From: Oleg Nesterov <oleg@redhat.com>
To: Tobias Klauser <tklauser@distanz.ch>
Cc: Matt Mooney <mfm@muteddisk.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	linux-kernel@vger.kernel.org
Subject: Re: ping: drivers/staging/usbip/ abuses task_is_dead/exit_state
Date: Thu, 8 Mar 2012 19:57:39 +0100
Message-ID: <20120308185739.GA18935@redhat.com>
In-Reply-To: <20120306193040.GD21503@distanz.ch>

On 03/06, Tobias Klauser wrote:
>
> On 2012-03-06 at 18:39:25 +0100, Oleg Nesterov <oleg@redhat.com> wrote:
> >
> > OK, since nobody cares, probably I should make the patch even if I don't
> > understand this code at all and can't test the change.
> >
> > But, Tobias, maybe you can explain what this task_is_dead() check was
> > supposed to do?
>
> As mentioned in the commit message, this was needed for me to work
> around a NULL pointer dereference I got during unbinding

Where? OK, I guess you do not remember the trace ;)

> (I only
> experienced this behaviour on the nios2 platform though, couldn't
> reproduce it on e.g. x86_64).

OK,

> I wasn't really familiar with the codebase of usbip (and still am not)
> but came up with the fix by more or less blindly copying what the
> opposite side is checking for in stub_shutdown_connection(). This fixed
> the behaviour for me and seemed legitimate as it was done equally there.

But this looks "obviously wrong", and afaics just hides the problem.
Not to mention this check is racy, it is simply unsafe to dereference
this task_struct if the kthread has already exited.

At first glance we need something like the patch below (and stub_dev.c
needs the same fix). It assumes that:

	- vhci_shutdown_connection() is the only caller of kthread_stop(),
	  iow nobody else does kthread_stop(tcp_*x)

	- we can't leak the task_struct, vhci_shutdown_connection() should
	  be called in any case at some point.

I'll try to grep more, but perhaps you can ack my understanding?

Oleg.

--- x/drivers/staging/usbip/vhci_sysfs.c
+++ x/drivers/staging/usbip/vhci_sysfs.c
@@ -155,6 +155,16 @@ static int valid_args(__u32 rhport, enum
 	return 0;
 }
 
+#define kthread_get_run(threadfn, data, namefmt, ...)			   \
+({									   \
+	struct task_struct *__k						   \
+		= kthread_create(threadfn, data, namefmt, ## __VA_ARGS__); \
+	if (!IS_ERR(__k)) {						   \
+		get_task_struct(__k);
+		wake_up_process(__k);					   \
+	}								   \
+	__k;								   \
+})
 /*
  * To start a new USB/IP attachment, a userland program needs to setup a TCP
  * connection and then write its socket descriptor with remote device
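Review bot: the `get_task_struct(__k);` line inside the kthread_get_run() macro has no trailing `\`, so the #define ends there and `wake_up_process(__k);`, the closing `}` and `__k;` sit outside the macro; this will not compile. Add the line continuation. Since the mail says stub_dev.c needs the same treatment, the macro belongs in a shared header rather than in vhci_sysfs.c, with a comment stating the contract: on success the caller owns one reference and must pair kthread_stop() with put_task_struct(); on error an ERR_PTR comes back with nothing to put. A blank line between the macro and the following comment block would also match the surrounding style.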
@@ -222,8 +232,8 @@ static ssize_t store_attach(struct devic
 	spin_unlock(&the_controller->lock);
 	/* end the lock */
 
-	vdev->ud.tcp_rx = kthread_run(vhci_rx_loop, &vdev->ud, "vhci_rx");
-	vdev->ud.tcp_tx = kthread_run(vhci_tx_loop, &vdev->ud, "vhci_tx");
+	vdev->ud.tcp_rx = kthread_get_run(vhci_rx_loop, &vdev->ud, "vhci_rx");
+	vdev->ud.tcp_tx = kthread_get_run(vhci_tx_loop, &vdev->ud, "vhci_tx");
 
 	rh_port_connect(rhport, speed);
 
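Review bot: neither assignment checks the return value, so if kthread_create() fails `tcp_rx`/`tcp_tx` hold an ERR_PTR rather than NULL; the `if (vdev->ud.tcp_rx)` test in vhci_shutdown_connection() then passes and kthread_stop()/put_task_struct() run on an error pointer. The replaced kthread_run() calls had the same gap for kthread_stop(), but the added put_task_struct() makes it worth closing here: test the result with IS_ERR(), store NULL (or fail store_attach() and undo the connection setup) on error.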
--- x/drivers/staging/usbip/vhci_hcd.c
+++ x/drivers/staging/usbip/vhci_hcd.c
@@ -860,10 +860,14 @@ static void vhci_shutdown_connection(str
 	}
 
 	/* kill threads related to this sdev, if v.c. exists */
-	if (vdev->ud.tcp_rx && !task_is_dead(vdev->ud.tcp_rx))
+	if (vdev->ud.tcp_rx) {
 		kthread_stop(vdev->ud.tcp_rx);
-	if (vdev->ud.tcp_tx && !task_is_dead(vdev->ud.tcp_tx))
+		put_task_struct(vdev->ud.tcp_rx);
+	}
+	if (vdev->ud.tcp_tx) {
 		kthread_stop(vdev->ud.tcp_tx);
+		put_task_struct(vdev->ud.tcp_tx);
+	}
 
 	pr_info("stop threads\n");
 
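Review bot: after put_task_struct() the `tcp_rx`/`tcp_tx` fields still hold the dropped pointers, so a second pass through this function, or any other path that tests these fields for non-NULL, would call kthread_stop() and put_task_struct() on a task it no longer owns. Set each field to NULL right after its put_task_struct(), under whatever lock protects `vdev->ud`. The held reference is what makes kthread_stop() safe even when the thread has already exited, which is the point of the change, but the reference must be released exactly once.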

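The ownership rule behind the patch, as an added userspace model that is not code from the mail, the usbip driver or the kernel: a task-like struct whose memory is released when its last reference goes, a thread that drops its own reference on exit, and a creator that takes a reference before waking the thread and drops it after stopping it. The names struct task, task_get_run(), task_stop(), get_task()/put_task(), trampoline(), run_and_stop() and the two workers are invented for the illustration; the usage, should_stop and tasks_freed fields are constructed bookkeeping. The early_worker case is the one the task_is_dead() check tried to handle: the thread exits long before anyone calls stop, and only the creator's reference keeps the struct valid to read.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Hypothetical userspace stand-in for struct task_struct; "usage" plays the role
 * of task_struct->usage. The thread owns one reference from birth; anyone who
 * touches the struct after the thread may have exited must hold another. */
struct task {
	atomic_int usage; atomic_bool should_stop;
	pthread_t tid;
	int (*fn)(void *); void *data;
	int exit_code; bool exited;
};

static atomic_int tasks_freed;              /* lets callers observe frees */
static _Thread_local struct task *current;  /* the kernel's "current" */

static void get_task(struct task *t) { atomic_fetch_add(&t->usage, 1); }
static void put_task(struct task *t)
{
	/* last reference dropped: the memory goes away, like release_task() */
	if (atomic_fetch_sub(&t->usage, 1) == 1) {
		atomic_fetch_add(&tasks_freed, 1);
		free(t);
	}
}
static bool task_should_stop(void) { return atomic_load(&current->should_stop); }

static void *trampoline(void *arg)
{
	struct task *t = current = arg;
	t->exit_code = t->fn(t->data);
	t->exited = true;
	put_task(t);			/* the thread drops its own reference */
	return NULL;
}

/* Mirrors the patch's kthread_get_run(): the caller's reference is taken
 * before the thread runs, so the struct cannot vanish under task_stop(). */
static struct task *task_get_run(int (*fn)(void *), void *data)
{
	struct task *t = calloc(1, sizeof(*t));
	if (!t)
		return NULL;
	atomic_init(&t->usage, 1);	/* the thread's reference */
	t->fn = fn; t->data = data;
	get_task(t);			/* the caller's reference */
	if (pthread_create(&t->tid, NULL, trampoline, t) != 0) {
		free(t);		/* never ran, so nobody else holds it */
		return NULL;
	}
	return t;
}

/* Mirrors kthread_stop(): fine even if the thread exited long ago, because the
 * caller's reference keeps *t alive. The caller put_task()s afterwards. */
static int task_stop(struct task *t)
{
	atomic_store(&t->should_stop, true);
	pthread_join(t->tid, NULL);
	return t->exit_code;
}

static void sleep_ms(long ms)
{
	struct timespec ts = { .tv_sec = ms / 1000, .tv_nsec = (ms % 1000) * 1000000L };
	nanosleep(&ts, NULL);
}

static int early_worker(void *d) { (void)d; return 7; }	/* exits at once */
static int loop_worker(void *d)		/* runs until told to stop */
{
	int n = 0;
	(void)d;
	do {
		n++;
		sleep_ms(1);
	} while (!task_should_stop());
	return n;			/* iterations completed before the stop */
}

/* Start a worker, give it time, stop it, drop our reference. Returns the worker's
 * exit code, or a negative value if the reference bookkeeping went wrong. */
static int run_and_stop(int (*fn)(void *), void *data)
{
	int freed_before = atomic_load(&tasks_freed), code;
	struct task *t = task_get_run(fn, data);
	if (!t)
		return -1;
	sleep_ms(20);			/* early_worker has long exited by now */
	code = task_stop(t);		/* *t still valid: we hold a reference */
	if (!t->exited || atomic_load(&tasks_freed) != freed_before)
		return -2;		/* the thread's own put_task() must not free it */
	put_task(t);			/* ours was the last reference */
	return atomic_load(&tasks_freed) == freed_before + 1 ? code : -3;
}

int main(void)
{
	printf("early exit: worker returned %d\n", run_and_stop(early_worker, NULL));
	printf("stop loop: %d iterations before stop\n", run_and_stop(loop_worker, NULL));
	return 0;
}
```

Without the get_task() call in task_get_run(), the put_task() in trampoline() would drop the last reference and task_stop() would read freed memory; a task_is_dead()-style test cannot close that window, because the test itself has to dereference the struct it is trying to validate.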
