CINXE.COM

LKML: Paul Jackson: [PATCH 04/10] Cpuset: fork hook fix

<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>LKML: Paul Jackson: [PATCH 04/10] Cpuset: fork hook fix</title><link href="/css/message.css" rel="stylesheet" type="text/css" /><link href="/css/wrap.css" rel="alternate stylesheet" type="text/css" title="wrap" /><link href="/css/nowrap.css" rel="stylesheet" type="text/css" title="nowrap" /><link href="/favicon.ico" rel="shortcut icon" /><script src="/js/simple-calendar.js" type="text/javascript"></script><script src="/js/styleswitcher.js" type="text/javascript"></script><link rel="alternate" type="application/rss+xml" title="lkml.org : last 100 messages" href="/rss.php" /><link rel="alternate" type="application/rss+xml" title="lkml.org : last messages by Paul Jackson" href="/groupie.php?aid=5266" /><!--Matomo--><script> var _paq = window._paq = window._paq || []; /* tracker methods like "setCustomDimension" should be called before "trackPageView" */ _paq.push(["setDoNotTrack", true]); _paq.push(["disableCookies"]); _paq.push(['trackPageView']); _paq.push(['enableLinkTracking']); (function() { var u="//m.lkml.org/"; _paq.push(['setTrackerUrl', u+'matomo.php']); _paq.push(['setSiteId', '1']); var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0]; g.async=true; g.src=u+'matomo.js'; s.parentNode.insertBefore(g,s); })(); </script><!--End Matomo Code--></head><body onload="es.jasper.simpleCalendar.init();" itemscope="itemscope" itemtype="http://schema.org/BlogPosting"><table border="0" cellpadding="0" cellspacing="0"><tr><td width="180" align="center"><a href="/"><img style="border:0;width:135px;height:32px" src="/images/toprowlk.gif" alt="lkml.org" /></a></td><td width="32">聽</td><td class="nb"><div><a class="nb" href="/lkml"> [lkml]</a> 聽 <a class="nb" href="/lkml/2005"> [2005]</a> 聽 <a class="nb" href="/lkml/2005/12"> [Dec]</a> 聽 <a class="nb" href="/lkml/2005/12/10"> [10]</a> 聽 <a class="nb" href="/lkml/last100"> [last100]</a> 聽 <a href="/rss.php"><img src="/images/rss-or.gif" border="0" alt="RSS Feed" /></a></div><div>Views: <a href="#" class="nowrap" onclick="setActiveStyleSheet('wrap');return false;">[wrap]</a><a href="#" class="wrap" onclick="setActiveStyleSheet('nowrap');return false;">[no wrap]</a> 聽 <a class="nb" href="/lkml/mheaders/2005/12/10/37" onclick="this.href='/lkml/headers'+'/2005/12/10/37';">[headers]</a>聽 <a href="/lkml/bounce/2005/12/10/37">[forward]</a>聽 </div></td><td width="32">聽</td></tr><tr><td valign="top"><div class="es-jasper-simpleCalendar" baseurl="/lkml/"></div><div class="threadlist">Messages in this thread</div><ul class="threadlist"><li class="root"><a href="/lkml/2005/12/10/28">First message in thread</a></li><li><a href="/lkml/2005/12/10/28">Paul Jackson</a><ul><li><a href="/lkml/2005/12/10/29">Paul Jackson</a></li><li><a href="/lkml/2005/12/10/30">Paul Jackson</a></li><li><a href="/lkml/2005/12/10/31">Paul Jackson</a></li><li><a href="/lkml/2005/12/10/32">Paul Jackson</a><ul><li><a href="/lkml/2005/12/10/48">Paul Jackson</a></li></ul></li><li><a href="/lkml/2005/12/10/33">Paul Jackson</a></li><li><a href="/lkml/2005/12/10/34">Paul Jackson</a></li><li><a href="/lkml/2005/12/10/35">Paul Jackson</a></li><li><a href="/lkml/2005/12/10/36">Paul Jackson</a></li><li class="origin"><a href="">Paul Jackson</a></li><li><a href="/lkml/2005/12/10/39">Paul Jackson</a></li></ul></li></ul><div class="threadlist">Patch in this message</div><ul class="threadlist"><li><a href="/lkml/diff/2005/12/10/37/1">Get diff 1</a></li></ul></td><td width="32" rowspan="2" class="c" valign="top"><img src="/images/icornerl.gif" width="32" height="32" alt="/" /></td><td class="c" rowspan="2" valign="top" style="padding-top: 1em"><table><tr><td><table><tr><td class="lp">Date</td><td class="rp" itemprop="datePublished">Sat, 10 Dec 2005 00:19:05 -0800 (PST)</td></tr><tr><td class="lp">From</td><td class="rp" itemprop="author">Paul Jackson &lt;&gt;</td></tr><tr><td class="lp">Subject</td><td class="rp" itemprop="name">[PATCH 04/10] Cpuset: fork hook fix</td></tr></table></td><td></td></tr></table><pre itemprop="articleBody">Fix obscure, never seen in real life, cpuset fork race.<br />The cpuset_fork() call in fork.c was setting up the correct<br />task-&gt;cpuset pointer after the tasklist_lock was dropped,<br />which briefly exposed the newly forked process with an unsafe<br />(copied from parent without locks or usage counter increment)<br />cpuset pointer.<br /><br />In theory, that exposed cpuset pointer could have been pointing<br />at a cpuset that was already freed and removed, and in theory<br />another task that had been sitting on the tasklist_lock waiting<br />to scan the task list could have raced down the entire tasklist,<br />found our new child at the far end, and dereferenced that bogus<br />cpuset pointer.<br /><br />To fix, setup up the correct cpuset pointer in the new child<br />by calling cpuset_fork() before the new task is linked into the<br />tasklist, and with that, add a fork failure case, to dereference<br />that cpuset, if the fork fails along the way, after cpuset_fork()<br />was called.<br /><br />Had to remove a BUG_ON() from cpuset_exit(), because it was<br />no longer valid - the call to cpuset_exit() from a failed fork<br />would not have PF_EXITING set.<br /><br />Signed-off-by: Paul Jackson &lt;pj&#64;sgi.com&gt;<br /><br />---<br /><br /> kernel/cpuset.c | 4 +---<br /> kernel/fork.c | 6 ++++--<br /> 2 files changed, 5 insertions(+), 5 deletions(-)<br /><br />--- 2.6.15-rc3-mm1.orig/kernel/cpuset.c 2005-12-08 02:05:37.457685051 -0800<br />+++ 2.6.15-rc3-mm1/kernel/cpuset.c 2005-12-08 15:19:04.600207271 -0800<br />&#64;&#64; -1821,15 +1821,13 &#64;&#64; void cpuset_fork(struct task_struct *chi<br /> *<br /> * We don't need to task_lock() this reference to tsk-&gt;cpuset,<br /> * because tsk is already marked PF_EXITING, so attach_task() won't<br />- * mess with it.<br />+ * mess with it, or task is a failed fork, never visible to attach_task.<br /> **/<br /> <br /> void cpuset_exit(struct task_struct *tsk)<br /> {<br /> struct cpuset *cs;<br /> <br />- BUG_ON(!(tsk-&gt;flags &amp; PF_EXITING));<br />-<br /> cs = tsk-&gt;cpuset;<br /> tsk-&gt;cpuset = NULL;<br /> <br />--- 2.6.15-rc3-mm1.orig/kernel/fork.c 2005-12-08 02:05:34.885390778 -0800<br />+++ 2.6.15-rc3-mm1/kernel/fork.c 2005-12-08 15:19:50.203259819 -0800<br />&#64;&#64; -971,12 +971,13 &#64;&#64; static task_t *copy_process(unsigned lon<br /> p-&gt;io_context = NULL;<br /> p-&gt;io_wait = NULL;<br /> p-&gt;audit_context = NULL;<br />+ cpuset_fork(p);<br /> #ifdef CONFIG_NUMA<br /> p-&gt;mempolicy = mpol_copy(p-&gt;mempolicy);<br /> if (IS_ERR(p-&gt;mempolicy)) {<br /> retval = PTR_ERR(p-&gt;mempolicy);<br /> p-&gt;mempolicy = NULL;<br />- goto bad_fork_cleanup;<br />+ goto bad_fork_cleanup_cpuset;<br /> }<br /> #endif<br /> <br />&#64;&#64; -1147,7 +1148,6 &#64;&#64; static task_t *copy_process(unsigned lon<br /> total_forks++;<br /> write_unlock_irq(&amp;tasklist_lock);<br /> proc_fork_connector(p);<br />- cpuset_fork(p);<br /> retval = 0;<br /> <br /> fork_out:<br />&#64;&#64; -1179,7 +1179,9 &#64;&#64; bad_fork_cleanup_security:<br /> bad_fork_cleanup_policy:<br /> #ifdef CONFIG_NUMA<br /> mpol_free(p-&gt;mempolicy);<br />+bad_fork_cleanup_cpuset:<br /> #endif<br />+ cpuset_exit(p);<br /> bad_fork_cleanup:<br /> if (p-&gt;binfmt)<br /> module_put(p-&gt;binfmt-&gt;module);<br />-- <br /> I won't rest till it's the best ...<br /> Programmer, Linux Scalability<br /> Paul Jackson &lt;pj&#64;sgi.com&gt; 1.650.933.1373<br />-<br />To unsubscribe from this list: send the line "unsubscribe linux-kernel" in<br />the body of a message to majordomo&#64;vger.kernel.org<br />More majordomo info at <a href="http://vger.kernel.org/majordomo-info.html">http://vger.kernel.org/majordomo-info.html</a><br />Please read the FAQ at <a href="http://www.tux.org/lkml/">http://www.tux.org/lkml/</a><br /><br /></pre></td><td width="32" rowspan="2" class="c" valign="top"><img src="/images/icornerr.gif" width="32" height="32" alt="\" /></td></tr><tr><td align="right" valign="bottom"> 聽 </td></tr><tr><td align="right" valign="bottom">聽</td><td class="c" valign="bottom" style="padding-bottom: 0px"><img src="/images/bcornerl.gif" width="32" height="32" alt="\" /></td><td class="c">聽</td><td class="c" valign="bottom" style="padding-bottom: 0px"><img src="/images/bcornerr.gif" width="32" height="32" alt="/" /></td></tr><tr><td align="right" valign="top" colspan="2"> 聽 </td><td class="lm">Last update: 2005-12-10 09:25 聽聽 [from the cache]<br />漏2003-2020 <a href="http://blog.jasper.es/"><span itemprop="editor">Jasper Spaans</span></a>|hosted at <a href="https://www.digitalocean.com/?refcode=9a8e99d24cf9">Digital Ocean</a> and my Meterkast|<a href="http://blog.jasper.es/categories.html#lkml-ref">Read the blog</a></td><td>聽</td></tr></table><script language="javascript" src="/js/styleswitcher.js" type="text/javascript"></script></body></html>

Pages: 1 2 3 4 5 6 7 8 9 10