From: Nick Piggin <nickpiggin@yahoo.com.au>
To: Bodo Stroesser <bstroesser@fujitsu-siemens.com>
Cc: Roland Mc Grath <roland@redhat.com>,
Jeff Dike <jdike@addtoit.com>,
BlaisorBlade <blaisorblade_spam@yahoo.it>,
user-mode-linux devel
<user-mode-linux-devel@lists.sourceforge.net>,
linux-kernel@vger.kernel.org
Subject: [uml-devel] Re: Race condition in ptrace
Date: Fri, 04 Feb 2005 11:27:59 +1100
Message-ID: <4202C18F.5010605@yahoo.com.au>
In-Reply-To: <42021E35.8050601@fujitsu-siemens.com>
Bodo Stroesser wrote:
> Working with the new UML skas0 mode on my Xeon HT host, sporadically I saw
> some processes on UML segfaulting.
>
> In all cases, I could track this down to be caused by a gs segment register
> that had the wrong contents.
>
> This again is caused by a problem in the host Linux: a ptraced child going
> to stop and having woken up its parent will save some of its registers (on
> i386 they are fs, gs and the fp-registers) very late in switch_to. The
> parent is granted access to the child's registers as soon as the child is
> removed from the runqueue. Thus, in rare cases, the parent might access the
> child's register save area before the registers really are saved.
>
> This problem might also be the reason for the problems with floating point
> on UML that were reported some time ago.
>
> I've written a test program that reproduces the problem on my 2.6.9 vanilla
> host quite quickly. Using SuSE kernel 2.6.5-7.97-smp, I can't reproduce the
> problem, although the relevant parts seem to be unchanged. Maybe unrelated
> changes modify the timing?
>
> I also created a patch that fixes the problem on my 2.6.9 host. This
> probably isn't a sane patch, but is enough to demonstrate where I think the
> bug is.
> Both files are attached.
>
> Bodo
>
>
> ------------------------------------------------------------------------
>
> --- a/include/linux/sched.h 2005-02-02 22:15:51.000000000 +0100
> +++ b/include/linux/sched.h 2005-02-02 22:22:54.000000000 +0100
> @@ -584,6 +584,7 @@ struct task_struct {
> struct mempolicy *mempolicy;
> short il_next; /* could be shared with used_math */
> #endif
> + volatile long saving;
> };
>
> static inline pid_t process_group(struct task_struct *tsk)
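Review bot: the new `saving` field is undocumented and this hunk shows no initialisation for it; the neighbouring `il_next` carries a comment, so give `saving` one that says what it means and what orders access to it, and clear it explicitly where a new task_struct is set up so a freshly created task can never start with it set. Using `volatile` in place of the kernel's barrier primitives is also against the usual convention and hides where the ordering is actually needed.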
> --- a/kernel/sched.c 2005-02-02 21:32:51.000000000 +0100
> +++ b/kernel/sched.c 2005-02-02 22:12:14.000000000 +0100
> @@ -2689,8 +2689,10 @@ need_resched:
> if (unlikely((prev->state & TASK_INTERRUPTIBLE) &&
> unlikely(signal_pending(prev))))
> prev->state = TASK_RUNNING;
> - else
> + else {
> + prev->saving = 1;
> deactivate_task(prev, rq);
> + }
> }
>
> cpu = smp_processor_id();
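Review bot: `prev->saving = 1` is stored for every task that goes to sleep, in the hottest path of schedule(), although only a ptracer ever reads it; if the flag stays, set it only for traced tasks. Note also that this store is made under the runqueue lock while the reader added in ptrace_check_attach spins without it, so any ordering guarantee has to come from paired barriers, not from the lock.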
> --- a/kernel/ptrace.c 2005-02-02 22:12:33.000000000 +0100
> +++ b/kernel/ptrace.c 2005-02-02 22:20:46.000000000 +0100
> @@ -96,6 +96,7 @@ int ptrace_check_attach(struct task_stru
>
> if (!ret && !kill) {
> wait_task_inactive(child);
> + while ( child->saving ) ;
> }
>
> /* All systems go.. */
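Review bot: `while ( child->saving ) ;` is an unbounded busy-wait with no `cpu_relax()` and no read barrier; `volatile` only stops the compiler hoisting the load, it does not order this read against the child's `wmb()`ed stores on SMP, so the loop needs an `rmb()` on each iteration or the check should be folded into wait_task_inactive. The spacing inside the parentheses and before the `;` is also not kernel style.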
> --- a/arch/i386/kernel/process.c 2005-02-02 22:18:29.000000000 +0100
> +++ b/arch/i386/kernel/process.c 2005-02-02 22:19:22.000000000 +0100
> @@ -577,6 +577,9 @@ struct task_struct fastcall * __switch_t
> asm volatile("movl %%fs,%0":"=m" (*(int *)&prev->fs));
> asm volatile("movl %%gs,%0":"=m" (*(int *)&prev->gs));
>
> + wmb();
> + prev_p->saving=0;
> +
> /*
> * Restore %fs and %gs if needed.
> */
>
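Review bot: `prev_p->saving=0` (missing spaces around `=`) is the only place in the series that clears the flag, and it is i386-specific, whereas the set in kernel/sched.c is generic; on any other architecture the ptrace.c spin never terminates, so either every arch's switch path must clear it or the generic code must not set it. The `wmb()` orders the fs/gs stores before the clear, but only does its job if the reading side has a matching read barrier.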
I don't see how this could help because AFAIKS, child->saving is only
set and cleared while the runqueue is locked. And the same runqueue lock
is taken by wait_task_inactive.
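The ordering the thread argues about, as an added C model (constructed here; it is neither Bodo's test program nor kernel code): the child leaves the runqueue, saves %gs late in switch_to, then clears the patch's `saving' flag, and the model enumerates every point at which a ptracer's readiness check holds and counts reads that would see a stale save area. It deliberately abstracts away the runqueue lock Nick refers to, and the %gs value 0x33 is a constructed placeholder.

```c
/* Constructed model of the ordering described above (not kernel code).
 * The child leaves the runqueue (deactivate_task), saves %gs late in
 * switch_to, then clears the patch's `saving' flag; we enumerate where a
 * ptracer's readiness check holds and count stale reads. No runqueue lock. */
#include <stdbool.h>
#include <stdio.h>
#define CHILD_STEPS 3

struct child {
    bool on_rq;    /* p->array != NULL: still on the runqueue */
    bool saving;   /* the flag the patch adds to task_struct */
    int  gs;       /* live %gs while the child runs (constructed value) */
    int  saved_gs; /* prev->gs in thread_struct, written by __switch_to */
};

/* One scheduling step of the child, in the order the thread describes. */
static void child_step(struct child *c, int step)
{
    switch (step) {
    case 0: c->saving = true; c->on_rq = false; break; /* schedule(): deactivate */
    case 1: c->saved_gs = c->gs;                 break; /* __switch_to saves %gs */
    case 2: c->saving = false;                   break; /* after wmb()           */
    }
}

/* wait_task_inactive's condition: the child is off the runqueue. */
static bool ready_off_runqueue(const struct child *c) { return !c->on_rq; }
/* The patch's condition: off the runqueue and the register save has completed. */
static bool ready_saved(const struct child *c) { return !c->on_rq && !c->saving; }

/* Count the points at which `ready' holds but the save area is still stale. */
static int stale_reads(bool (*ready)(const struct child *))
{
    struct child c = { .on_rq = true, .saving = false, .gs = 0x33, .saved_gs = 0 };
    int stale = 0;
    for (int k = 0; k <= CHILD_STEPS; k++) {
        if (k > 0)
            child_step(&c, k - 1);
        if (ready(&c) && c.saved_gs != c.gs)
            stale++;
    }
    return stale;
}

int main(void)
{
    printf("off-runqueue check: %d stale window(s)\n", stale_reads(ready_off_runqueue));
    printf("saving-flag check:  %d stale window(s)\n", stale_reads(ready_saved));
    return 0;
}
```

The off-runqueue check exposes exactly the window between deactivate_task and the %gs store that Bodo describes, while a check that also waits for the flag sees none; whether the real kernel already closes that window through the runqueue lock is the question Nick raises.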