[PATCH 1/2] introduce __next_thread(), fix next_tid() vs exec() race

From: Oleg Nesterov
Date: Thu Aug 24 2023 - 10:34:16 EST

Next message: Oleg Nesterov: "[PATCH 2/2] change next_thread() to use __next_thread() ?: group_leader"
Previous message: Richard Fitzgerald: "[PATCH v5 08/10] kunit: string-stream: Add tests for freeing resource-managed string_stream"
In reply to: Oleg Nesterov: "[PATCH 0/2] introduce __next_thread(), change next_thread()"
Next in thread: Oleg Nesterov: "[PATCH 2/2] change next_thread() to use __next_thread() ?: group_leader"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

next_tid(start) does:

rcu_read_lock();
if (pid_alive(start)) {
pos = next_thread(start);
if (thread_group_leader(pos))
pos = NULL;
else
get_task_struct(pos);

it should return pos = NULL when next_thread() wraps to the 1st thread
in the thread group, group leader, and the thread_group_leader() check
tries to detect this case.

But this can race with exec. To simplify, suppose we have a main thread
M and a single sub-thread T, next_tid(T) should return NULL.

Now suppose that T execs. If next_tid(T) is called after T changes the
leadership and before it does release_task() which removes the old leader
from list, then next_thread() returns M and thread_group_leader(M) = F.

Lockless use of next_thread() should be avoided. After this change only
task_group_seq_get_next() does this, and I believe it should be changed
as well.

Signed-off-by: Oleg Nesterov <oleg@xxxxxxxxxx>
---
fs/proc/base.c | 6 ++----
include/linux/sched/signal.h | 11 +++++++++++
2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/fs/proc/base.c b/fs/proc/base.c
index 69dbb03ad55b..b9fb36cd5e9c 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -3838,10 +3838,8 @@ static struct task_struct *next_tid(struct task_struct *start)
struct task_struct *pos = NULL;
rcu_read_lock();
if (pid_alive(start)) {
- pos = next_thread(start);
- if (thread_group_leader(pos))
- pos = NULL;
- else
+ pos = __next_thread(start);
+ if (pos)
get_task_struct(pos);
}
rcu_read_unlock();
diff --git a/include/linux/sched/signal.h b/include/linux/sched/signal.h
index 0014d3adaf84..7fb34b8cda54 100644
--- a/include/linux/sched/signal.h
+++ b/include/linux/sched/signal.h
@@ -715,6 +715,17 @@ bool same_thread_group(struct task_struct *p1, struct task_struct *p2)
return p1->signal == p2->signal;
}

+/*
+ * returns NULL if p is the last thread in the thread group
+ */
+static inline struct task_struct *__next_thread(struct task_struct *p)
+{
+ return list_next_or_null_rcu(&p->signal->thread_head,
+ &p->thread_node,
+ struct task_struct,
+ thread_node);
+}
+
static inline struct task_struct *next_thread(const struct task_struct *p)
{
return list_entry_rcu(p->thread_group.next,
--
2.25.1.362.g51ebf55

Next message: Oleg Nesterov: "[PATCH 2/2] change next_thread() to use __next_thread() ?: group_leader"
Previous message: Richard Fitzgerald: "[PATCH v5 08/10] kunit: string-stream: Add tests for freeing resource-managed string_stream"
In reply to: Oleg Nesterov: "[PATCH 0/2] introduce __next_thread(), change next_thread()"
Next in thread: Oleg Nesterov: "[PATCH 2/2] change next_thread() to use __next_thread() ?: group_leader"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]