From: Dave Hansen <haveblue@us.ibm.com>
To: Kasper Dupont <kasperd@daimi.au.dk>
Cc: Linux-Kernel <linux-kernel@vger.kernel.org>
Subject: Re: [RFC] Race condition?
Date: Fri, 02 Aug 2002 10:00:13 -0700
Message-ID: <3D4ABA9D.8060307@us.ibm.com>
In-Reply-To: 3D4A8D45.49226E2B@daimi.au.dk
[-- Attachment #1: Type: text/plain, Size: 884 bytes --]
Kasper Dupont wrote:
> Is there a race condition in this piece of code from do_fork in
> linux/kernel/fork.c? I cannot see what prevents two processes
> from calling this at the same time and both successfully fork
> even though the user had only one process left.
>
> if (atomic_read(&p->user->processes) >= p->rlim[RLIMIT_NPROC].rlim_cur
> && !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE))
> goto bad_fork_free;
>
> atomic_inc(&p->user->__count);
> atomic_inc(&p->user->processes);
I don't see any locking in the call chain leading to this function, so
I think you're right. The attached patch fixes this. It costs an
extra 2 atomic ops in the failure case, but otherwise just makes the
processes++ operation earlier.
Patch is against 2.5.27, but applies against 30.
--
Dave Hansen
haveblue@us.ibm.com
[-- Attachment #2: fork-up-race-2.5.27.patch --]
[-- Type: text/plain, Size: 672 bytes --]
--- linux-2.5.27-clean/kernel/fork.c Sat Jul 20 12:11:07 2002
+++ linux/kernel/fork.c Fri Aug 2 09:35:17 2002
@@ -628,13 +628,15 @@
goto fork_out;
retval = -EAGAIN;
- if (atomic_read(&p->user->processes) >= p->rlim[RLIMIT_NPROC].rlim_cur) {
- if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE))
+ atomic_inc(&p->user->processes);
+ if (atomic_read(&p->user->processes) > p->rlim[RLIMIT_NPROC].rlim_cur) {
+ if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
+ atomic_dec(&p->user->processes);
goto bad_fork_free;
+ }
}
atomic_inc(&p->user->__count);
- atomic_inc(&p->user->processes);
/*
* Counter increases are protected by
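Review bot: In the added atomic_inc() / atomic_read() pair at the top of this hunk, the increment and the read are still two separate operations, so the value tested can include another caller's increment. With one slot left, two concurrent forks for the same user can both increment, both read a count above rlim_cur, and both take the atomic_dec() / goto bad_fork_free path. The limit is no longer exceeded, but a fork that should have succeeded returns -EAGAIN. Consider testing the value returned by a single increment-and-return operation, if one is available on every architecture, so that exactly one of the racing callers gets the last slot. Otherwise, add a comment above the atomic_inc() stating that the transient overcount and the resulting spurious failure are accepted. The switch from >= to > matches the earlier increment and looks right.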