From: Oleg Nesterov <oleg@redhat.com>
To: Stefan Priebe - Profihost AG <s.priebe@profihost.ag>,
Kay Sievers <kay.sievers@vrfy.org>,
Dhaval Giani <dhaval@linux.vnet.ibm.com>,
Greg Kroah-Hartman <gregkh@suse.de>
Cc: linux-kernel@vger.kernel.org
Subject: [BUG stable, 2.6.32.27] sched: delayed cleanup of user_struct
Date: Mon, 10 Jan 2011 13:36:30 +0100 [thread overview]
Message-ID: <20110110123630.GA27057@redhat.com> (raw)
In-Reply-To: <20110110114913.GA22298@redhat.com>
On 01/10, Oleg Nesterov wrote:
>
> On 01/10, Stefan Priebe - Profihost AG wrote:
> >
> > i've seen your patch and i've seen that we've a lot of crashes in the
> > process cleanup since upgrading from 2.6.32.19 to 2.6.32.27 and i would
> > like to know if you can tell me if your patch will solve them.
> >
> > Log: (ATTENTION Log is in reverse order)
> > http://pastebin.com/WiyEKScs
>
> No, that patch has nothing to do with this crash.
>
> Looks like, this is CONFIG_USER_SCHED bug. Probably something like
> double-free but I know nothing about this code and USER_SCHED is
> deprecated anyway.
>
> I'd suggest you to disable this option.
>
>
> Perhaps it makes sense to report this bug to lkml, though.
> Probably 3959214f971417f4162926ac52ad4cd042958caa is the offending
> commit.
Yes, at first glance "sched: delayed cleanup of user_struct" looks buggy...
uid_hash_find:
hlist_for_each_entry(user, h, hashent, uidhash_node) {
if (user->uid == uid) {
/* possibly resurrect an "almost deleted" object */
if (atomic_inc_return(&user->__count) == 1)
cancel_delayed_work(&user->work);
return user;
cancel_delayed_work() can only cancel the timer. If the timer has
already expired, it can't cancel the pending work, and
cleanup_user_struct() can run after uid_hash_find() returns.
This _looks_ OK, cleanup_user_struct() should notice ->__count == 0
and do nothing. But it is not.
Suppose that the new "owner" of this user_struct (the caller of
uid_hash_find) in turn does free_uid() before up->work->func()
completes. In this case INIT_DELAYED_WORK() can corrupt the pending
work, or 2 instances of work->func() can race with each other on
different CPUs. In particular, this can lead to double free.
Kay?
Oleg.
next parent reply other threads:[~2011-01-10 12:44 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <4D2AB8F7.7030506@profihost.ag>
[not found] ` <20110110114913.GA22298@redhat.com>
2011-01-10 12:36 ` Oleg Nesterov [this message]
2011-01-10 12:46 ` [BUG stable, 2.6.32.27] sched: delayed cleanup of user_struct Stefan Priebe - Profihost AG
2011-01-10 13:35 ` Oleg Nesterov
2011-01-10 14:01 ` Stefan Priebe - Profihost AG
2011-01-10 14:08 ` Oleg Nesterov
2011-01-10 14:23 ` Stefan Priebe - Profihost AG
2011-01-10 14:19 ` Oleg Nesterov
2011-01-10 17:07 ` Mike Galbraith
2011-01-10 18:23 ` Greg KH
2011-01-10 18:43 ` Oleg Nesterov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110110123630.GA27057@redhat.com \
--to=oleg@redhat.com \
--cc=dhaval@linux.vnet.ibm.com \
--cc=gregkh@suse.de \
--cc=kay.sievers@vrfy.org \
--cc=linux-kernel@vger.kernel.org \
--cc=s.priebe@profihost.ag \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.