From: Oleg Nesterov <oleg-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
To: Konstantin Khlebnikov
<khlebnikov-XoJtRXgx1JseBXzfvpsJ4g@public.gmane.org>
Cc: linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Andrew Morton
<akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>,
Linus Torvalds
<torvalds-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Roman Gushchin <klamm-XoJtRXgx1JseBXzfvpsJ4g@public.gmane.org>,
Nikita Vetoshkin
<nekto0n-XoJtRXgx1JseBXzfvpsJ4g@public.gmane.org>,
Pavel Emelyanov <xemul-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
Subject: Re: [PATCH 1/2] kernel/fork: handle put_user errors for CLONE_CHILD_SETTID/CLEARTID
Date: Fri, 6 Feb 2015 20:44:05 +0100
Message-ID: <20150206194405.GA13960@redhat.com>
In-Reply-To: <20150206162301.18031.32251.stgit@buzz>
On 02/06, Konstantin Khlebnikov wrote:
>
> Whole sequence looks like: task calls fork, glibc calls syscall clone with
> CLONE_CHILD_SETTID and passes pointer to TLS THREAD_SELF->tid as argument.
> Child task gets read-only copy of VM including TLS. Child calls put_user()
> to handle CLONE_CHILD_SETTID from schedule_tail(). put_user() triggers a page
> fault and it fails because do_wp_page() hits memcg limit without invoking
> OOM-killer because this is page-fault from kernel-space.
Because of !FAULT_FLAG_USER?
Perhaps we should fix this? Say mem_cgroup_oom_enable/disable around put_user(),
I dunno.
> put_user() returns
> -EFAULT, which is ignored. Child returns into user-space and catches here
> assert (THREAD_GETMEM (self, tid) != ppid),
If only I understood why else we need CLONE_CHILD_SETTID ;)
> --- a/kernel/sched/core.c
> +++ b/kernel/sched/core.c
> @@ -2312,8 +2312,20 @@ asmlinkage __visible void schedule_tail(struct task_struct *prev)
> post_schedule(rq);
> preempt_enable();
>
> - if (current->set_child_tid)
> - put_user(task_pid_vnr(current), current->set_child_tid);
> + if (current->set_child_tid &&
> + unlikely(put_user(task_pid_vnr(current), current->set_child_tid))) {
> + int dummy;
> +
> + /*
> + * If this address is unreadable then userspace has not set
> + * proper pointer. Application either doesn't care or will
> + * notice this soon. If this address is readable then task
> + * will be mislead about its own tid. It's better to die.
> + */
> + if (!get_user(dummy, current->set_child_tid) &&
> + !fatal_signal_pending(current))
> + force_sig(SIGSEGV, current);
> + }
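Review bot: the get_user() probe in the new error path cannot reliably tell "userspace passed a bogus pointer" from "the page could not be brought in", yet the comment above it rests on exactly that distinction. A read of a swapped-out page also takes a fault, and that fault can fail under the same memcg charge that made the put_user() write fail, so a child with a perfectly valid set_child_tid can see get_user() fail as well, skip the force_sig(), and return to user space with the stale tid in TLS, which is the silent corruption this change sets out to stop. Either treat any put_user() failure on a non-NULL set_child_tid as fatal, or make the COW fault itself succeed or report properly, rather than inferring userspace's intent from a second access to the same page. Note also that this hunk only touches set_child_tid; the CLONE_CHILD_CLEARTID path named in the subject is not visible here. Minor: "mislead" in the comment should read "misled".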
Well, get_user() can fail the same way? The page we need to cow can be
swapped out.
At first glance, to me this problem should be solved somewhere else...
I'll try to reread this all tomorrow.
Oleg.
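As an added example, not part of this thread or of the patch under discussion: a small Linux-only C program that exercises CLONE_CHILD_SETTID and CLONE_CHILD_CLEARTID directly through the glibc clone() wrapper, so the behaviour being argued about can be observed from user space. The first case uses a writable slot and checks that the kernel stores the child's tid before the child runs and zeroes it at exit. The second case puts the slot in a PROT_NONE page; this is an assumption standing in for the "COW fails under the memcg limit" case described above, which cannot be provoked portably, but it reaches the same ignored put_user() in schedule_tail(). The point it makes is the one the thread makes: clone() still returns a pid, the child runs, and nobody is told that the tid never landed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Filled in by the child; visible to the parent because we clone with CLONE_VM. */
struct child_report {
    pid_t *slot;   /* child_tid slot the child may read, or NULL to leave it alone */
    pid_t seen;    /* *slot as the child found it on its first instruction (-1 = not read) */
    pid_t gettid;  /* the child's real tid straight from the kernel */
};

static int child_fn(void *arg)
{
    struct child_report *rep = arg;

    /* Raw syscalls only: the child shares our address space but nothing
     * here is thread-safe, so no stdio or malloc. */
    rep->gettid = (pid_t)syscall(SYS_gettid);
    if (rep->slot)
        rep->seen = *rep->slot;   /* written by schedule_tail() before we got here */
    return 0;                     /* glibc's clone() wrapper _exit()s with this */
}

/*
 * clone() a child that shares our memory, asking the kernel to store the
 * child's tid at `slot` (CLONE_CHILD_SETTID) plus any extra flags, wait for
 * it, and return the pid clone() reported (-1 on error).
 */
static pid_t run_child(pid_t *slot, int extra_flags, int child_reads_slot,
                       struct child_report *rep)
{
    const size_t stack_size = 64 * 1024;
    char *stack = mmap(NULL, stack_size, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK, -1, 0);
    if (stack == MAP_FAILED)
        return -1;

    memset(rep, 0, sizeof(*rep));
    rep->slot = child_reads_slot ? slot : NULL;
    rep->seen = -1;

    /* glibc wrapper argument order: fn, stack top, flags, arg, ptid, tls, ctid */
    pid_t pid = clone(child_fn, stack + stack_size,
                      CLONE_VM | SIGCHLD | CLONE_CHILD_SETTID | extra_flags,
                      rep, NULL, NULL, slot);
    if (pid > 0) {
        int status;
        while (waitpid(pid, &status, __WALL) < 0 && errno == EINTR)
            ;
    }
    munmap(stack, stack_size);
    return pid;
}

/*
 * Writable slot: the kernel stores the tid before the child runs and, with
 * CLONE_CHILD_CLEARTID, zeroes it again at exit.  Returns 1 if both happened.
 */
int demo_writable_slot(void)
{
    pid_t slot = 0;
    struct child_report rep;
    pid_t pid = run_child(&slot, CLONE_CHILD_CLEARTID, 1, &rep);

    if (pid <= 0)
        return 0;
    return rep.seen == pid && rep.gettid == pid && slot == 0;
}

/*
 * Unwritable slot (assumption: a PROT_NONE page stands in for the COW-under-
 * memcg-limit failure from the thread).  The kernel's put_user() fails,
 * nothing reports it, clone() still returns a pid and the child runs.
 * Returns 1 if the failure was silent: the child ran, and the slot is still
 * 0 once the page is made readable.
 */
int demo_unwritable_slot(void)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    pid_t *slot = mmap(NULL, pagesz, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    struct child_report rep;
    int silent = 0;

    if (slot == MAP_FAILED)
        return 0;
    pid_t pid = run_child(slot, 0, 0, &rep);
    if (pid > 0 && mprotect(slot, pagesz, PROT_READ | PROT_WRITE) == 0)
        silent = rep.gettid == pid && *slot == 0;
    munmap(slot, pagesz);
    return silent;
}

int main(void)
{
    printf("writable slot: tid set then cleared: %s\n",
           demo_writable_slot() ? "yes" : "no");
    printf("PROT_NONE slot: put_user failure ignored, child ran: %s\n",
           demo_unwritable_slot() ? "yes" : "no");
    return 0;
}
```

The second case is the user-visible shape of the bug in the thread: glibc's fork() hands the kernel a pointer into TLS and trusts that the tid arrives, and when the write fails for any reason the only symptom is the later assert in glibc, because clone() itself reports success.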
Thread overview: 13+ messages
2015-02-06 16:23 [PATCH 1/2] kernel/fork: handle put_user errors for CLONE_CHILD_SETTID/CLEARTID Konstantin Khlebnikov
2015-02-06 16:23 ` [PATCH 2/2] kernel/fork: handle put_user errors for CLONE_PARENT_SETTID Konstantin Khlebnikov
2015-02-06 20:49 ` Linus Torvalds
2015-02-06 21:07 ` Oleg Nesterov
2015-02-06 21:13 ` Konstantin Khlebnikov
2015-02-06 21:55 ` Andy Lutomirski
2015-02-06 22:10 ` Linus Torvalds
2015-02-06 19:44 ` Oleg Nesterov [this message]
2015-02-06 19:55 ` [PATCH 1/2] kernel/fork: handle put_user errors for CLONE_CHILD_SETTID/CLEARTID Oleg Nesterov
2015-02-06 20:27 ` Konstantin Khlebnikov
2015-02-06 20:32 ` memcg && uaccess (Was: [PATCH 1/2] kernel/fork: handle put_user errors for CLONE_CHILD_SETTID/CLEARTID) Oleg Nesterov
2015-02-10 16:19 ` Johannes Weiner
2015-02-10 19:47 ` Oleg Nesterov