From: Oleg Nesterov <oleg@redhat.com>
To: Mateusz Guzik <mjguzik@gmail.com>
Cc: alexjlzheng@gmail.com, usamaarif642@gmail.com, david@kernel.org,
akpm@linux-foundation.org, lorenzo.stoakes@oracle.com,
alexjlzheng@tencent.com, mingo@kernel.org, ruippan@tencent.com,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: Re: [PATCH] procfs: fix missing RCU protection when reading real_parent in do_task_stat()
Date: Wed, 28 Jan 2026 09:01:35 +0100 [thread overview]
Message-ID: <aXnCX7SmABmQJis3@redhat.com> (raw)
In-Reply-To: <zgqq2et7hf4fh3ggzvvcfmr5wkwoqjfzftxpdedinwinpr4xun@jrbtkbd5ig6n>
On 01/27, Mateusz Guzik wrote:
>
> On Tue, Jan 27, 2026 at 06:25:25PM +0100, Oleg Nesterov wrote:
> > On 01/27, alexjlzheng@gmail.com wrote:
> > > --- a/fs/proc/array.c
> > > +++ b/fs/proc/array.c
> > > @@ -528,7 +528,9 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
> > > }
> > >
> > > sid = task_session_nr_ns(task, ns);
> > > - ppid = task_tgid_nr_ns(task->real_parent, ns);
> > > + rcu_read_lock();
> > > + ppid = task_tgid_nr_ns(rcu_dereference(task->real_parent), ns);
> > > + rcu_read_unlock();
> >
> > But this can't really help. If task->real_parent has already exited and
> > it was reaped, then it is actually "Too late!" for rcu_read_lock().
> >
> > Please use task_ppid_nr_ns() which does the necessary pid_alive() check.
Ah, I was wrong, I forgot about lock_task_sighand(task). So in this case
pid_alive() is not necessary, and the patch is fine.
But unless you have a strong opinion, I'd still suggest to use
task_ppid_nr_ns(), see below.
> Suppose it fits the time window between the current parent exiting and
> the task being reassigned to init. Then you transiently see 0 as the pid,
> instead of 1 (or whatever). This reads like a bug to me.
But we can't avoid this. Without tasklist_lock even
task_tgid_nr_ns(current->real_parent, ns);
can return zero if we race with reparenting. If ->real_parent is reaped
right after we read the ->real_parent pointer, it has no pids. See
__unhash_process() -> detach_pid().
> It probably should do precisely the same thing proposed in this patch,
> as in:
> rcu_read_lock();
> ppid = task_tgid_nr_ns(rcu_dereference(task->real_parent), ns);
> rcu_read_unlock();
No, task_ppid_nr_ns(tsk) does need the pid_alive() check. If tsk exits,
tsk->real_parent points to nowhere, rcu_read_lock() can't help.
This all needs cleanups. ->real_parent and ->group_leader need the helpers
(probably with some CONFIG_PROVE_RCU checks) and they should be moved to
signal_struct.
So far I have only sent some trivial initial cleanups/preparations, see
https://lore.kernel.org/all/aXY_h8i78n6yD9JY@redhat.com/
I'll try to do the next step this week. If I have time ;) I am on a
forced PTO caused by renovations in our apartment.
Oleg.
next prev parent reply other threads:[~2026-01-28 8:01 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-27 15:04 [PATCH] procfs: fix missing RCU protection when reading real_parent in do_task_stat() alexjlzheng
2026-01-27 17:25 ` Oleg Nesterov
2026-01-27 18:49 ` Mateusz Guzik
2026-01-28 3:15 ` Jinliang Zheng
2026-01-28 8:01 ` Oleg Nesterov [this message]
2026-01-28 8:10 ` Jinliang Zheng
2026-01-28 3:10 ` Jinliang Zheng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aXnCX7SmABmQJis3@redhat.com \
--to=oleg@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=alexjlzheng@gmail.com \
--cc=alexjlzheng@tencent.com \
--cc=david@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lorenzo.stoakes@oracle.com \
--cc=mingo@kernel.org \
--cc=mjguzik@gmail.com \
--cc=ruippan@tencent.com \
--cc=usamaarif642@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.