2009-07-09 21:32:19

by Oleg Nesterov

Subject: [PATCH -mm 1/2] rename is_single_threaded(task) to is_current_single_threaded(void)

(on top of rework-fix-is_single_threaded.patch)

- is_single_threaded(task) is not safe unless task == current,
we can't use task->signal or task->mm.

- it doesn't make sense unless task == current, the task can
fork right after the check.

Rename it to is_current_single_threaded() and kill the argument.

Signed-off-by: Oleg Nesterov <[email protected]>
---

include/linux/sched.h | 2 +-
lib/is_single_threaded.c | 3 ++-
security/selinux/hooks.c | 2 +-
security/keys/process_keys.c | 2 +-
4 files changed, 5 insertions(+), 4 deletions(-)

--- WAIT/include/linux/sched.h~ISS_1_RENAME 2009-07-01 20:20:57.000000000 +0200
+++ WAIT/include/linux/sched.h 2009-07-09 22:14:21.000000000 +0200
@@ -2055,7 +2055,7 @@ static inline unsigned long wait_task_in
#define for_each_process(p) \
for (p = &init_task ; (p = next_task(p)) != &init_task ; )

-extern bool is_single_threaded(struct task_struct *);
+extern bool is_current_single_threaded(void);

/*
* Careful: do_each_thread/while_each_thread is a double loop so
--- WAIT/lib/is_single_threaded.c~ISS_1_RENAME 2009-07-09 19:43:27.000000000 +0200
+++ WAIT/lib/is_single_threaded.c 2009-07-09 22:16:29.000000000 +0200
@@ -15,8 +15,9 @@
/*
* Returns true if the task does not share ->mm with another thread/process.
*/
-bool is_single_threaded(struct task_struct *task)
+bool is_current_single_threaded(void)
{
+ struct task_struct *task = current;
struct mm_struct *mm = task->mm;
struct task_struct *p, *t;
bool ret;
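Review bot: the header comment above the function still reads "Returns true if the task does not share ->mm with another thread/process", but after this hunk there is no task argument; reword it to say "current" so the comment matches the new signature and makes the current-only contract from the commit message visible at the definition. Keeping the local `struct task_struct *task = current;` alias instead of rewriting every use is a reasonable way to keep the diff minimal.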
--- WAIT/security/selinux/hooks.c~ISS_1_RENAME 2009-07-03 11:15:08.000000000 +0200
+++ WAIT/security/selinux/hooks.c 2009-07-09 22:17:58.000000000 +0200
@@ -5182,7 +5182,7 @@ static int selinux_setprocattr(struct ta

/* Only allow single threaded processes to change context */
error = -EPERM;
- if (!is_single_threaded(p)) {
+ if (!is_current_single_threaded()) {
error = security_bounded_transition(tsec->sid, sid);
if (error)
goto abort_change;
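Review bot: replacing `is_single_threaded(p)` with `is_current_single_threaded()` changes the subject of the check from the `p` argument to current, and nothing in this hunk shows that the two are the same task. The change is only equivalent if selinux_setprocattr() has already rejected `p != current` earlier in the function; a one-line mention of that in the commit message (or a `WARN_ON(p != current)` next to the call) would make the equivalence auditable without reading the whole hook.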
--- WAIT/security/keys/process_keys.c~ISS_1_RENAME 2009-04-06 00:03:42.000000000 +0200
+++ WAIT/security/keys/process_keys.c 2009-07-09 22:18:31.000000000 +0200
@@ -702,7 +702,7 @@ long join_session_keyring(const char *na
/* only permit this if there's a single thread in the thread group -
* this avoids us having to adjust the creds on all threads and risking
* ENOMEM */
- if (!is_single_threaded(current))
+ if (!is_current_single_threaded())
return -EMLINK;

new = prepare_creds();


2009-07-09 23:05:52

by James Morris

Subject: Re: [PATCH -mm 1/2] rename is_single_threaded(task) to is_current_single_threaded(void)

On Thu, 9 Jul 2009, Oleg Nesterov wrote:

> (on top of rework-fix-is_single_threaded.patch)
>
> - is_single_threaded(task) is not safe unless task == current,
> we can't use task->signal or task->mm.
>
> - it doesn't make sense unless task == current, the task can
> fork right after the check.
>
> Rename it to is_current_single_threaded() and kill the argument.
>
> Signed-off-by: Oleg Nesterov <[email protected]>

Acked-by: James Morris <[email protected]>

--
James Morris
<[email protected]>

2009-07-10 01:33:51

by Christoph Hellwig

Subject: Re: [PATCH -mm 1/2] rename is_single_threaded(task) to is_current_single_threaded(void)

On Thu, Jul 09, 2009 at 11:28:47PM +0200, Oleg Nesterov wrote:
> (on top of rework-fix-is_single_threaded.patch)
>
> - is_single_threaded(task) is not safe unless task == current,
> we can't use task->signal or task->mm.
>
> - it doesn't make sense unless task == current, the task can
> fork right after the check.
>
> Rename it to is_current_single_threaded() and kill the argument.

It would be more natural to put the current first, as in
current_is_single_threaded(). That would also fit with the various
other current_* helpers we have.

2009-07-10 01:50:06

by Oleg Nesterov

Subject: Re: [PATCH -mm 1/2] rename is_single_threaded(task) to is_current_single_threaded(void)

On 07/09, Christoph Hellwig wrote:
>
> On Thu, Jul 09, 2009 at 11:28:47PM +0200, Oleg Nesterov wrote:
> > (on top of rework-fix-is_single_threaded.patch)
> >
> > - is_single_threaded(task) is not safe unless task == current,
> > we can't use task->signal or task->mm.
> >
> > - it doesn't make sense unless task == current, the task can
> > fork right after the check.
> >
> > Rename it to is_current_single_threaded() and kill the argument.
>
> It would be more natural to put the current first, as in
> current_is_single_threaded(). That would also fit with the various
> other current_* helpers we have.

Agreed, re-sending.

Oleg.

2009-07-10 01:52:18

by Oleg Nesterov

Subject: [PATCH v2 -mm 1/2] rename is_single_threaded(task) to current_is_single_threaded(void)

(on top of rework-fix-is_single_threaded.patch)

- is_single_threaded(task) is not safe unless task == current,
we can't use task->signal or task->mm.

- it doesn't make sense unless task == current, the task can
fork right after the check.

Rename it to current_is_single_threaded() and kill the argument.

Signed-off-by: Oleg Nesterov <[email protected]>
Acked-by: James Morris <[email protected]>
---

include/linux/sched.h | 2 +-
lib/is_single_threaded.c | 3 ++-
security/selinux/hooks.c | 2 +-
security/keys/process_keys.c | 2 +-
4 files changed, 5 insertions(+), 4 deletions(-)

--- WAIT/include/linux/sched.h~ISS_1_RENAME 2009-07-01 20:20:57.000000000 +0200
+++ WAIT/include/linux/sched.h 2009-07-09 22:14:21.000000000 +0200
@@ -2055,7 +2055,7 @@ static inline unsigned long wait_task_in
#define for_each_process(p) \
for (p = &init_task ; (p = next_task(p)) != &init_task ; )

-extern bool is_single_threaded(struct task_struct *);
+extern bool current_is_single_threaded(void);

/*
* Careful: do_each_thread/while_each_thread is a double loop so
--- WAIT/lib/is_single_threaded.c~ISS_1_RENAME 2009-07-09 19:43:27.000000000 +0200
+++ WAIT/lib/is_single_threaded.c 2009-07-09 22:16:29.000000000 +0200
@@ -15,8 +15,9 @@
/*
* Returns true if the task does not share ->mm with another thread/process.
*/
-bool is_single_threaded(struct task_struct *task)
+bool current_is_single_threaded(void)
{
+ struct task_struct *task = current;
struct mm_struct *mm = task->mm;
struct task_struct *p, *t;
bool ret;
--- WAIT/security/selinux/hooks.c~ISS_1_RENAME 2009-07-03 11:15:08.000000000 +0200
+++ WAIT/security/selinux/hooks.c 2009-07-09 22:17:58.000000000 +0200
@@ -5182,7 +5182,7 @@ static int selinux_setprocattr(struct ta

/* Only allow single threaded processes to change context */
error = -EPERM;
- if (!is_single_threaded(p)) {
+ if (!current_is_single_threaded()) {
error = security_bounded_transition(tsec->sid, sid);
if (error)
goto abort_change;
--- WAIT/security/keys/process_keys.c~ISS_1_RENAME 2009-04-06 00:03:42.000000000 +0200
+++ WAIT/security/keys/process_keys.c 2009-07-09 22:18:31.000000000 +0200
@@ -702,7 +702,7 @@ long join_session_keyring(const char *na
/* only permit this if there's a single thread in the thread group -
* this avoids us having to adjust the creds on all threads and risking
* ENOMEM */
- if (!is_single_threaded(current))
+ if (!current_is_single_threaded())
return -EMLINK;

new = prepare_creds();
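Review bot: the comment above this call says the operation is only permitted if there is "a single thread in the thread group", but current_is_single_threaded(), per its own header comment in the lib/is_single_threaded.c hunk, returns false whenever ->mm is shared with any other thread or process, including CLONE_VM tasks outside the thread group. The check is therefore stricter than the comment implies; that is harmless for the ENOMEM concern described, but the comment could say "no other task shares our ->mm" so it does not read as a thread-count test.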

2009-07-10 01:53:15

by Oleg Nesterov

Subject: [PATCH v2 -mm 2/2] current_is_single_threaded: don't use ->mmap_sem

current_is_single_threaded() can safely miss a freshly forked CLONE_VM
task, but in this case it must not miss its parent. That is why we take
mm->mmap_sem for writing to make sure a thread/task with the same ->mm
can't pass exit_mm() and disappear.

However we can avoid ->mmap_sem and rely on rcu/barriers:

- if we do not see the exiting parent on thread/process list
we see the result of list_del_rcu(), in this case we must
also see the result of list_add_rcu() which does wmb().

- if we do see the parent but its ->mm == NULL, we need rmb()
to make sure we can't miss the child.

Signed-off-by: Oleg Nesterov <[email protected]>
---

lib/is_single_threaded.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

--- WAIT/lib/is_single_threaded.c~ISS_2_RCU 2009-07-09 22:16:29.000000000 +0200
+++ WAIT/lib/is_single_threaded.c 2009-07-09 22:54:41.000000000 +0200
@@ -22,8 +22,6 @@ bool current_is_single_threaded(void)
struct task_struct *p, *t;
bool ret;

- might_sleep();
-
if (atomic_read(&task->signal->live) != 1)
return false;

@@ -31,7 +29,6 @@ bool current_is_single_threaded(void)
return true;

ret = false;
- down_write(&mm->mmap_sem);
rcu_read_lock();
for_each_process(p) {
if (unlikely(p->flags & PF_KTHREAD))
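Review bot: with down_write(&mm->mmap_sem) removed, the only thing that keeps a freshly forked CLONE_VM child's parent visible in the for_each_process() walk is the ordering argued in the commit message (the child's list_add_rcu(), with its wmb(), completes before the parent can pass exit_mm()), and that argument currently lives only in the commit message. Add a short comment at rcu_read_lock() naming that dependency, so that any later change to the fork/exit ordering is caught in review rather than silently breaking this helper.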
@@ -45,12 +42,17 @@ bool current_is_single_threaded(void)
goto found;
if (likely(t->mm))
break;
+ /*
+ * t->mm == NULL. Make sure next_thread/next_task
+ * will see other CLONE_VM tasks which might be
+ * forked before exiting.
+ */
+ smp_rmb();
} while_each_thread(p, t);
}
ret = true;
found:
rcu_read_unlock();
- up_write(&mm->mmap_sem);

return ret;
}
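Review bot: the new smp_rmb() comment says what it guards against but not which write barrier it pairs with; memory-barrier comments are only auditable in pairs, so name the partner (the wmb() inside list_add_rcu() that the commit message relies on) in the comment. It is also worth a word that the barrier executes only on the `t->mm == NULL` path, i.e. for threads that are already exiting, so its cost is negligible and nobody should be tempted to hoist it out of the loop.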

2009-07-10 14:08:53

by David Howells

Subject: Re: [PATCH v2 -mm 2/2] current_is_single_threaded: don't use ->mmap_sem

Oleg Nesterov <[email protected]> wrote:

> current_is_single_threaded() can safely miss a freshly forked CLONE_VM
> task, but in this case it must not miss its parent. That is why we take
> mm->mmap_sem for writing to make sure a thread/task with the same ->mm
> can't pass exit_mm() and disappear.
>
> However we can avoid ->mmap_sem and rely on rcu/barriers:
>
> - if we do not see the exiting parent on thread/process list
> we see the result of list_del_rcu(), in this case we must
> also see the result of list_add_rcu() which does wmb().
>
> - if we do see the parent but its ->mm == NULL, we need rmb()
> to make sure we can't miss the child.
>
> Signed-off-by: Oleg Nesterov <[email protected]>

Acked-by: David Howells <[email protected]>

2009-07-10 14:09:09

by David Howells

Subject: Re: [PATCH v2 -mm 1/2] rename is_single_threaded(task) to current_is_single_threaded(void)

Oleg Nesterov <[email protected]> wrote:

> - is_single_threaded(task) is not safe unless task == current,
> we can't use task->signal or task->mm.
>
> - it doesn't make sense unless task == current, the task can
> fork right after the check.
>
> Rename it to current_is_single_threaded() and kill the argument.
>
> Signed-off-by: Oleg Nesterov <[email protected]>
> Acked-by: James Morris <[email protected]>

Acked-by: David Howells <[email protected]>

2009-07-12 22:12:53

by James Morris

Subject: Re: [PATCH v2 -mm 2/2] current_is_single_threaded: don't use ->mmap_sem

On Fri, 10 Jul 2009, David Howells wrote:

> > However we can avoid ->mmap_sem and rely on rcu/barriers:
> >
> > - if we do not see the exiting parent on thread/process list
> > we see the result of list_del_rcu(), in this case we must
> > also see the result of list_add_rcu() which does wmb().
> >
> > - if we do see the parent but its ->mm == NULL, we need rmb()
> > to make sure we can't miss the child.
> >
> > Signed-off-by: Oleg Nesterov <[email protected]>
>
> Acked-by: David Howells <[email protected]>

I gather this stuff is going into -mm ?

Can it be merged via security-testing#next?

--
James Morris
<[email protected]>

2009-07-13 23:59:35

by Oleg Nesterov

Subject: Re: [PATCH v2 -mm 2/2] current_is_single_threaded: don't use ->mmap_sem

On 07/13, James Morris wrote:
>
> On Fri, 10 Jul 2009, David Howells wrote:
>
> > > However we can avoid ->mmap_sem and rely on rcu/barriers:
> > >
> > > - if we do not see the exiting parent on thread/process list
> > > we see the result of list_del_rcu(), in this case we must
> > > also see the result of list_add_rcu() which does wmb().
> > >
> > > - if we do see the parent but its ->mm == NULL, we need rmb()
> > > to make sure we can't miss the child.
> > >
> > > Signed-off-by: Oleg Nesterov <[email protected]>
> >
> > Acked-by: David Howells <[email protected]>
>
> I gather this stuff is going into -mm ?

Yes, this is on top of rework-fix-is_single_threaded.patch

Given that David acked these changes, I guess they will go
to -mm soon.

> Can it be merged via security-testing#next?

Please do what you think right, I don't know what will be more
convenient to you and Andrew.

Oleg.

2009-07-16 23:43:27

by James Morris

Subject: Re: [PATCH v2 -mm 2/2] current_is_single_threaded: don't use ->mmap_sem

On Tue, 14 Jul 2009, Oleg Nesterov wrote:

> > I gather this stuff is going into -mm ?
>
> Yes, this is on top of rework-fix-is_single_threaded.patch
>
> Given that David acked these changes, I guess they will go
> to -mm soon.
>
> > Can it be merged via security-testing#next?
>
> Please do what you think right, I don't know what will be more
> convenient to you and Andrew.

I've applied all three patches to

Applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6#next

Oleg, please verify that they're the correct versions.


--
James Morris
<[email protected]>