From: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com>
To: Oleg Nesterov <oleg@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>,
Roland McGrath <roland@redhat.com>,
linux-kernel@vger.kernel.org,
KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>,
stable@kernel.org
Subject: Re: [PATCH v3] fix race copy_process() vs de_thread()
Date: Tue, 25 Aug 2009 09:10:30 +0900 [thread overview]
Message-ID: <4A932BF6.1090405@ct.jp.nec.com> (raw)
In-Reply-To: <20090824162730.GA14367@redhat.com>
Oleg Nesterov wrote:
> Spotted by Hiroshi Shimamoto who also provided the test-case below.
>
> copy_process() pathes use signal->count as a reference counter, but
> it is not. This test case
>
> #include <sys/types.h>
> #include <sys/wait.h>
> #include <unistd.h>
> #include <stdio.h>
> #include <errno.h>
> #include <pthread.h>
>
> void *null_thread(void *p)
> {
> for (;;)
> sleep(1);
>
> return NULL;
> }
>
> void *exec_thread(void *p)
> {
> execl("/bin/true", "/bin/true", NULL);
>
> return null_thread(p);
> }
>
> int main(int argc, char **argv)
> {
> for (;;) {
> pid_t pid;
> int ret, status;
>
> pid = fork();
> if (pid < 0)
> break;
>
> if (!pid) {
> pthread_t tid;
>
> pthread_create(&tid, NULL, exec_thread, NULL);
> for (;;)
> pthread_create(&tid, NULL, null_thread, NULL);
> }
>
> do {
> ret = waitpid(pid, &status, 0);
> } while (ret == -1 && errno == EINTR);
> }
>
> return 0;
> }
>
> quickly creates the unkillable task.
>
> If copy_process(CLONE_THREAD) races with de_thread()
> copy_signal()->atomic(signal->count) breaks the signal->notify_count
> logic, and the execing thread can hang forever in kernel space.
>
> Change copy_process() to increment count/live only when we know for
> sure we can't fail. In this case the forked thread will take care
> of its reference to signal correctly.
>
> If copy_process() fails, check CLONE_THREAD flag. If it it set - do
> nothing, the counters were not changed and current belongs to the same
> thread group. If it is not set, ->signal must be released in any case
> (and ->count must be == 1), the forked child is the only thread in the
> thread group.
>
> We need more cleanups here, in particular signal->count should not be
> used by de_thread/__exit_signal at all. This patch only fixes the bug.
>
> Reported-by: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com>
> Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Nice fix!
Tested-by: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com>
Thanks,
Hiroshi
prev parent reply other threads:[~2009-08-25 0:20 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-08-24 4:01 [PATCH] fix race copy_process() vs de_thread() Hiroshi Shimamoto
2009-08-24 5:11 ` KAMEZAWA Hiroyuki
2009-08-24 5:58 ` [PATCH v2] " Hiroshi Shimamoto
2009-08-24 6:14 ` [PATCH] " Roland McGrath
2009-08-24 6:20 ` Roland McGrath
2009-08-24 6:32 ` Hiroshi Shimamoto
2009-08-24 8:38 ` Oleg Nesterov
2009-08-24 8:53 ` Oleg Nesterov
2009-08-24 9:15 ` Roland McGrath
2009-08-24 10:50 ` Oleg Nesterov
2009-08-24 16:27 ` [PATCH v3] " Oleg Nesterov
2009-08-24 16:57 ` Roland McGrath
2009-08-25 0:10 ` Hiroshi Shimamoto [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A932BF6.1090405@ct.jp.nec.com \
--to=h-shimamoto@ct.jp.nec.com \
--cc=akpm@linux-foundation.org \
--cc=kamezawa.hiroyu@jp.fujitsu.com \
--cc=linux-kernel@vger.kernel.org \
--cc=oleg@redhat.com \
--cc=roland@redhat.com \
--cc=stable@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.