Received: by 2002:a5b:505:0:0:0:0:0 with SMTP id o5csp816702ybp; Wed, 9 Oct 2019 04:49:20 -0700 (PDT) X-Google-Smtp-Source: APXvYqy6jQoGKroQDiuyNgLl7u9rnLhaNubmMITA9D7HJX3X9mV5AomlTqFLIv2Xr3OS9vnScr6s X-Received: by 2002:aa7:d045:: with SMTP id n5mr2544554edo.24.1570621760258; Wed, 09 Oct 2019 04:49:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1570621760; cv=none; d=google.com; s=arc-20160816; b=ngsBbWF35y+zTWHxXsNszQUlQoO0ehFFkQwUEl59qxY/l+xQBYUk4EF2rGltwfH39b uFoTql4O2P88GVxC77MCPNdGZztdG8D7usGOP/+vviIGpMtw70ag7KR0k+xI4yXTONwl 3ERMYegx9scu5VGSeIEsDeR1QhnlpG62qDThGM6FDuSdqokF5A14Kpw+JPRQcF3fclgx Ikb5mOfHB4CE6POt51Mle1MaXtp1iuK/rcDCeS77hOWjffKm7MrBdBljfih/j9r8Qxvm 1+xln3roy1Jr8uyYCN+5J6NJTt+8XQfoh/7PCkh3ycNmj7Yox0KEQxOuzaTZ9seJmm00 0TPg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=RdvAMuUQxe0Qi+V1vQERcuk1lbOQES8EHOAEiADwjx4=; b=g+pBJ1SmC8srYf5eQ0hIzVKkZQwIcOBTnOVbJsVgRt7rYGzGFjnb7k4752DH6s6dxT XMwupPRa8fq22yGJenRXzyXNGjnS/GiZcjNuuPN9hG4/kC/00S7eCwExyTH+vHrwxCrk sW/wvhCxePC9vGLPmKp+TD8cyxBk0Kf9/s+F4hZRUPvZwHCvyjmOkPHwzKi+lYlYMnzx csz7dxSGznAkPMr/qistl38c0lm6Pi/pEB/WmfiLzlfwVPsVgugEKcurl9WaPkktf7Xm 2BaFPbUI55ulnpqXtkmjP1jKbrJwzUWxiu2y98wYyoSj4hsigippetxdPmyjZq6fSmFa dvRQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=vsXIJOY2; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c14si937488ejz.242.2019.10.09.04.48.57; Wed, 09 Oct 2019 04:49:20 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=vsXIJOY2; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730950AbfJILsm (ORCPT + 99 others); Wed, 9 Oct 2019 07:48:42 -0400 Received: from mail-ot1-f66.google.com ([209.85.210.66]:45606 "EHLO mail-ot1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730843AbfJILsl (ORCPT ); Wed, 9 Oct 2019 07:48:41 -0400 Received: by mail-ot1-f66.google.com with SMTP id 41so1416365oti.12 for ; Wed, 09 Oct 2019 04:48:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=RdvAMuUQxe0Qi+V1vQERcuk1lbOQES8EHOAEiADwjx4=; b=vsXIJOY2nMi/MfBY1pJtQhlwrpew68PURn3w5LdtO1wXmFIG/536TJk5IfLDQSjxHl aCcIAFc6mxLObXfo8dSV0kDEFdQUu30qi9WbACCGXISBuqwYLSqhtf7e+TQID+sijrdB JJZJK70VrxacHEkuS8d5zZ4z5j4ipDVyZHOrFgqHdvluWbnOLKdUvQo8CdYnRbZSa7+T 7JJxJRHmbQR60rpJ5MDn3GRrdYSOA96ZkZ7O2bF/HOZ0J+0q0kjKYmxWHpkKJerJucD/ rmLy4QY8IduKFni2m5wVCcQtLiX4IL7Y2PX8r9BIUqU8Iq30N90IVokYEg6g3sutEyVG i7iQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=RdvAMuUQxe0Qi+V1vQERcuk1lbOQES8EHOAEiADwjx4=; b=m5Q9r71oR3IXcx5IJ3/AiFO8JPXJjXS7KoyAGdGRARXfodwgrkNaesBy57EbrKdvP+ qI4gy3A/rFkORc/q2+760jcYquLKcrDlc2sLQE0gPiXVIJOKgSmP9A42t8H84sgwNLDe 27Va7rYL0Nee24g+kLIutSN7kZHtjPAnTRUkJmaDua+v1njO/Rh4qRj2pz4j+6MYKtAf oc7M9v9K5xLar0RH7FWiGK5sDE0Q73qjeV82eNryDmGUVIzr0OfSqq05UALoIquT5Ebb 0jGx5UT0lBYzqeoSVfFdkBFmo/I+1oNR5ANVU+EAJsTZ+aRbzp9hiCjKxJwnfEP2M7Se mSeg== X-Gm-Message-State: APjAAAVHKb2WMs8jNBpxRwX6f2fHPh6bFhsYScy3Zx5wELyP6sb724ec 45BYLY78v4tF//UH//HFQBHIWT8tm6rvVIVD2Ybxjg== X-Received: by 2002:a9d:724e:: with SMTP id a14mr2516551otk.23.1570621719468; Wed, 09 Oct 2019 04:48:39 -0700 (PDT) MIME-Version: 1.0 References: <20191008154418.GA16972@andrea> <20191009113134.5171-1-christian.brauner@ubuntu.com> In-Reply-To: <20191009113134.5171-1-christian.brauner@ubuntu.com> From: Marco Elver Date: Wed, 9 Oct 2019 13:48:27 +0200 Message-ID: Subject: Re: [PATCH] taskstats: fix data-race To: Christian Brauner Cc: Andrea Parri , bsingharora@gmail.com, Dmitry Vyukov , LKML , stable@vger.kernel.org, syzbot+c5d03165a1bd1dead0c1@syzkaller.appspotmail.com, syzkaller-bugs@googlegroups.com Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 9 Oct 2019 at 13:31, Christian Brauner wrote: > > When assiging and testing taskstats in taskstats_exit() there's a race > when writing and reading sig->stats when a thread-group with more than > one thread exits: > > cpu0: > thread catches fatal signal and whole thread-group gets taken down > do_exit() > do_group_exit() > taskstats_exit() > taskstats_tgid_alloc() > The tasks reads sig->stats without holding sighand lock seeing garbage. > > cpu1: > task calls exit_group() > do_exit() > do_group_exit() > taskstats_exit() > taskstats_tgid_alloc() > The task takes sighand lock and assigns new stats to sig->stats. > > Fix this by using smp_load_acquire() and smp_store_release(). > > Reported-by: syzbot+c5d03165a1bd1dead0c1@syzkaller.appspotmail.com > Fixes: 34ec12349c8a ("taskstats: cleanup ->signal->stats allocation") > Cc: stable@vger.kernel.org > Signed-off-by: Christian Brauner > Reviewed-by: Dmitry Vyukov > --- > /* v1 */ > Link: https://lore.kernel.org/r/20191005112806.13960-1-christian.brauner@ubuntu.com > > /* v2 */ > Link: https://lore.kernel.org/r/20191006235216.7483-1-christian.brauner@ubuntu.com > - Dmitry Vyukov , Marco Elver : > - fix the original double-checked locking using memory barriers > > /* v3 */ > Link: https://lore.kernel.org/r/20191007110117.1096-1-christian.brauner@ubuntu.com/ > - Andrea Parri : > - document memory barriers to make checkpatch happy > > /* v4 */ > - Andrea Parri : > - use smp_load_acquire(), not READ_ONCE() > - update commit message Acked-by: Marco Elver Note that this now looks almost like what I suggested, except the return at the end of the function is accessing sig->stats again. In this case, it seems it's fine assuming sig->stats cannot be written elsewhere. Just wanted to point it out to make sure it's considered. Thanks! > --- > kernel/taskstats.c | 24 +++++++++++++++--------- > 1 file changed, 15 insertions(+), 9 deletions(-) > > diff --git a/kernel/taskstats.c b/kernel/taskstats.c > index 13a0f2e6ebc2..e6b45315607a 100644 > --- a/kernel/taskstats.c > +++ b/kernel/taskstats.c > @@ -554,24 +554,30 @@ static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info) > static struct taskstats *taskstats_tgid_alloc(struct task_struct *tsk) > { > struct signal_struct *sig = tsk->signal; > - struct taskstats *stats; > + struct taskstats *stats_new, *stats; > > - if (sig->stats || thread_group_empty(tsk)) > - goto ret; > + /* Pairs with smp_store_release() below. */ > + stats = smp_load_acquire(sig->stats); > + if (stats || thread_group_empty(tsk)) > + return stats; > > /* No problem if kmem_cache_zalloc() fails */ > - stats = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL); > + stats_new = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL); > > spin_lock_irq(&tsk->sighand->siglock); > if (!sig->stats) { > - sig->stats = stats; > - stats = NULL; > + /* > + * Pairs with smp_store_release() above and order the > + * kmem_cache_zalloc(). > + */ > + smp_store_release(&sig->stats, stats_new); > + stats_new = NULL; > } > spin_unlock_irq(&tsk->sighand->siglock); > > - if (stats) > - kmem_cache_free(taskstats_cache, stats); > -ret: > + if (stats_new) > + kmem_cache_free(taskstats_cache, stats_new); > + > return sig->stats; > } > > -- > 2.23.0 >