From: Mike Galbraith <efault@gmx.de>
To: Ingo Molnar <mingo@elte.hu>
Cc: Peter Zijlstra <peterz@infradead.org>,
Miklos Vajna <vmiklos@frugalware.org>,
shenghui <crosslonelyover@gmail.com>,
kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org,
Greg KH <greg@kroah.com>, Paul Turner <pjt@google.com>,
Yong Zhang <yong.zhang0@gmail.com>,
Li Zefan <lizf@cn.fujitsu.com>, Paul Menage <menage@google.com>,
Balbir Singh <balbir@linux.vnet.ibm.com>,
Srivatsa Vaddagiri <vatsa@in.ibm.com>
Subject: [PATCH] Re: [PATCH] sched, cgroup: Use exit hook to avoid use-after-free crash
Date: Fri, 31 Dec 2010 09:32:30 +0100
Message-ID: <1293784350.6839.2.camel@marge.simson.net>
In-Reply-To: <20101229152522.GA23825@elte.hu>

On Wed, 2010-12-29 at 16:25 +0100, Ingo Molnar wrote:

> I tried this patch, but it causes a boot crash:

The below should fix it.

sched: fix autogroup reference leak and cpu_cgroup_exit() explosion

In the event of a fork failure, the new cpu_cgroup_exit() method tries to
move an unhashed task. Since PF_EXITING isn't set in that case, autogroup
will dig aground in a freed signal_struct. Neither cgroups nor autogroup
has anything it needs to do with this shade, so don't go there.

This also uncovered a struct autogroup reference leak. copy_process() was
simply freeing vs putting the signal_struct, stranding a reference.

Signed-off-by: Mike Galbraith <efault@gmx.de>
---
kernel/fork.c | 2 +-
kernel/sched.c | 10 ++++++++++
2 files changed, 11 insertions(+), 1 deletion(-)
Index: linux-2.6.37.git/kernel/fork.c
===================================================================
--- linux-2.6.37.git.orig/kernel/fork.c
+++ linux-2.6.37.git/kernel/fork.c
@@ -1318,7 +1318,7 @@ bad_fork_cleanup_mm:
}
bad_fork_cleanup_signal:
if (!(clone_flags & CLONE_THREAD))
- free_signal_struct(p->signal);
+ put_signal_struct(p->signal);
bad_fork_cleanup_sighand:
__cleanup_sighand(p->sighand);
bad_fork_cleanup_fs:
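
Review bot: at bad_fork_cleanup_signal, put_signal_struct() only releases the structure when it drops the last reference, so this fix depends on p->signal holding exactly one reference whenever this label is reached; a sentence in the changelog stating that would let a reader confirm the autogroup reference really is dropped on this path. This is also independent of the cpu_cgroup_exit() change (the changelog says it was uncovered along the way), so consider sending it as its own patch so the leak fix and the crash fix can be applied or reverted separately.
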
Index: linux-2.6.37.git/kernel/sched.c
===================================================================
--- linux-2.6.37.git.orig/kernel/sched.c
+++ linux-2.6.37.git/kernel/sched.c
@@ -9193,6 +9193,16 @@ cpu_cgroup_attach(struct cgroup_subsys *
static void
cpu_cgroup_exit(struct cgroup_subsys *ss, struct task_struct *task)
{
+ /*
+ * cgroup_exit() is called in the copy_process failure path.
+ * The task isn't hashed, and we don't want to make autogroup
+ * dig into a freed signal_struct, so just go away.
+ *
+ * XXX: why are cgroup methods diddling unattached tasks?
+ */
+ if (!(task->flags & PF_EXITING))
+ return;
+
sched_move_task(task);
}
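
Review bot: the early return in cpu_cgroup_exit() tests PF_EXITING, while the comment above it justifies the return by the task being unhashed after a copy_process() failure, so the condition checked and the condition described are not the same thing. Please spell out in the comment why a clear PF_EXITING can only mean the fork failure path here, since any other caller that reaches this hook without the flag set would now silently skip sched_move_task(). The XXX question is better answered in the changelog, or resolved in cgroup_exit() itself, than left open in the code.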