Received: by 2002:a5b:505:0:0:0:0:0 with SMTP id o5csp2186585ybp; Sat, 5 Oct 2019 07:16:25 -0700 (PDT) X-Google-Smtp-Source: APXvYqyUzmWj1LPoSK5/3AxIhVtrA17l8lKA4iq1wOxOOhIJ3HrqMEGm+gfkBxZstNz3ExznKNgj X-Received: by 2002:aa7:dc4b:: with SMTP id g11mr20919070edu.70.1570284985741; Sat, 05 Oct 2019 07:16:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1570284985; cv=none; d=google.com; s=arc-20160816; b=HfP9a72DQ0IjmDpUkeUbitrA3GNvU5K+SS3F+0TmLGIHhZv0HUgdMb3gczvZkhU3JM CZHRSi96nDjnjFfY/Ug2dGYMTpCmDk0YkcM8wyNKJVtYXqbFOP3DUpERByyLZoT1Uguu zhWYXRUmxoMbWr3nN5mIilJVTyishh5qDdP9nCWizQ3IiM3TEWNqq08Pgqc0yhY4uB4R Q3eOqvarRidLrPR9gbQ1ZLyhS1XVuNpFhkwxh4VS2Zihn2feB4upElCZe0CW2uOl9mjq HQD4dMMwB4DbDT5BoPtLSDQ6Y8GXcWP9o6pYDsRTTCx0tcCX7fWYdfDNFroAgGOe6Tis r3dw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=RYoG6KevTCu1bV9zbdcAKIm/paardtSFfHkAHufzt00=; b=nhjNpfYt7KiSBqDh73IyLbxBTj1lYFPdkKj7jli2ICSe2pHPWCeX27Nih8fHk77N8r wlGGX/AzI7S5ZL4nsdo5Q9sWyAXDtw7scM+VAp2B2JlKfEIEzmx4kpF6PYUKYVuJZVJ3 VONdqGy+lSkhwIdNE0jpwtJTSf6I0xz1tflQAvFNfEefveu+/IVOoDcn57A/0xAzLzmY bOG4sc49jv+GRmFol1awwEMv0PhmaZ3YK0mFHhqY3fwveOyNPjAlz1yD5G7TLdTerB88 TdodnrwPxwJSmIvv7bkA+NiB9Ar5SIF8xS/Vkn75+HnpX0SmPJznzu5RdaRWUi2x3k1d niYA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 64si6446383edf.34.2019.10.05.07.16.02; Sat, 05 Oct 2019 07:16:25 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728110AbfJEOPa (ORCPT + 99 others); Sat, 5 Oct 2019 10:15:30 -0400 Received: from youngberry.canonical.com ([91.189.89.112]:41508 "EHLO youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726269AbfJEOPa (ORCPT ); Sat, 5 Oct 2019 10:15:30 -0400 Received: from [213.220.153.21] (helo=wittgenstein) by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1iGkqD-0003fV-3P; Sat, 05 Oct 2019 14:15:25 +0000 Date: Sat, 5 Oct 2019 16:15:24 +0200 From: Christian Brauner To: Marco Elver Cc: syzbot+c5d03165a1bd1dead0c1@syzkaller.appspotmail.com, bsingharora@gmail.com, LKML , syzkaller-bugs@googlegroups.com Subject: Re: [PATCH] taskstats: fix data-race Message-ID: <20191005141523.kog6il27seucy2f4@wittgenstein> References: <0000000000009b403005942237bf@google.com> <20191005112806.13960-1-christian.brauner@ubuntu.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: User-Agent: NeoMutt/20180716 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Oct 05, 2019 at 03:33:07PM +0200, Marco Elver wrote: > On Sat, 5 Oct 2019 at 13:28, Christian Brauner > wrote: > > > > When assiging and testing taskstats in taskstats > > taskstats_exit() there's a race around writing and reading sig->stats. > > > > cpu0: > > task calls exit() > > do_exit() > > -> taskstats_exit() > > -> taskstats_tgid_alloc() > > The task takes sighand lock and assigns new stats to sig->stats. > > > > cpu1: > > task catches signal > > do_exit() > > -> taskstats_tgid_alloc() > > -> taskstats_exit() > > The tasks reads sig->stats __without__ holding sighand lock seeing > > garbage. > > Is the task seeing garbage reading the data pointed to by stats, or is > this just the pointer that would be garbage? I expect the pointer to be garbage. > > My only observation here is that the previous version was trying to do > double-checked locking, to avoid taking the lock if sig->stats was > already set. The obvious problem with the previous version is plain > read/write and missing memory ordering: the write inside the critical > section should be smp_store_release and there should only be one > smp_load_acquire at the start. > > Maybe I missed something somewhere, but maybe my suggestion below > would be an equivalent fix without always having to take the lock to > assign the pointer? If performance is not critical here, then it's > probably not worth it. The only point of contention is when the whole thread-group exits (e.g. via exit_group(2) since threads in a thread-group share signal struct). The reason I didn't do memory barriers was because we need to take the spinlock for the actual list manipulation anyway. But I don't mind incorporating the acquire/release. Christian > > Thanks, > -- Marco > > diff --git a/kernel/taskstats.c b/kernel/taskstats.c > index 13a0f2e6ebc2..f58dd285a44b 100644 > --- a/kernel/taskstats.c > +++ b/kernel/taskstats.c > @@ -554,25 +554,31 @@ static int taskstats_user_cmd(struct sk_buff > *skb, struct genl_info *info) > static struct taskstats *taskstats_tgid_alloc(struct task_struct *tsk) > { > struct signal_struct *sig = tsk->signal; > - struct taskstats *stats; > + struct taskstats *stats_new, *stats; > > - if (sig->stats || thread_group_empty(tsk)) > + /* acquire load to make pointed-to data visible */ > + stats = smp_load_acquire(&sig->stats); > + if (stats || thread_group_empty(tsk)) > goto ret; > > /* No problem if kmem_cache_zalloc() fails */ > - stats = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL); > + stats_new = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL); > > spin_lock_irq(&tsk->sighand->siglock); > - if (!sig->stats) { > - sig->stats = stats; > - stats = NULL; > + stats = sig->stats; > + if (!stats) { > + stats = stats_new; > + /* release store to order zalloc before */ > + smp_store_release(&sig->stats, stats_new); > + stats_new = NULL; > } > spin_unlock_irq(&tsk->sighand->siglock); > > - if (stats) > - kmem_cache_free(taskstats_cache, stats); > + if (stats_new) > + kmem_cache_free(taskstats_cache, stats_new); > + > ret: > - return sig->stats; > + return stats; > } > > /* Send pid data out on exit */