From: Greg KH <greg@kroah.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Andrew Vagin <avagin@openvz.org>,
linux-kernel@vger.kernel.org, criu@openvz.org,
Pavel Emelyanov <xemul@parallels.com>,
Cyrill Gorcunov <gorcunov@openvz.org>,
"Eric W. Biederman" <ebiederm@xmission.com>
Subject: Re: [PATCH] pidns: remove recursion from free_pid_ns (v3)
Date: Wed, 10 Oct 2012 16:49:23 +0900 [thread overview]
Message-ID: <20121010074923.GA11894@kroah.com> (raw)
In-Reply-To: <20121009120831.8a6d81d8.akpm@linux-foundation.org>
On Tue, Oct 09, 2012 at 12:08:31PM -0700, Andrew Morton wrote:
> On Tue, 9 Oct 2012 12:03:00 -0700
> Greg KH <greg@kroah.com> wrote:
>
> > On Tue, Oct 09, 2012 at 11:48:21AM -0700, Andrew Morton wrote:
> > > On Sat, 6 Oct 2012 23:56:33 +0400
> > > Andrew Vagin <avagin@openvz.org> wrote:
> > >
> > > > Here is a stack trace of recursion:
> > > > free_pid_ns(parent)
> > > > put_pid_ns(parent)
> > > > kref_put(&ns->kref, free_pid_ns);
> > > > free_pid_ns
> > > >
> > > > This patch turns recursion into loops.
> > > >
> > > > pidns can be nested many times, so in case of recursion
> > > > a simple user space program can provoke a kernel panic
> > > > due to exceed of a kernel stack.
> > >
> > > So we should backport this into earlier kernels.
> > >
> > > > --- a/include/linux/kref.h
> > > > +++ b/include/linux/kref.h
> > > > @@ -95,6 +95,18 @@ static inline int kref_put(struct kref *kref, void (*release)(struct kref *kref)
> > > > return kref_sub(kref, 1, release);
> > > > }
> > > >
> > > > +/**
> > > > + * kref_put - decrement refcount for object.
> > > > + * @kref: object.
> > > > + *
> > > > + * Decrement the refcount.
> > > > + * Return 1 if refcount is zero.
> > > > + */
> > > > +static inline int __kref_put(struct kref *kref)
> > > > +{
> > > > + return atomic_dec_and_test(&kref->refcount);
> > > > +}
> > >
> > > Greg might be interested in this.
> > >
> > > It's a pretty specialised thing and perhaps it needs some stern words
> > > in the description explaining when and why it should and shouldn't be
> > > used.
> > >
> > > I wonder if people might (ab)use this to avoid the "doesn't
> > > have a release function" warning.
> >
> > Yes they would, please don't do this at all.
> >
> > In fact, why is it needed? It doesn't solve anything (if it does,
> > something in the way the kref is being used is wrong.)
> >
>
> It's right there in the changelog. The patch fixes deep
> kref_put->release->kref_put recursion by turning the operation for
> pidns into a loop.
But why would a kref release function ever decrement the same kref
again causing a loop in the first place?
That's what I was referring to. This strongly sounds like a problem in
how the kref is being used, not in the kref code itself.
Is a kref even the correct thing here?
greg k-h
next prev parent reply other threads:[~2012-10-10 7:49 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-10-06 19:56 [PATCH] pidns: remove recursion from free_pid_ns (v3) Andrew Vagin
2012-10-09 18:48 ` Andrew Morton
2012-10-09 19:03 ` Greg KH
2012-10-09 19:08 ` Andrew Morton
2012-10-10 7:49 ` Greg KH [this message]
2012-10-10 9:12 ` Xiaotian Feng
2012-10-10 9:18 ` Xiaotian Feng
2012-10-10 9:21 ` Cyrill Gorcunov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20121010074923.GA11894@kroah.com \
--to=greg@kroah.com \
--cc=akpm@linux-foundation.org \
--cc=avagin@openvz.org \
--cc=criu@openvz.org \
--cc=ebiederm@xmission.com \
--cc=gorcunov@openvz.org \
--cc=linux-kernel@vger.kernel.org \
--cc=xemul@parallels.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.