From: Mathieu Desnoyers <compudj@google.com>
To: Andi Kleen <ak@suse.de>
Cc: Andrew Morton <akpm@linux-foundation.org>,
"Martin J. Bligh" <mbligh@google.com>,
linux-kernel@vger.kernel.org,
"David S. Miller" <davem@davemloft.net>,
Paul Mackerras <paulus@samba.org>,
"Luck, Tony" <tony.luck@intel.com>,
Haavard Skinnemoen <hskinnemoen@atmel.com>
Subject: Re: Thread flags modified without set_thread_flag() (non atomically)
Date: Mon, 05 Mar 2007 20:35:17 -0800
Message-ID: <45ECEF85.2080503@google.com>
In-Reply-To: <20070305144033.GG22829@bingen.suse.de>
Andi Kleen wrote:
>> It does seem risky. Perhaps it is a micro-optimisation which utilises
>> knowledge that this thread_struct cannot be looked up via any path in this
>> context.
>>
>> Or perhaps it is a bug. Andi, can you please comment?
>>
>
> On flush_thread nobody else can mess with the thread, so yes it's a micro
> optimization.
>
>
Hi Andi,
Here is what I think would be a counter-example:

If, at the same time, we have, on x86_64:

The parent process executing:

  sys_ptrace()
    (lock_kernel())
    (ptrace_get_task_struct(pid))
    arch_ptrace()
      ptrace_detach()
        ptrace_disable(child);
          clear_singlestep(child);
            clear_tsk_thread_flag(child, TIF_SINGLESTEP);
            (which clears the TIF_SINGLESTEP flag atomically from a
            different process)
    (put_task_struct(child))
    (unlock_kernel())

And at the same time, in the child process:

  sys_execve()
    do_execve()
      search_binary_handler()
        load_elf_binary()
          flush_old_exec()
            flush_thread()
              doing a non-atomic thread flag update

Is there any protection mechanism that would protect from this race
condition that I have missed?
>>> And about this specific flush_thread, I am puzzled about the t->flags ^=
>>> (_TIF_ABI_PENDING | _TIF_IA32); line. The XOR will clearly flip the
>>> _TIF_ABI_PENDING bit to 0, and very likely set _TIF_IA32 to the opposite
>>> of its current value. Why does this change need to be written atomically
>>> (can other threads play with these flags ?) ?
>>>
>>>
>> Don't know.
>>
>
> iirc it came from DaveM originally. He just likes to write things in
> comp^wclever ways :0) It's just a little shorter.
>
>
>> No, I don't immediately see anything in the flush_old_exec() code path
>> which tells us that nobody else can look up this thread_info (or be holding
>> a ref to it) in this context.
>>
>
> Normally the process flags atomicity should only matter with signals;
> i don't think you can send a signal to a process being in exec this way.
>
> -Andi
>
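A deterministic model of the interleaving described in this message, added here as an example (it is not code from the thread or from the kernel); the bit positions, the GCC __atomic builtins standing in for the kernel's atomic bitops, and the split of the XOR into load/compute/store steps are assumptions:

```c
/* Added example, not kernel code: a deterministic model of the race
 * between ptrace_detach()'s atomic clear_tsk_thread_flag() and
 * flush_thread()'s plain "t->flags ^= (_TIF_ABI_PENDING | _TIF_IA32)".
 * Bit positions and the GCC __atomic builtins are assumptions standing
 * in for asm/thread_info.h and the kernel's atomic bitops. */
#include <stdio.h>
#define TIF_SINGLESTEP   (1UL << 4)   /* assumed bit positions */
#define TIF_IA32         (1UL << 17)
#define TIF_ABI_PENDING  (1UL << 19)
#define FLIP_MASK        (TIF_ABI_PENDING | TIF_IA32)

/* The tracer's side: an atomic read-modify-write that cannot be split. */
static void tracer_clear_singlestep(unsigned long *flags)
{
    __atomic_fetch_and(flags, ~TIF_SINGLESTEP, __ATOMIC_SEQ_CST);
}

/* Racy schedule: the child's non-atomic XOR is three machine steps
 * (load, compute, store) and the tracer's clear lands between them. */
unsigned long racy_interleaving(unsigned long initial)
{
    unsigned long flags = initial;
    unsigned long tmp = flags;                /* child: load            */
    tmp ^= FLIP_MASK;                         /* child: compute         */
    tracer_clear_singlestep(&flags);          /* tracer: atomic clear   */
    flags = tmp;                              /* child: stale store     */
    return flags;                             /* TIF_SINGLESTEP is back */
}

/* Fixed schedule: the child also uses an atomic RMW, so whichever side
 * runs first, both updates survive. */
unsigned long atomic_interleaving(unsigned long initial, int tracer_first)
{
    unsigned long flags = initial;
    if (tracer_first)
        tracer_clear_singlestep(&flags);
    __atomic_fetch_xor(&flags, FLIP_MASK, __ATOMIC_SEQ_CST);
    if (!tracer_first)
        tracer_clear_singlestep(&flags);
    return flags;
}

int main(void)
{
    unsigned long start = TIF_SINGLESTEP | TIF_ABI_PENDING;
    printf("racy %#lx, atomic %#lx\n", racy_interleaving(start),
           atomic_interleaving(start, 0));
    return 0;
}
```

With the racy schedule the tracer's clear is overwritten by the child's stale store, so the single-step bit is set again after ptrace_detach() has supposedly cleared it; with atomic RMW on both sides the result is the same in either order.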