From: Oleg Nesterov <oleg@redhat.com>
To: Michal Hocko <mhocko@kernel.org>
Cc: linux-mm@kvack.org,
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
David Rientjes <rientjes@google.com>,
Vladimir Davydov <vdavydov@parallels.com>,
Andrew Morton <akpm@linux-foundation.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 4/6] mm, oom: skip vforked tasks from being selected
Date: Tue, 31 May 2016 23:43:38 +0200
Message-ID: <20160531214338.GB26582@redhat.com>
In-Reply-To: <20160531074247.GC26128@dhcp22.suse.cz>
On 05/31, Michal Hocko wrote:
>
> On Mon 30-05-16 21:28:57, Oleg Nesterov wrote:
> >
> > I don't think we can trust vfork_done != NULL.
> >
> > copy_process() doesn't disallow CLONE_VFORK without CLONE_VM, so with this patch
> > it would be trivial to make the exploit which hides a memory hog from oom-killer.
>
> OK, I wasn't aware of this possibility.
Neither was I ;) I noticed this during this review.
> > Or I am totally confused?
>
> I cannot judge I am afraid. You are definitely much more familiar with
> all these subtle details than me.
OK, I just verified that clone(CLONE_VFORK|SIGCHLD) really works to be sure.
> +/* expects to be called with task_lock held */
> +static inline bool in_vfork(struct task_struct *tsk)
> +{
> + bool ret;
> +
> + /*
> + * need RCU to access ->real_parent if CLONE_VM was used along with
> + * CLONE_PARENT
> + */
> + rcu_read_lock();
> + ret = tsk->vfork_done && tsk->real_parent->mm == tsk->mm;
> + rcu_read_unlock();
> +
> + return ret;
> +}
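Review bot: the header comment "expects to be called with task_lock held" overstates what this helper needs; the function only tests whether tsk->vfork_done is NULL or not, so a stable value is not required, and the rcu_read_lock() section is what covers the tsk->real_parent dereference. Suggest replacing that line with a comment that explains the two non-obvious parts of the check: the `tsk->real_parent->mm == tsk->mm` comparison is there because CLONE_VFORK does not imply CLONE_VM, so a non-NULL vfork_done alone would let a task with its own mm pass as a vfork child; and since CLONE_VFORK may be combined with CLONE_PARENT/CLONE_THREAD, ->real_parent is not necessarily the task that called vfork(), so the comparison can yield a false negative for a caller that sets that up, which is acceptable for OOM victim selection.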
Yes, but may I ask you to add a comment? And note that "expects to be called with
task_lock held" looks misleading: we do not need the "stable" tsk->vfork_done,
since we only need to check whether it is NULL or not.
It would be nice to explain that
1. we check real_parent->mm == tsk->mm because CLONE_VFORK does not
imply CLONE_VM
2. CLONE_VFORK can be used with CLONE_PARENT/CLONE_THREAD and thus
->real_parent is not necessarily the task doing vfork(), so in
theory we can't rely on task_lock() if we want to dereference it.
And in this case we can't trust the real_parent->mm == tsk->mm
check; it can be a false negative. But we do not care: if init or
another oom-unkillable task does this, it should blame itself.
Oleg.
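The following userspace program is an added illustration and is not part of this thread or of the kernel patch. It reproduces what Oleg says he verified: clone(CLONE_VFORK|SIGCHLD) without CLONE_VM is accepted by the kernel, suspends the parent until the child exits exactly like vfork() does (so the child's vfork_done is non-NULL), yet gives the child its own address space, which is why in_vfork() has to compare real_parent->mm with tsk->mm instead of trusting vfork_done alone. It goes one step beyond the thread by also running the CLONE_VM variant for contrast. The function and enum names (probe_vfork_semantics, PARENT_WAS_SUSPENDED, CHILD_HAD_OWN_MM) are this example's own.

```c
#define _GNU_SOURCE            /* clone() and the CLONE_* flags in <sched.h> */
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result bits returned by probe_vfork_semantics() (names are this example's). */
enum {
	PARENT_WAS_SUSPENDED = 1,  /* clone() returned only after the child had exited */
	CHILD_HAD_OWN_MM     = 2,  /* the child's store was not visible to the parent */
};

/* Written by the child. Shared only when CLONE_VM is set; otherwise the
 * child writes into its own copy-on-write copy of this page. */
static volatile int child_touched;
/* Write end of a pipe the child signals on just before it exits. */
static int notify_fd = -1;

static int child_fn(void *arg)
{
	(void)arg;
	child_touched = 1;
	if (write(notify_fd, "x", 1) != 1)
		_exit(1);
	_exit(0);              /* _exit(): never flush the parent's stdio buffers */
}

/*
 * Run a CLONE_VFORK child with the given extra flags (0 or CLONE_VM) and
 * report what the parent observed. Returns a bitmask of the enum above,
 * or -1 on a setup failure.
 */
int probe_vfork_semantics(int extra_flags)
{
	enum { STACK_SIZE = 64 * 1024 };
	int fds[2], status, result = 0;
	char byte;

	if (pipe(fds) < 0)
		return -1;
	/* Non-blocking read: we want to know whether the byte is *already* there. */
	fcntl(fds[0], F_SETFL, O_NONBLOCK);

	char *stack = malloc(STACK_SIZE);
	if (!stack) {
		close(fds[0]); close(fds[1]);
		return -1;
	}

	child_touched = 0;
	notify_fd = fds[1];
	/* The stack grows down on x86/arm64, so pass the top of the allocation. */
	pid_t pid = clone(child_fn, stack + STACK_SIZE,
			  CLONE_VFORK | SIGCHLD | extra_flags, NULL);
	if (pid < 0) {
		free(stack); close(fds[0]); close(fds[1]);
		return -1;
	}

	/* With CLONE_VFORK the kernel completes vfork_done and wakes us only
	 * after the child has exited or exec'd, so its byte must already be
	 * in the pipe, with or without CLONE_VM. */
	if (read(fds[0], &byte, 1) == 1)
		result |= PARENT_WAS_SUSPENDED;
	/* Without CLONE_VM the child wrote to its own mm, not to ours. */
	if (!child_touched)
		result |= CHILD_HAD_OWN_MM;

	waitpid(pid, &status, 0);
	free(stack);
	close(fds[0]); close(fds[1]);
	return result;
}

int main(void)
{
	int no_vm = probe_vfork_semantics(0);
	int with_vm = probe_vfork_semantics(CLONE_VM);

	printf("CLONE_VFORK|SIGCHLD          -> suspended=%d own_mm=%d\n",
	       !!(no_vm & PARENT_WAS_SUSPENDED), !!(no_vm & CHILD_HAD_OWN_MM));
	printf("CLONE_VFORK|CLONE_VM|SIGCHLD -> suspended=%d own_mm=%d\n",
	       !!(with_vm & PARENT_WAS_SUSPENDED), !!(with_vm & CHILD_HAD_OWN_MM));
	return 0;
}
```

Both runs report the parent as suspended, but only the run without CLONE_VM reports a private mm: that is the combination a vfork_done-only check would misclassify as a transient vfork child, and the mm comparison in the patch is what closes that gap.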
Thread overview:
2016-05-30 13:05 [PATCH 0/6 -v2] Handle oom bypass more gracefully Michal Hocko
2016-05-30 13:05 ` [PATCH 1/6] proc, oom: drop bogus task_lock and mm check Michal Hocko
2016-05-30 13:49 ` Vladimir Davydov
2016-05-30 17:43 ` Oleg Nesterov
2016-05-31 7:32 ` Michal Hocko
2016-05-31 22:53 ` Oleg Nesterov
2016-06-01 6:53 ` Michal Hocko
2016-06-01 10:41 ` Tetsuo Handa
2016-06-01 10:48 ` Michal Hocko
2016-05-30 13:05 ` [PATCH 2/6] proc, oom_adj: extract oom_score_adj setting into a helper Michal Hocko
2016-05-30 13:05 ` [PATCH 3/6] mm, oom_adj: make sure processes sharing mm have same view of oom_score_adj Michal Hocko
2016-05-31 7:41 ` Michal Hocko
2016-05-30 13:05 ` [PATCH 4/6] mm, oom: skip vforked tasks from being selected Michal Hocko
2016-05-30 19:28 ` Oleg Nesterov
2016-05-31 7:42 ` Michal Hocko
2016-05-31 21:43 ` Oleg Nesterov [this message]
2016-06-01 7:09 ` Michal Hocko
2016-06-01 14:12 ` Tetsuo Handa
2016-06-01 14:25 ` Michal Hocko
2016-06-02 10:45 ` Tetsuo Handa
2016-06-02 11:20 ` Michal Hocko
2016-06-02 11:31 ` Tetsuo Handa
2016-06-02 12:55 ` Michal Hocko
2016-05-30 13:05 ` [PATCH 5/6] mm, oom: kill all tasks sharing the mm Michal Hocko
2016-05-30 18:18 ` Oleg Nesterov
2016-05-31 7:43 ` Michal Hocko
2016-05-31 21:48 ` Oleg Nesterov
2016-05-30 13:05 ` [PATCH 6/6] mm, oom: fortify task_will_free_mem Michal Hocko
2016-05-30 17:35 ` Oleg Nesterov
2016-05-31 7:46 ` Michal Hocko
2016-05-31 22:29 ` Oleg Nesterov
2016-06-01 7:03 ` Michal Hocko
2016-05-31 15:03 ` Tetsuo Handa
2016-05-31 15:10 ` Michal Hocko
2016-05-31 15:29 ` Tetsuo Handa
2016-06-01 7:25 ` Michal Hocko
2016-06-01 12:04 ` Tetsuo Handa
2016-06-01 12:43 ` Michal Hocko
2016-06-02 14:03 ` [PATCH 7/6] mm, oom: task_will_free_mem should skip oom_reaped tasks Michal Hocko
2016-06-02 15:24 ` Tetsuo Handa
2016-06-02 15:50 ` Michal Hocko