diff options
author | Kirill Korotaev <dev@sw.ru> | 2006-08-14 02:24:23 -0400 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2006-08-14 15:54:29 -0400 |
commit | 6997a6faaa129a1c91775f7344c8d371a05178ea (patch) | |
tree | d1dbf57afc7d561620ad1b192ae031fd234b085a | |
parent | 012c437d03cb299814e58ac8d574f7510f5989a5 (diff) |
[PATCH] sys_getppid oopses on debug kernel
sys_getppid() optimization can access a freed memory. On kernels with
DEBUG_SLAB turned ON, this results in Oops. As Dave Hansen noted, this
optimization is also unsafe for memory hotplug.
So this patch always takes the lock to be safe.
[oleg@tv-sign.ru: simplifications]
Signed-off-by: Kirill Korotaev <dev@openvz.org>
Cc: <stable@kernel.org>
Cc: Dave Hansen <haveblue@us.ibm.com>
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r-- | kernel/timer.c | 41 |
1 files changed, 7 insertions, 34 deletions
diff --git a/kernel/timer.c b/kernel/timer.c index b650f04888ed..1d7dd6267c2d 100644 --- a/kernel/timer.c +++ b/kernel/timer.c | |||
@@ -1324,46 +1324,19 @@ asmlinkage long sys_getpid(void) | |||
1324 | } | 1324 | } |
1325 | 1325 | ||
1326 | /* | 1326 | /* |
1327 | * Accessing ->group_leader->real_parent is not SMP-safe, it could | 1327 | * Accessing ->real_parent is not SMP-safe, it could |
1328 | * change from under us. However, rather than getting any lock | 1328 | * change from under us. However, we can use a stale |
1329 | * we can use an optimistic algorithm: get the parent | 1329 | * value of ->real_parent under rcu_read_lock(), see |
1330 | * pid, and go back and check that the parent is still | 1330 | * release_task()->call_rcu(delayed_put_task_struct). |
1331 | * the same. If it has changed (which is extremely unlikely | ||
1332 | * indeed), we just try again.. | ||
1333 | * | ||
1334 | * NOTE! This depends on the fact that even if we _do_ | ||
1335 | * get an old value of "parent", we can happily dereference | ||
1336 | * the pointer (it was and remains a dereferencable kernel pointer | ||
1337 | * no matter what): we just can't necessarily trust the result | ||
1338 | * until we know that the parent pointer is valid. | ||
1339 | * | ||
1340 | * NOTE2: ->group_leader never changes from under us. | ||
1341 | */ | 1331 | */ |
1342 | asmlinkage long sys_getppid(void) | 1332 | asmlinkage long sys_getppid(void) |
1343 | { | 1333 | { |
1344 | int pid; | 1334 | int pid; |
1345 | struct task_struct *me = current; | ||
1346 | struct task_struct *parent; | ||
1347 | 1335 | ||
1348 | parent = me->group_leader->real_parent; | 1336 | rcu_read_lock(); |
1349 | for (;;) { | 1337 | pid = rcu_dereference(current->real_parent)->tgid; |
1350 | pid = parent->tgid; | 1338 | rcu_read_unlock(); |
1351 | #if defined(CONFIG_SMP) || defined(CONFIG_PREEMPT) | ||
1352 | { | ||
1353 | struct task_struct *old = parent; | ||
1354 | 1339 | ||
1355 | /* | ||
1356 | * Make sure we read the pid before re-reading the | ||
1357 | * parent pointer: | ||
1358 | */ | ||
1359 | smp_rmb(); | ||
1360 | parent = me->group_leader->real_parent; | ||
1361 | if (old != parent) | ||
1362 | continue; | ||
1363 | } | ||
1364 | #endif | ||
1365 | break; | ||
1366 | } | ||
1367 | return pid; | 1340 | return pid; |
1368 | } | 1341 | } |
1369 | 1342 | ||