Received: by 2002:a5b:505:0:0:0:0:0 with SMTP id o5csp2186585ybp;
        Sat, 5 Oct 2019 07:16:25 -0700 (PDT)
X-Google-Smtp-Source: APXvYqyUzmWj1LPoSK5/3AxIhVtrA17l8lKA4iq1wOxOOhIJ3HrqMEGm+gfkBxZstNz3ExznKNgj
X-Received: by 2002:aa7:dc4b:: with SMTP id g11mr20919070edu.70.1570284985741;
        Sat, 05 Oct 2019 07:16:25 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1570284985; cv=none;
        d=google.com; s=arc-20160816;
        b=HfP9a72DQ0IjmDpUkeUbitrA3GNvU5K+SS3F+0TmLGIHhZv0HUgdMb3gczvZkhU3JM
         CZHRSi96nDjnjFfY/Ug2dGYMTpCmDk0YkcM8wyNKJVtYXqbFOP3DUpERByyLZoT1Uguu
         zhWYXRUmxoMbWr3nN5mIilJVTyishh5qDdP9nCWizQ3IiM3TEWNqq08Pgqc0yhY4uB4R
         Q3eOqvarRidLrPR9gbQ1ZLyhS1XVuNpFhkwxh4VS2Zihn2feB4upElCZe0CW2uOl9mjq
         HQD4dMMwB4DbDT5BoPtLSDQ6Y8GXcWP9o6pYDsRTTCx0tcCX7fWYdfDNFroAgGOe6Tis
         r3dw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date;
        bh=RYoG6KevTCu1bV9zbdcAKIm/paardtSFfHkAHufzt00=;
        b=nhjNpfYt7KiSBqDh73IyLbxBTj1lYFPdkKj7jli2ICSe2pHPWCeX27Nih8fHk77N8r
         wlGGX/AzI7S5ZL4nsdo5Q9sWyAXDtw7scM+VAp2B2JlKfEIEzmx4kpF6PYUKYVuJZVJ3
         VONdqGy+lSkhwIdNE0jpwtJTSf6I0xz1tflQAvFNfEefveu+/IVOoDcn57A/0xAzLzmY
         bOG4sc49jv+GRmFol1awwEMv0PhmaZ3YK0mFHhqY3fwveOyNPjAlz1yD5G7TLdTerB88
         TdodnrwPxwJSmIvv7bkA+NiB9Ar5SIF8xS/Vkn75+HnpX0SmPJznzu5RdaRWUi2x3k1d
         niYA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 64si6446383edf.34.2019.10.05.07.16.02;
        Sat, 05 Oct 2019 07:16:25 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728110AbfJEOPa (ORCPT <rfc822;ablacktshirt@gmail.com>
        + 99 others); Sat, 5 Oct 2019 10:15:30 -0400
Received: from youngberry.canonical.com ([91.189.89.112]:41508 "EHLO
        youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726269AbfJEOPa (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 5 Oct 2019 10:15:30 -0400
Received: from [213.220.153.21] (helo=wittgenstein)
        by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
        (Exim 4.86_2)
        (envelope-from <christian.brauner@ubuntu.com>)
        id 1iGkqD-0003fV-3P; Sat, 05 Oct 2019 14:15:25 +0000
Date:   Sat, 5 Oct 2019 16:15:24 +0200
From:   Christian Brauner <christian.brauner@ubuntu.com>
To:     Marco Elver <elver@google.com>
Cc:     syzbot+c5d03165a1bd1dead0c1@syzkaller.appspotmail.com,
        bsingharora@gmail.com, LKML <linux-kernel@vger.kernel.org>,
        syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH] taskstats: fix data-race
Message-ID: <20191005141523.kog6il27seucy2f4@wittgenstein>
References: <0000000000009b403005942237bf@google.com>
 <20191005112806.13960-1-christian.brauner@ubuntu.com>
 <CANpmjNMqTupyPc6-PCviB1HPTHawjzNL1r1gmdQqnwCvE=BNNA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <CANpmjNMqTupyPc6-PCviB1HPTHawjzNL1r1gmdQqnwCvE=BNNA@mail.gmail.com>
User-Agent: NeoMutt/20180716
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Oct 05, 2019 at 03:33:07PM +0200, Marco Elver wrote:
> On Sat, 5 Oct 2019 at 13:28, Christian Brauner
> <christian.brauner@ubuntu.com> wrote:
> >
> > When assiging and testing taskstats in taskstats
> > taskstats_exit() there's a race around writing and reading sig->stats.
> >
> > cpu0:
> > task calls exit()
> > do_exit()
> >         -> taskstats_exit()
> >                 -> taskstats_tgid_alloc()
> > The task takes sighand lock and assigns new stats to sig->stats.
> >
> > cpu1:
> > task catches signal
> > do_exit()
> >         -> taskstats_tgid_alloc()
> >                 -> taskstats_exit()
> > The tasks reads sig->stats __without__ holding sighand lock seeing
> > garbage.
> 
> Is the task seeing garbage reading the data pointed to by stats, or is
> this just the pointer that would be garbage?

I expect the pointer to be garbage.

> 
> My only observation here is that the previous version was trying to do
> double-checked locking, to avoid taking the lock if sig->stats was
> already set. The obvious problem with the previous version is plain
> read/write and missing memory ordering: the write inside the critical
> section should be smp_store_release and there should only be one
> smp_load_acquire at the start.
> 
> Maybe I missed something somewhere, but maybe my suggestion below
> would be an equivalent fix without always having to take the lock to
> assign the pointer? If performance is not critical here, then it's
> probably not worth it.

The only point of contention is when the whole thread-group exits (e.g.
via exit_group(2) since threads in a thread-group share signal struct).
The reason I didn't do memory barriers was because we need to take the
spinlock for the actual list manipulation anyway.
But I don't mind incorporating the acquire/release.

Christian

> 
> Thanks,
> -- Marco
> 
> diff --git a/kernel/taskstats.c b/kernel/taskstats.c
> index 13a0f2e6ebc2..f58dd285a44b 100644
> --- a/kernel/taskstats.c
> +++ b/kernel/taskstats.c
> @@ -554,25 +554,31 @@ static int taskstats_user_cmd(struct sk_buff
> *skb, struct genl_info *info)
>  static struct taskstats *taskstats_tgid_alloc(struct task_struct *tsk)
>  {
>   struct signal_struct *sig = tsk->signal;
> - struct taskstats *stats;
> + struct taskstats *stats_new, *stats;
> 
> - if (sig->stats || thread_group_empty(tsk))
> + /* acquire load to make pointed-to data visible */
> + stats = smp_load_acquire(&sig->stats);
> + if (stats || thread_group_empty(tsk))
>   goto ret;
> 
>   /* No problem if kmem_cache_zalloc() fails */
> - stats = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL);
> + stats_new = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL);
> 
>   spin_lock_irq(&tsk->sighand->siglock);
> - if (!sig->stats) {
> - sig->stats = stats;
> - stats = NULL;
> + stats = sig->stats;
> + if (!stats) {
> + stats = stats_new;
> + /* release store to order zalloc before */
> + smp_store_release(&sig->stats, stats_new);
> + stats_new = NULL;
>   }
>   spin_unlock_irq(&tsk->sighand->siglock);
> 
> - if (stats)
> - kmem_cache_free(taskstats_cache, stats);
> + if (stats_new)
> + kmem_cache_free(taskstats_cache, stats_new);
> +
>  ret:
> - return sig->stats;
> + return stats;
>  }
> 
>  /* Send pid data out on exit */