Date: Wed, 28 Oct 2015 16:27:15 +0100
From: Oleg Nesterov
To: Markus Pargmann
Cc: Andrew Morton, Tejun Heo, nbd-general@lists.sourceforge.net, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 1/1] kthread: introduce kthread_get_run() to fix __nbd_ioctl()
Message-ID: <20151028152715.GA22672@redhat.com>

Markus, sorry for delay, I didn't have email access two days,

On 10/26, Markus Pargmann wrote:
>
> On Sun, Oct 25, 2015 at 03:27:13PM +0100, Oleg Nesterov wrote:
> > It is not safe to use the task_struct returned by kthread_run(threadfn)
> > if threadfn() can exit before the "owner" does kthread_stop(), nothing
> > protects this task_struct.
> >
> > So __nbd_ioctl() looks buggy; a killed nbd_thread_send() can exit, free
> > its task_struct, and then kthread_stop() can use the freed/reused memory.
> >
> > Add the new trivial helper, kthread_get_run(). Hopefully it will have more
> > users, this patch changes __nbd_ioctl() as an example.
>
> Thanks.
>
> Acked-by: Markus Pargmann
>
> However I am not sure this is important for 4.3 final. This bug is
> present since at least 2008 (didn't look further).

Ah yes, I didn't bother to check the history of this code, thanks.
So this bug is very old, no need to push the fix into 4.3.

Oleg.