From: Oleg Nesterov <oleg@tv-sign.ru>
To: Ingo Molnar <mingo@elte.hu>
Cc: Jesper Juhl <jesper.juhl@gmail.com>,
linux-kernel@vger.kernel.org, Pavel Emelyanov <xemul@openvz.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
Sukadev Bhattiprolu <sukadev@us.ibm.com>
Subject: fork_idle && pid problems ? (was: Possible mem leak in copy_process())
Date: Thu, 17 Apr 2008 18:02:46 +0400 [thread overview]
Message-ID: <20080417140246.GA257@tv-sign.ru> (raw)
In-Reply-To: <20080417130252.GB6640@elte.hu>
On 04/17, Ingo Molnar wrote:
>
> * Oleg Nesterov <oleg@tv-sign.ru> wrote:
>
> > > 1331 if (likely(p->pid)) {
>
> > > 1351 }
>
> > > Event leaked_storage: Returned without freeing storage "pid" Also
> > > see events: [alloc_fn][var_assign][pass_arg]
> >
> > this looks like a false alarm.
> >
> > p->pid == pid->numbers[0].nr. If "struct pid *pid" was allocated, its
> > .nr can't be 0.
> >
> > IOW, !p->pid means that pid == init_struct_pid, it wasn't allocated
> > but was passed from the caller.
>
> should we perhaps codify this rule via adding something like this to the
> else branch:
>
> WARN_ON_ONCE(task_pid(p) != &init_struct_pid);
>
> ?
Perhaps yes, I don't know...
But please note that we heavily rely on the fact that nobody except idle
threads can have pid_nr == 0, and more importantly, each "struct pid" must
have the unique .nr withing the same namespace (init_pid_ns in this case).
I'd suggest to just add a small comment.
But wait... What _is_ the task_pid() after fork_idle() ???
fork_idle() doesn't really attach the new thread to the init_struct_pid,
so ->pids[PIDTYPE_PID].pid just points the parent's pid, no?
As for x86, the parent is /sbin/init (kernel_init->smp_prepare_cpus),
not so bad, it can't exit.
But what about HOTPLUG_CPU? Suppose we add CPU, use some non-idle
kernel thread (workqueue) to fork the idle thread. CPU goes down,
parent exits and frees the pid. Now, if this CPU goes up again, the
idle thread runs with its ->pid pointing to the freed memory, not
good.
Not serious perhaps, afaics we only need this ->pid to ensure that
swapper can safely fork /sbin/init, but still.
Pavel, Eric, Sukadev? Please say I missed something! ;)
Otherwise, we can change init_idle() to do attach_pid(init_struct_pid),
afaics we can do this lockless. In that case we should also change
INIT_STRUCT_PID() and remove the initialization of .tasks.
Oleg.
next prev parent reply other threads:[~2008-04-17 15:03 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-04-16 21:45 Possible mem leak in copy_process() Jesper Juhl
2008-04-17 4:17 ` Arnd Bergmann
2008-04-17 11:57 ` Oleg Nesterov
2008-04-17 13:02 ` Ingo Molnar
2008-04-17 14:02 ` Oleg Nesterov [this message]
2008-04-17 15:50 ` fork_idle && pid problems ? Pavel Emelyanov
2008-04-17 15:36 ` Oleg Nesterov
2008-04-17 16:40 ` Pavel Emelyanov
2008-04-17 16:05 ` Oleg Nesterov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080417140246.GA257@tv-sign.ru \
--to=oleg@tv-sign.ru \
--cc=ebiederm@xmission.com \
--cc=jesper.juhl@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@elte.hu \
--cc=sukadev@us.ibm.com \
--cc=xemul@openvz.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox