From: Oleg Nesterov <oleg@redhat.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andrew Morton <akpm@linux-foundation.org>,
	David Howells <dhowells@redhat.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Alexander Gordeev <agordeev@redhat.com>,
	Chris Zankel <chris@zankel.net>, David Smith <dsmith@redhat.com>,
	"Frank Ch. Eigler" <fche@redhat.com>,
	Geert Uytterhoeven <geert@linux-m68k.org>,
	Larry Woodman <lwoodman@redhat.com>,
	Peter Zijlstra <peterz@infradead.org>, Tejun Heo <tj@kernel.org>,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH v4 1/3] task_work_add: generic process-context callbacks
Date: Sat, 14 Apr 2012 05:05:07 +0200
Message-ID: <20120414030507.GA27579@redhat.com>
In-Reply-To: <CA+55aFyxV8v2mOjb1Ly=1ttPyLvUt6RZO8wgjD_9owtO=VM0hw@mail.gmail.com>

On 04/13, Linus Torvalds wrote:
>
> This is seriously buggy:

I am already asleep. But,

> On Fri, Apr 13, 2012 at 7:12 PM, Oleg Nesterov <oleg@redhat.com> wrote:
> >
> > +void task_work_run(struct task_struct *task)
> > +{
> > +       struct hlist_head task_works;
> > +       struct hlist_node *pos;
> > +
> > +       raw_spin_lock_irq(&task->pi_lock);
> > +       hlist_move_list(&task->task_works, &task_works);
> > +       raw_spin_unlock_irq(&task->pi_lock);
> > +
> > +       if (unlikely(hlist_empty(&task_works)))
> > +               return;
> > +       /*
> > +        * We use hlist to save the space in task_struct, but we want fifo.
> > +        * Find the last entry, the list should be short, then process them
> > +        * in reverse order.
> > +        */
> > +       for (pos = task_works.first; pos->next; pos = pos->next)
> > +               ;
> > +
> > +       for (;;) {
> > +               struct hlist_node **pprev = pos->pprev;
> > +               struct task_work *twork = container_of(pos, struct task_work,
> > +                                                       hlist);
> > +               twork->func(twork);
> > +
> > +               if (pprev == &task_works.first)
> > +                       break;
> > +               pos = container_of(pprev, struct hlist_node, next);
> > +       }
> > +}
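Review bot: once raw_spin_unlock_irq(&task->pi_lock) has dropped the lock that protects the list, both loops below dereference `pos` and `twork` with no lock held, and the callers in this series keep `struct task_work` on the stack and task_work_cancel() it before returning; the walk is therefore only safe if nothing else can reach the detached entries, which holds only when `task` is current, yet the function accepts an arbitrary `task`. State that precondition in a comment at the top of task_work_run() (or check it) rather than leaving it implicit. A short comment on `pos = container_of(pprev, struct hlist_node, next);` noting that it relies on `next` being the first member of struct hlist_node would also help readers follow the reverse walk.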
>
> No can do. You've removed the task-work from the process list, and you
> no longer hold the spinlock that protects that list. That means that
> you *cannot* access the task-work data structure any more, because it
> may long be gone.
>
> Look at the users of this interface that you wrote yourself. They
> allocate the task-work on the stack, and do a "task_work_cancel()"
> before returning. That data structure is *gone*. You can't dereference
> it any more.

tsk is always "current", probably this should be documented, I'll add
the comment.

So this can't race with irq_thread() which uses the task_work on stack.

> Basically, *any* access of 'twork' after it is removed from the list
> and you have released the task spinlock is unsafe, as far as I can
> tell.

I don't follow.

Once task_work_run() removes task_work from the list (and drops the lock)
nobody can use this twork. task_work_cancel obviously can't find it;
it will return NULL.

Oleg.
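To make the exchange above concrete, here is an added user-space model (not the kernel's code and not part of this thread) of the hlist-based FIFO walk in task_work_run(), with a task_work_add() that queues at the head and a task_work_cancel() that unlinks an item only while it is still queued, so that after task_work_run() has detached the list a cancel finds nothing. The pi_lock is left out (the model is single-threaded), and struct task, record() and demo() are constructed for this example.

```c
#include <stddef.h>
struct hlist_node { struct hlist_node *next, **pprev; };
struct hlist_head { struct hlist_node *first; };
#define container_of(p, T, m) ((T *)((char *)(p) - offsetof(T, m)))
struct task_work { struct hlist_node hlist; void (*func)(struct task_work *); int id; };
struct task { struct hlist_head task_works; };	/* stands in for task_struct; pi_lock omitted */
void task_work_add(struct task *t, struct task_work *w) {	/* hlist_add_head(), under pi_lock in the kernel */
	w->hlist.next = t->task_works.first;
	if (w->hlist.next) w->hlist.next->pprev = &w->hlist.next;
	t->task_works.first = &w->hlist;
	w->hlist.pprev = &t->task_works.first;
}

/* Unlink w if it is still queued; NULL means task_work_run() already detached it. */
struct task_work *task_work_cancel(struct task *t, struct task_work *w) {
	for (struct hlist_node *pos = t->task_works.first; pos; pos = pos->next)
		if (pos == &w->hlist) {
			*pos->pprev = pos->next;
			if (pos->next) pos->next->pprev = pos->pprev;
			return w;
		}
	return NULL;
}

void task_work_run(struct task *t) {
	struct hlist_head task_works; struct hlist_node *pos;
	/* hlist_move_list(): detach the whole list; the kernel drops pi_lock right after. */
	task_works.first = t->task_works.first;
	if (task_works.first) task_works.first->pprev = &task_works.first;
	t->task_works.first = NULL;
	if (!task_works.first) return;
	/* Items sit newest-first, so walk to the tail, then step back via pprev: FIFO. */
	for (pos = task_works.first; pos->next; pos = pos->next) ;
	for (;;) {
		struct hlist_node **pprev = pos->pprev;
		struct task_work *w = container_of(pos, struct task_work, hlist);
		w->func(w);
		if (pprev == &task_works.first) break;
		pos = container_of(pprev, struct hlist_node, next);	/* next is the first member */
	}
}
static int order;	/* ids in the order func() ran, as decimal digits */
static void record(struct task_work *w) { order = order * 10 + w->id; }
/* Queue three stack items, run them, return the run order (FIFO = 123), or -1 if cancel still finds one. */
int demo(void) {
	struct task t = { { NULL } }; struct task_work w[3];
	for (int i = 0; i < 3; i++) { w[i].id = i + 1; w[i].func = record; task_work_add(&t, &w[i]); }
	order = 0; task_work_run(&t);
	return task_work_cancel(&t, &w[0]) ? -1 : order;
}
```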
