From: Oleg Nesterov <oleg@redhat.com>
To: Siddhesh Poyarekar <siddhesh.poyarekar@gmail.com>
Cc: Mark Salter <msalter@redhat.com>,
linux-next <linux-next@vger.kernel.org>,
linux-kernel <linux-kernel@vger.kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
Paul Gortmaker <paul.gortmaker@windriver.com>
Subject: Re: [PATCH 2/2] mm/linux-next: Fix rcu locking in vm_is_stack
Date: Wed, 7 Mar 2012 16:38:49 +0100 [thread overview]
Message-ID: <20120307153849.GA18879@redhat.com> (raw)
In-Reply-To: <1331064994-6693-2-git-send-email-siddhesh.poyarekar@gmail.com>
On 03/07, Siddhesh Poyarekar wrote:
>
> Take rcu read lock before we do anything at all with the threadgroup
> list. Also use list_first_entry_rcu to safely get the reference to the
> first task in the list.
Sorry, but both patches are absolutely wrong, afaics. This change fixes
nothing, just obfuscates the code.
Probably my explanation was not clear, let me try again.
rcu_read_lock() can not help without the additional checks. By the
time you take it, task->thread_group->next can point to nowhere.
So,
> @@ -3932,18 +3932,20 @@ pid_t vm_is_stack(struct task_struct *task,
> return task->pid;
>
> if (in_group) {
> - struct task_struct *t = task;
> + struct task_struct *t;
> rcu_read_lock();
> - while_each_thread(task, t) {
> + t = list_first_entry_rcu(&task->thread_group,
> + struct task_struct, thread_group);
It is not safe to dereference this pointer.
Once again. You have the task_struct *task. It exits,
but task->thread_group->next still points to another thread T. Now suppose
that T exits too. But task->thread_group->next was not changed, it still
points to T. RCU grace period passes, T is freed.
After that you take rcu_read_lock(), but it is too late! >next points to
the already freed/reused memory. How can list_first_entry_rcu() help?
What you need is something like
rcu_read_lock();
if (!pid_alive(task))
goto done;
t = task;
do {
...
} while_each(task, t);
done:
rcu_read_unlock();
And. Imho it is not good to have the (afaics exactly?) same code in
mm/nommu.c, even with the same names. Why it is not possible to make
a single definition?
Oleg.
next prev parent reply other threads:[~2012-03-07 15:38 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-03-06 14:49 nommu build failure in linux-next Mark Salter
2012-03-06 15:19 ` Siddhesh Poyarekar
2012-03-06 20:16 ` [PATCH 1/2] mm: Fix task_nommu build regression " Siddhesh Poyarekar
2012-03-06 20:16 ` [PATCH 2/2] mm/linux-next: Fix rcu locking in vm_is_stack Siddhesh Poyarekar
2012-03-07 15:38 ` Oleg Nesterov [this message]
2012-03-07 16:05 ` Siddhesh Poyarekar
2012-03-07 22:11 ` Siddhesh Poyarekar
2012-03-08 17:40 ` Oleg Nesterov
2012-03-08 18:35 ` Siddhesh Poyarekar
2012-03-06 20:39 ` [PATCH 1/2] mm: Fix task_nommu build regression in linux-next Andrew Morton
2012-03-07 3:31 ` Siddhesh Poyarekar
2012-03-07 16:43 ` Siddhesh Poyarekar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120307153849.GA18879@redhat.com \
--to=oleg@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-next@vger.kernel.org \
--cc=msalter@redhat.com \
--cc=paul.gortmaker@windriver.com \
--cc=siddhesh.poyarekar@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox