From: Oleg Nesterov <oleg@redhat.com>
To: "Andrew Morton" <akpm@linux-foundation.org>,
	"Christian Brauner" <brauner@kernel.org>,
	高翔 <gaoxiang17@xiaomi.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>,
	Mateusz Guzik <mjguzik@gmail.com>,
	Xiang Gao <gxxa03070307@gmail.com>,
	linux-kernel@vger.kernel.org
Subject: [PATCH 1/4] pid: make __task_pid_nr_ns(ns => NULL) safe for zombie callers
Date: Sun, 10 Aug 2025 19:36:04 +0200
Message-ID: <20250810173604.GA19991@redhat.com>
In-Reply-To: <20250802022123.3536934-1-gxxa03070307@gmail.com>

task_pid_vnr(another_task) will crash if the caller was already reaped.
The pid_alive(current) check can't really help, the parent/debugger can
call release_task() right after this check.

This also means that even task_ppid_nr_ns(current, NULL) is not safe,
pid_alive() only ensures that it is safe to dereference ->real_parent.

Change __task_pid_nr_ns() to ensure ns != NULL.

Originally-by: 高翔 <gaoxiang17@xiaomi.com>
Link: https://lore.kernel.org/all/20250802022123.3536934-1-gxxa03070307@gmail.com/
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
---
 kernel/pid.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/pid.c b/kernel/pid.c
index 8317bcbc7cf7..58d97a78f07e 100644
--- a/kernel/pid.c
+++ b/kernel/pid.c
@@ -514,7 +514,8 @@ pid_t __task_pid_nr_ns(struct task_struct *task, enum pid_type type,
 	rcu_read_lock();
 	if (!ns)
 		ns = task_active_pid_ns(current);
-	nr = pid_nr_ns(rcu_dereference(*task_pid_ptr(task, type)), ns);
+	if (ns)
+		nr = pid_nr_ns(rcu_dereference(*task_pid_ptr(task, type)), ns);
 	rcu_read_unlock();
 
 	return nr;
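
Review bot: with the new "if (ns)" guard in front of "nr = pid_nr_ns(...)", nr is no longer assigned on the path where task_active_pid_ns(current) returns NULL, so "return nr" depends on the initializer at the declaration, which lies outside this hunk. It is worth confirming that nr starts at 0 and saying in a comment above the guard that a caller which has already been reaped gets 0 back. A one-line comment on why ns can still be NULL after the fallback (current may already have gone through release_task(), as the changelog explains) would also keep a later cleanup from dropping the check as redundant.
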
-- 
2.25.1.362.g51ebf55


Thread overview: 26+ messages
2025-08-02  2:21 [PATCH] pid: Add a judgment for ns null in pid_nr_ns Xiang Gao
2025-08-02  2:25 ` Al Viro
     [not found]   ` <15b18541f37447dd8d5dbd8012662f67@xiaomi.com>
2025-08-02  5:52     ` 答复: [External Mail]Re: " Al Viro
2025-08-02  5:54       ` Al Viro
     [not found]       ` <c7968242db914979953277226fe55fc8@xiaomi.com>
2025-08-02  8:04         ` 答复: " Al Viro
2025-08-02  8:45     ` Oleg Nesterov
     [not found]       ` <80be47cb31d14ffc9f9a7d8d4408ab0a@xiaomi.com>
2025-08-04 11:49         ` Oleg Nesterov
2025-08-04 12:14           ` Christian Brauner
2025-08-04 12:44             ` Oleg Nesterov
2025-08-05 12:43               ` Oleg Nesterov
2025-08-08 14:56                 ` Christian Brauner
2025-08-10 15:42                   ` Oleg Nesterov
     [not found]             ` <aa5272ddcec944e2a35ca7104f6a86bf@xiaomi.com>
2025-08-05 19:43               ` 答复: [External Mail]Re: " Oleg Nesterov
2025-08-08 14:54                 ` Christian Brauner
2025-08-02  8:43   ` Oleg Nesterov
2025-08-10 17:36 ` Oleg Nesterov [this message]
2025-08-10 17:36 ` [PATCH 2/4] pid: introduce task_ppid_vnr() Oleg Nesterov
2025-08-10 17:36 ` [PATCH 3/4] pid: change bacct_add_tsk() to use task_ppid_nr_ns() Oleg Nesterov
2025-08-10 17:36 ` [PATCH 4/4] pid: change task_state() " Oleg Nesterov
2025-08-19 11:40 ` [PATCH] pid: Add a judgment for ns null in pid_nr_ns Christian Brauner
2025-08-19 14:25   ` Oleg Nesterov
2025-09-01 15:30     ` Oleg Nesterov
2025-09-01 15:44       ` Mateusz Guzik
2025-09-01 15:55         ` Mateusz Guzik
2025-09-02 14:37           ` Oleg Nesterov
2026-01-04  7:25 ` Qing Wang
