From: Todd Inglett <tinglett@vnet.ibm.com>
To: Alexander Viro <viro@math.psu.edu>
Cc: linux-kernel@vger.kernel.org
Subject: Re: SMP races in proc with thread_struct
Date: Thu, 03 May 2001 06:47:33 -0500 [thread overview]
Message-ID: <3AF14555.8699881B@vnet.ibm.com> (raw)
In-Reply-To: <Pine.GSO.4.21.0105011236140.9771-100000@weyl.math.psu.edu>
Alexander Viro wrote:
>
> On Tue, 1 May 2001, Todd Inglett wrote:
>
> > Perhaps this is old news...but...
> >
> > I can easily create a race when reading /proc/<pid>/stat
> > (fs/proc/{base.c,array.c}) where a rapidly reading application, such as
> > "top", starts reading stats for a thread which goes away during the
> > read. This is easily reproduced with a program that rapidly forks and
> > exits while top is running.
> >
> > On inspection, I don't see how the code can expect the thread_struct to
> > stay around since it is not holding any lock for the duration of its
> > use. The code could hold the thread_struct's lock (after verifying it
> > still exists while holding tasklist_lock I would imagine), but for
> > performance I would think a better solution would be to copy the struct
> > since stale data is probably ok in this case.
> >
> > Dereferencing a non-existent thread_struct is clearly not ok.
> >
> > Would anyone familiar with this code care to comment?
>
> Code bumps the reference count of couple of pages that hold task_struct
> when it opens the file.
Yes that's right. [Note that I erroneously wrote thread_struct when I
meant task_struct].
On closer inspection I see it is the *parent* task_struct that is the
problem here. The task has indeed exited and the memory for the
task_struct is correctly held. However, the /proc code will grab
tasklist_lock and dereference the parent task_struct to get the parent
pid. Grabbing tasklist_lock is good, of course, when the task is live
because the parent could be switched at any time. But in this case the
child is already done. And so is the parent. So the child's parent
task_struct is gone, but the stale held task_struct still points to
where it once was.
Does this sound like a possible scenerio?
--
-todd
next prev parent reply other threads:[~2001-05-03 11:48 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2001-05-01 14:30 SMP races in proc with thread_struct Todd Inglett
2001-05-01 16:50 ` Alexander Viro
2001-05-03 11:47 ` Todd Inglett [this message]
2001-05-04 12:34 ` Todd Inglett
2001-05-04 12:46 ` Keith Owens
2001-05-04 13:11 ` Andreas Schwab
2001-05-04 13:38 ` Brian Gerst
2001-05-04 23:27 ` Keith Owens
2001-05-04 14:21 ` Andreas Ferber
2001-05-04 15:18 ` Todd Inglett
2001-05-04 16:04 ` Alexander Viro
2001-05-04 17:52 ` [PATCH][RFC] " Alexander Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3AF14555.8699881B@vnet.ibm.com \
--to=tinglett@vnet.ibm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=viro@math.psu.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox