From: Oleg Nesterov <oleg@redhat.com>
To: Peter Zijlstra <peterz@infradead.org>
Cc: Sasha Levin <sasha.levin@oracle.com>,
Ingo Molnar <mingo@kernel.org>,
John Stultz <john.stultz@linaro.org>,
Thomas Gleixner <tglx@linutronix.de>,
Frederic Weisbecker <fweisbec@gmail.com>,
LKML <linux-kernel@vger.kernel.org>,
Dave Jones <davej@redhat.com>,
Andrey Ryabinin <a.ryabinin@samsung.com>
Subject: Re: finish_task_switch && prev_state (Was: sched, timers: use after free in __lock_task_sighand when exiting a process)
Date: Tue, 15 Jul 2014 16:25:25 +0200
Message-ID: <20140715142525.GA26029@redhat.com>
In-Reply-To: <20140715132353.GF9918@twins.programming.kicks-ass.net>
On 07/15, Peter Zijlstra wrote:
>
> @@ -2211,13 +2211,15 @@ static void finish_task_switch(struct rq *rq, struct task_struct *prev)
>
> /*
> * A task struct has one reference for the use as "current".
> + *
> * If a task dies, then it sets TASK_DEAD in tsk->state and calls
> - * schedule one last time. The schedule call will never return, and
> - * the scheduled task must drop that reference.
> - * The test for TASK_DEAD must occur while the runqueue locks are
> - * still held, otherwise prev could be scheduled on another cpu, die
> - * there before we look at prev->state, and then the reference would
> - * be dropped twice.
> + * schedule one last time. The schedule call will never return, and the
> + * scheduled task must drop that reference.
> + *
> + * The test for TASK_DEAD must occur while the runqueue locks are still
> + * held, otherwise we can race with RUNNING -> DEAD transitions, and
> + * then the reference would be dropped twice.
> + *
> * Manfred Spraul <manfred@colorfullife.com>
> */
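
Review bot: The reworded paragraph ending "otherwise we can race with RUNNING -> DEAD transitions" no longer says where that transition happens, which the removed text did ("prev could be scheduled on another cpu, die there before we look at prev->state"). Without that, a reader cannot tell from the comment why holding the runqueue locks is what closes the window. Consider keeping the actor and the CPU in the new wording, for example "otherwise prev can be scheduled on another CPU and go RUNNING -> DEAD there before we read prev->state". The trailing "Manfred Spraul" attribution line is kept unchanged although the paragraph above it has been rewritten, so it is worth deciding whether it still belongs inside the comment.
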
Agreed, this looks much more understandable!

And probably I missed something again, but it seems that this logic is broken
with __ARCH_WANT_UNLOCKED_CTXSW.

Of course, even if I am right this is purely theoretical, but smp_wmb() before
"->on_cpu = 0" is not enough and we need a full barrier?

Oleg.