Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754250Ab2JJHtg (ORCPT ); Wed, 10 Oct 2012 03:49:36 -0400 Received: from out1-smtp.messagingengine.com ([66.111.4.25]:56268 "EHLO out1-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752245Ab2JJHt2 (ORCPT ); Wed, 10 Oct 2012 03:49:28 -0400 X-Sasl-enc: /cOmN48NXt7wiNkdE6w3LTkysPL5ZKeCaDJAYafeDXW0 1349855366 Date: Wed, 10 Oct 2012 16:49:23 +0900 From: Greg KH To: Andrew Morton Cc: Andrew Vagin , linux-kernel@vger.kernel.org, criu@openvz.org, Pavel Emelyanov , Cyrill Gorcunov , "Eric W. Biederman" Subject: Re: [PATCH] pidns: remove recursion from free_pid_ns (v3) Message-ID: <20121010074923.GA11894@kroah.com> References: <1349553393-902065-1-git-send-email-avagin@openvz.org> <20121009114821.dc4c2aff.akpm@linux-foundation.org> <20121009190300.GB22108@kroah.com> <20121009120831.8a6d81d8.akpm@linux-foundation.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20121009120831.8a6d81d8.akpm@linux-foundation.org> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2558 Lines: 73 On Tue, Oct 09, 2012 at 12:08:31PM -0700, Andrew Morton wrote: > On Tue, 9 Oct 2012 12:03:00 -0700 > Greg KH wrote: > > > On Tue, Oct 09, 2012 at 11:48:21AM -0700, Andrew Morton wrote: > > > On Sat, 6 Oct 2012 23:56:33 +0400 > > > Andrew Vagin wrote: > > > > > > > Here is a stack trace of recursion: > > > > free_pid_ns(parent) > > > > put_pid_ns(parent) > > > > kref_put(&ns->kref, free_pid_ns); > > > > free_pid_ns > > > > > > > > This patch turns recursion into loops. > > > > > > > > pidns can be nested many times, so in case of recursion > > > > a simple user space program can provoke a kernel panic > > > > due to exceed of a kernel stack. > > > > > > So we should backport this into earlier kernels. > > > > > > > --- a/include/linux/kref.h > > > > +++ b/include/linux/kref.h > > > > @@ -95,6 +95,18 @@ static inline int kref_put(struct kref *kref, void (*release)(struct kref *kref) > > > > return kref_sub(kref, 1, release); > > > > } > > > > > > > > +/** > > > > + * kref_put - decrement refcount for object. > > > > + * @kref: object. > > > > + * > > > > + * Decrement the refcount. > > > > + * Return 1 if refcount is zero. > > > > + */ > > > > +static inline int __kref_put(struct kref *kref) > > > > +{ > > > > + return atomic_dec_and_test(&kref->refcount); > > > > +} > > > > > > Greg might be interested in this. > > > > > > It's a pretty specialised thing and perhaps it needs some stern words > > > in the description explaining when and why it should and shouldn't be > > > used. > > > > > > I wonder if people might (ab)use this to avoid the "doesn't > > > have a release function" warning. > > > > Yes they would, please don't do this at all. > > > > In fact, why is it needed? It doesn't solve anything (if it does, > > something in the way the kref is being used is wrong.) > > > > It's right there in the changelog. The patch fixes deep > kref_put->release->kref_put recursion by turning the operation for > pidns into a loop. But why would a kref release function ever decrement the same kref again causing a loop in the first place? That's what I was referring to. This strongly sounds like a problem in how the kref is being used, not in the kref code itself. Is a kref even the correct thing here? greg k-h -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/