diff options
| author | Oleg Nesterov <oleg@redhat.com> | 2015-01-08 17:32:12 -0500 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2015-01-08 18:10:51 -0500 |
| commit | 3245d6acab981a2388ffb877c7ecc97e763c59d4 (patch) | |
| tree | 9fcebbce2ca688948665292358d22809f80140ba /kernel/exit.c | |
| parent | eb4f73b4ca6c04f31af6f1ff1bf11b5020a1216f (diff) | |
exit: fix race between wait_consider_task() and wait_task_zombie()
wait_consider_task() checks EXIT_ZOMBIE after EXIT_DEAD/EXIT_TRACE and
both checks can fail if we race with EXIT_ZOMBIE -> EXIT_DEAD/EXIT_TRACE
change in between, gcc needs to reload p->exit_state after
security_task_wait(). In this case ->notask_error will be wrongly
cleared and do_wait() can hang forever if it was the last eligible
child.
Many thanks to Arne who carefully investigated the problem.
Note: this bug is very old but it was pure theoretical until commit
b3ab03160dfa ("wait: completely ignore the EXIT_DEAD tasks"). Before
this commit "-O2" was probably enough to guarantee that compiler won't
read ->exit_state twice.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Reported-by: Arne Goedeke <el@laramies.com>
Tested-by: Arne Goedeke <el@laramies.com>
Cc: <stable@vger.kernel.org> [3.15+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'kernel/exit.c')
| -rw-r--r-- | kernel/exit.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/kernel/exit.c b/kernel/exit.c index 1ea4369890a3..6806c55475ee 100644 --- a/kernel/exit.c +++ b/kernel/exit.c | |||
| @@ -1287,9 +1287,15 @@ static int wait_task_continued(struct wait_opts *wo, struct task_struct *p) | |||
| 1287 | static int wait_consider_task(struct wait_opts *wo, int ptrace, | 1287 | static int wait_consider_task(struct wait_opts *wo, int ptrace, |
| 1288 | struct task_struct *p) | 1288 | struct task_struct *p) |
| 1289 | { | 1289 | { |
| 1290 | /* | ||
| 1291 | * We can race with wait_task_zombie() from another thread. | ||
| 1292 | * Ensure that EXIT_ZOMBIE -> EXIT_DEAD/EXIT_TRACE transition | ||
| 1293 | * can't confuse the checks below. | ||
| 1294 | */ | ||
| 1295 | int exit_state = ACCESS_ONCE(p->exit_state); | ||
| 1290 | int ret; | 1296 | int ret; |
| 1291 | 1297 | ||
| 1292 | if (unlikely(p->exit_state == EXIT_DEAD)) | 1298 | if (unlikely(exit_state == EXIT_DEAD)) |
| 1293 | return 0; | 1299 | return 0; |
| 1294 | 1300 | ||
| 1295 | ret = eligible_child(wo, p); | 1301 | ret = eligible_child(wo, p); |
| @@ -1310,7 +1316,7 @@ static int wait_consider_task(struct wait_opts *wo, int ptrace, | |||
| 1310 | return 0; | 1316 | return 0; |
| 1311 | } | 1317 | } |
| 1312 | 1318 | ||
| 1313 | if (unlikely(p->exit_state == EXIT_TRACE)) { | 1319 | if (unlikely(exit_state == EXIT_TRACE)) { |
| 1314 | /* | 1320 | /* |
| 1315 | * ptrace == 0 means we are the natural parent. In this case | 1321 | * ptrace == 0 means we are the natural parent. In this case |
| 1316 | * we should clear notask_error, debugger will notify us. | 1322 | * we should clear notask_error, debugger will notify us. |
| @@ -1337,7 +1343,7 @@ static int wait_consider_task(struct wait_opts *wo, int ptrace, | |||
| 1337 | } | 1343 | } |
| 1338 | 1344 | ||
| 1339 | /* slay zombie? */ | 1345 | /* slay zombie? */ |
| 1340 | if (p->exit_state == EXIT_ZOMBIE) { | 1346 | if (exit_state == EXIT_ZOMBIE) { |
| 1341 | /* we don't reap group leaders with subthreads */ | 1347 | /* we don't reap group leaders with subthreads */ |
| 1342 | if (!delay_group_leader(p)) { | 1348 | if (!delay_group_leader(p)) { |
| 1343 | /* | 1349 | /* |