From: "Joel Fernandes (Google)"
To: linux-kernel@vger.kernel.org
Cc: Suren Baghdasaryan, kernel-team@android.com, Joel Fernandes, Andrea Arcangeli, Andrew Morton, Christian Brauner, "Eric W. Biederman", Oleg Nesterov, Tejun Heo
Subject: [PATCH RFC v1] pidfd: fix a race in setting exit_state for pidfd polling
Date: Wed, 17 Jul 2019 13:21:00 -0400
Message-Id: <20190717172100.261204-1-joel@joelfernandes.org>
From: Suren Baghdasaryan

There is a race between reading task->exit_state in pidfd_poll and
writing it after do_notify_parent calls do_notify_pidfd. Expected
sequence of events is:

CPU 0                            CPU 1
------------------------------------------------
exit_notify
  do_notify_parent
    do_notify_pidfd
tsk->exit_state = EXIT_DEAD
                                 pidfd_poll
                                    if (tsk->exit_state)

However nothing prevents the following sequence:

CPU 0                            CPU 1
------------------------------------------------
exit_notify
  do_notify_parent
    do_notify_pidfd
                                 pidfd_poll
                                    if (tsk->exit_state)
tsk->exit_state = EXIT_DEAD

This causes a polling task to wait forever, since poll blocks because
exit_state is 0 and the waiting task is not notified again.

A stress test continuously doing pidfd poll and process exits uncovered
this bug, and the below patch fixes it.

To fix this, we set tsk->exit_state before calling do_notify_pidfd.

Cc: kernel-team@android.com
Signed-off-by: Suren Baghdasaryan
Signed-off-by: Joel Fernandes (Google)
---
 kernel/exit.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/kernel/exit.c b/kernel/exit.c index a75b6a7f458a..740ceacb4b76 100644 --- a/kernel/exit.c +++ b/kernel/exit.c @@ -720,6 +720,7 @@ static void exit_notify(struct task_struct *tsk, int group_dead) if (group_dead) kill_orphaned_pgrp(tsk->group_leader, NULL); + tsk->exit_state = EXIT_ZOMBIE; if (unlikely(tsk->ptrace)) { int sig = thread_group_leader(tsk) && thread_group_empty(tsk) && @@ -1156,10 +1157,11 @@ static int wait_task_zombie(struct wait_opts *wo, struct task_struct *p) ptrace_unlink(p); /* If parent wants a zombie, don't release it now */ - state = EXIT_ZOMBIE; + p->exit_state = EXIT_ZOMBIE; if (do_notify_parent(p, p->exit_signal)) - state = EXIT_DEAD; - p->exit_state = state; + p->exit_state = EXIT_DEAD; + + state = p->exit_state; write_unlock_irq(&tasklist_lock); } if (state == EXIT_DEAD)
-- 
2.22.0.657.g960e92d24f-goog
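Review bot: the new `tsk->exit_state = EXIT_ZOMBIE;` store in the exit_notify() hunk has no comment explaining why it must sit before the ptrace block and therefore before do_notify_parent(). The commit message says pidfd_poll() only tests exit_state for non-zero, so a provisional EXIT_ZOMBIE published here is what closes the race, and the later write of the final value (the `tsk->exit_state = EXIT_DEAD` step in the message's sequence) becomes an update rather than the first store. A one-line comment such as `/* Publish a non-zero exit_state before do_notify_parent() -> do_notify_pidfd() so a concurrent pidfd_poll() cannot miss the wake-up */` would keep a future reader from removing the apparent duplicate assignment.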
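Review bot: in the wait_task_zombie() hunk the trailing `+ state = p->exit_state;` reads back a value the same block wrote one or two lines earlier, which hides the intent; either assign `state` alongside each `p->exit_state` store or add a comment saying that p->exit_state is deliberately published as EXIT_ZOMBIE before do_notify_parent() (so do_notify_pidfd() cannot wake a poller that then reads 0) and promoted to EXIT_DEAD afterwards. The empty `+` line added before it is whitespace churn and can be dropped. Both stores are visible as happening before `write_unlock_irq(&tasklist_lock);`, so the ordering relative to the lock is fine; the point is documentation, not logic.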
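As an added illustration, not part of this patch or of the kernel's own code, the following C program replays the interleavings from the commit message in a single thread. The `struct task`, the wait-queue model (a wake-up only reaches a waiter that has already registered, which is how a poll-style wake-up is lost), and the step names POLL, NOTIFY_PIDFD, SET_ZOMBIE and SET_DEAD are all simplifications assumed for the model, not kernel identifiers. It shows the unpatched ordering losing the wake-up, and the patched ordering, which publishes EXIT_ZOMBIE before do_notify_pidfd(), completing.

```c
#include <stdio.h>

/* Deterministic replay of the exit_notify()/pidfd_poll() ordering problem
 * described in the commit message. Added illustration only: the task, the
 * wait queue and the step names below are simplified models, not kernel code. */

#define EXIT_ZOMBIE 0x20   /* same numeric values the kernel uses */
#define EXIT_DEAD   0x10

struct task { int exit_state; };

/* Wait-queue model: a wake-up only reaches a waiter that has already
 * registered (the poll_wait() step); a wake-up delivered before that is lost,
 * which is exactly what makes the unpatched ordering hang. */
struct waitqueue { int registered; int triggered; };

enum step { POLL, NOTIFY_PIDFD, SET_ZOMBIE, SET_DEAD };

/* CPU 0 side: do_notify_pidfd() wakes whoever is currently waiting. */
static void do_notify_pidfd(struct waitqueue *wq)
{
    if (wq->registered)
        wq->triggered = 1;
}

/* CPU 1 side: pidfd_poll() registers on the wait queue, then tests exit_state.
 * Returns non-zero if the poll completes, 0 if the task would go to sleep. */
static int pidfd_poll(const struct task *tsk, struct waitqueue *wq)
{
    wq->registered = 1;
    return tsk->exit_state != 0;
}

/* Replay one interleaving of the two CPUs. Returns 1 if the polling task
 * eventually returns from poll(), 0 if it sleeps forever. */
int replay(const enum step *steps, int n)
{
    struct task tsk = { 0 };
    struct waitqueue wq = { 0, 0 };
    int polled = 0, ready = 0;

    for (int i = 0; i < n; i++) {
        switch (steps[i]) {
        case POLL:         polled = 1; ready = pidfd_poll(&tsk, &wq); break;
        case NOTIFY_PIDFD: do_notify_pidfd(&wq);                      break;
        case SET_ZOMBIE:   tsk.exit_state = EXIT_ZOMBIE;              break;
        case SET_DEAD:     tsk.exit_state = EXIT_DEAD;                break;
        }
    }
    if (!polled || ready)
        return ready;
    /* A sleeping poller is re-run only if a wake-up actually reached it. */
    if (wq.triggered) {
        wq.triggered = 0;
        return pidfd_poll(&tsk, &wq);
    }
    return 0;   /* nothing will ever wake the poller again */
}

/* The "expected" sequence from the commit message: state written before poll. */
int expected_order(void)
{
    enum step s[] = { NOTIFY_PIDFD, SET_DEAD, POLL };
    return replay(s, 3);
}

/* The racy sequence: poll slips in between the wake-up and the state write. */
int racy_order_unpatched(void)
{
    enum step s[] = { NOTIFY_PIDFD, POLL, SET_DEAD };
    return replay(s, 3);
}

/* Same interleaving with the patch applied: exit_notify() publishes
 * EXIT_ZOMBIE before do_notify_parent() -> do_notify_pidfd(). */
int racy_order_patched(void)
{
    enum step s[] = { SET_ZOMBIE, NOTIFY_PIDFD, POLL, SET_DEAD };
    return replay(s, 4);
}

int main(void)
{
    printf("expected ordering completes: %d\n", expected_order());
    printf("racy ordering, unpatched:    %d  (0 = poller hangs)\n", racy_order_unpatched());
    printf("racy ordering, patched:      %d\n", racy_order_patched());
    return 0;
}
```

The model deliberately gives the poller a single re-check after the replay, gated on whether a wake-up reached it; that is the property the fix relies on, and it is why publishing a non-zero exit_state before the notification is sufficient even though the final value is written later.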