Date: Wed, 17 Jul 2019 16:51:12 -0400
From: Joel Fernandes
To: Christian Brauner
Cc: linux-kernel@vger.kernel.org, Suren Baghdasaryan, kernel-team@android.com, Andrea Arcangeli, Andrew Morton, "Eric W. Biederman", Oleg Nesterov, Tejun Heo, jannh@google.com
Subject: Re: [PATCH RFC v1] pidfd: fix a race in setting exit_state for pidfd polling
Message-ID: <20190717205112.GC72146@google.com>
In-Reply-To: <20190717175556.axe2pne7lcrkmtzr@brauner.io>

On Wed, Jul 17, 2019 at 07:55:57PM +0200, Christian Brauner wrote:
> On Wed, Jul 17, 2019 at 01:21:00PM -0400, Joel Fernandes wrote:
> > From: Suren Baghdasaryan
> >
> > There is a race between reading task->exit_state in pidfd_poll and writing
> > it after do_notify_parent calls do_notify_pidfd. Expected sequence of
> > events is:
> >
> > CPU 0                            CPU 1
> > ------------------------------------------------
> > exit_notify
> >   do_notify_parent
> >     do_notify_pidfd
> >   tsk->exit_state = EXIT_DEAD
> >                                  pidfd_poll
> >                                    if (tsk->exit_state)
> >
> > However nothing prevents the following sequence:
> >
> > CPU 0                            CPU 1
> > ------------------------------------------------
> > exit_notify
> >   do_notify_parent
> >     do_notify_pidfd
> >                                  pidfd_poll
> >                                    if (tsk->exit_state)
> >   tsk->exit_state = EXIT_DEAD
> >
> > This causes a polling task to wait forever, since poll blocks because
> > exit_state is 0 and the waiting task is not notified again. A stress
> > test continuously doing pidfd poll and process exits uncovered this bug,
> > and the below patch fixes it.
> >
> > To fix this, we set tsk->exit_state before calling do_notify_pidfd.
> >
> > Cc: kernel-team@android.com
> > Signed-off-by: Suren Baghdasaryan
> > Signed-off-by: Joel Fernandes (Google)
>
> That means in such a situation other users will see EXIT_ZOMBIE where
> they didn't see that before until after the parent failed to get
> notified.
>
> That's a rather subtle internal change. I was worried about
> __ptrace_detach() since it explicitly checks for EXIT_ZOMBIE but it
> seems to me that this is fine since we hold write_lock_irq(&tasklist_lock);
> at the point when we do set p->exit_signal.

Right.

> Acked-by: Christian Brauner

Thanks.

> Once Oleg confirms that I'm right not to worry I'll pick this up.

Ok.
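
Added example, not part of the original message or of the kernel patch: a small exhaustive model of the two orderings discussed in the thread, counting the interleavings that leave the poller blocked. It assumes a single poller already on the pidfd wait queue and reduces exit_state to a zero/non-zero flag; explore, lost_wakeups and struct state are hypothetical names.

```c
#include <stdio.h>
/* Simplified model (assumption): one poller, already on the pidfd wait queue. */
enum op { NOTIFY, SET_STATE };             /* exit-path steps on CPU 0 */
enum poller { RUNNABLE, SLEEPING, DONE };  /* pidfd_poll caller on CPU 1 */
/* pc: next exit-path step (0..2); exit_state: models tsk->exit_state;
 * triggered: a wakeup that arrived while the poller was still awake. */
struct state { int pc, exit_state, triggered; enum poller p; };

/* Walk every interleaving; count those that end with the poller asleep. */
static int explore(struct state s, const enum op order[2])
{
    int hangs = 0;
    if (s.pc == 2 && s.p != RUNNABLE)       /* nothing left to run */
        return s.p == SLEEPING;
    if (s.pc < 2) {                         /* CPU 0 runs its next step */
        struct state n = s;
        if (order[n.pc] == SET_STATE)
            n.exit_state = 1;
        else if (n.p == SLEEPING)
            n.p = RUNNABLE;                 /* do_notify_pidfd wakes it */
        else
            n.triggered = 1;
        n.pc++;
        hangs += explore(n, order);
    }
    if (s.p == RUNNABLE) {                  /* CPU 1 runs one poll pass */
        struct state n = s;
        if (n.exit_state)
            n.p = DONE;                     /* poll reports the exit */
        else if (n.triggered)
            n.triggered = 0;                /* consume wakeup, re-check */
        else
            n.p = SLEEPING;                 /* exit_state == 0: block */
        hangs += explore(n, order);
    }
    return hangs;
}

int lost_wakeups(enum op first, enum op second)
{
    const enum op order[2] = { first, second };
    struct state init = { 0, 0, 0, RUNNABLE };
    return explore(init, order);
}

int main(void)
{
    printf("notify first: %d\n", lost_wakeups(NOTIFY, SET_STATE));
    printf("state first:  %d\n", lost_wakeups(SET_STATE, NOTIFY));
    return 0;
}
```

With the notification issued before the state write, some interleavings end with the poller asleep and no further wakeup pending; with the state written first, none do.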