diff options
| author | Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp> | 2012-07-30 17:42:20 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2012-07-30 20:25:20 -0400 |
| commit | 0f20784d4ba3f88ca33b703b23372d8ccf6dbd42 (patch) | |
| tree | 3cb33ac4afdf3679e12520f579e2e1a607f33670 | |
| parent | 79c743dd1e8de61c31f484c0a1b48930543044b3 (diff) | |
kmod: avoid deadlock from recursive kmod call
The system deadlocks (at least since 2.6.10) when
call_usermodehelper(UMH_WAIT_EXEC) request triggers
call_usermodehelper(UMH_WAIT_PROC) request.
This is because "khelper thread is waiting for the worker thread at
wait_for_completion() in do_fork() since the worker thread was created
with CLONE_VFORK flag" and "the worker thread cannot call complete()
because do_execve() is blocked at UMH_WAIT_PROC request" and "the khelper
thread cannot start processing UMH_WAIT_PROC request because the khelper
thread is waiting for the worker thread at wait_for_completion() in
do_fork()".
The easiest example to observe this deadlock is to use a corrupted
/sbin/hotplug binary (like shown below).
# : > /tmp/dummy
# chmod 755 /tmp/dummy
# echo /tmp/dummy > /proc/sys/kernel/hotplug
# modprobe whatever
call_usermodehelper("/tmp/dummy", UMH_WAIT_EXEC) is called from
kobject_uevent_env() in lib/kobject_uevent.c upon loading/unloading a
module. do_execve("/tmp/dummy") triggers a call to
request_module("binfmt-0000") from search_binary_handler() which in turn
calls call_usermodehelper(UMH_WAIT_PROC).
In order to avoid deadlock, as a for-now and easy-to-backport solution, do
not try to call wait_for_completion() in call_usermodehelper_exec() if the
worker thread was created by khelper thread with CLONE_VFORK flag. Future
and fundamental solution might be replacing singleton khelper thread with
some workqueue so that recursive calls up to max_active dependency loop
can be handled without deadlock.
[akpm@linux-foundation.org: add comment to kmod_thread_locker]
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: Arjan van de Ven <arjan@linux.intel.com>
Acked-by: Rusty Russell <rusty@rustcorp.com.au>
Cc: Tejun Heo <tj@kernel.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
| -rw-r--r-- | kernel/kmod.c | 31 |
1 files changed, 29 insertions, 2 deletions
diff --git a/kernel/kmod.c b/kernel/kmod.c index 2a8351516a0e..6f99aead66c6 100644 --- a/kernel/kmod.c +++ b/kernel/kmod.c | |||
| @@ -45,6 +45,13 @@ extern int max_threads; | |||
| 45 | 45 | ||
| 46 | static struct workqueue_struct *khelper_wq; | 46 | static struct workqueue_struct *khelper_wq; |
| 47 | 47 | ||
| 48 | /* | ||
| 49 | * kmod_thread_locker is used for deadlock avoidance. There is no explicit | ||
| 50 | * locking to protect this global - it is private to the singleton khelper | ||
| 51 | * thread and should only ever be modified by that thread. | ||
| 52 | */ | ||
| 53 | static const struct task_struct *kmod_thread_locker; | ||
| 54 | |||
| 48 | #define CAP_BSET (void *)1 | 55 | #define CAP_BSET (void *)1 |
| 49 | #define CAP_PI (void *)2 | 56 | #define CAP_PI (void *)2 |
| 50 | 57 | ||
| @@ -221,6 +228,13 @@ fail: | |||
| 221 | return 0; | 228 | return 0; |
| 222 | } | 229 | } |
| 223 | 230 | ||
| 231 | static int call_helper(void *data) | ||
| 232 | { | ||
| 233 | /* Worker thread started blocking khelper thread. */ | ||
| 234 | kmod_thread_locker = current; | ||
| 235 | return ____call_usermodehelper(data); | ||
| 236 | } | ||
| 237 | |||
| 224 | static void call_usermodehelper_freeinfo(struct subprocess_info *info) | 238 | static void call_usermodehelper_freeinfo(struct subprocess_info *info) |
| 225 | { | 239 | { |
| 226 | if (info->cleanup) | 240 | if (info->cleanup) |
| @@ -295,9 +309,12 @@ static void __call_usermodehelper(struct work_struct *work) | |||
| 295 | if (wait == UMH_WAIT_PROC) | 309 | if (wait == UMH_WAIT_PROC) |
| 296 | pid = kernel_thread(wait_for_helper, sub_info, | 310 | pid = kernel_thread(wait_for_helper, sub_info, |
| 297 | CLONE_FS | CLONE_FILES | SIGCHLD); | 311 | CLONE_FS | CLONE_FILES | SIGCHLD); |
| 298 | else | 312 | else { |
| 299 | pid = kernel_thread(____call_usermodehelper, sub_info, | 313 | pid = kernel_thread(call_helper, sub_info, |
| 300 | CLONE_VFORK | SIGCHLD); | 314 | CLONE_VFORK | SIGCHLD); |
| 315 | /* Worker thread stopped blocking khelper thread. */ | ||
| 316 | kmod_thread_locker = NULL; | ||
| 317 | } | ||
| 301 | 318 | ||
| 302 | switch (wait) { | 319 | switch (wait) { |
| 303 | case UMH_NO_WAIT: | 320 | case UMH_NO_WAIT: |
| @@ -548,6 +565,16 @@ int call_usermodehelper_exec(struct subprocess_info *sub_info, int wait) | |||
| 548 | retval = -EBUSY; | 565 | retval = -EBUSY; |
| 549 | goto out; | 566 | goto out; |
| 550 | } | 567 | } |
| 568 | /* | ||
| 569 | * Worker thread must not wait for khelper thread at below | ||
| 570 | * wait_for_completion() if the thread was created with CLONE_VFORK | ||
| 571 | * flag, for khelper thread is already waiting for the thread at | ||
| 572 | * wait_for_completion() in do_fork(). | ||
| 573 | */ | ||
| 574 | if (wait != UMH_NO_WAIT && current == kmod_thread_locker) { | ||
| 575 | retval = -EBUSY; | ||
| 576 | goto out; | ||
| 577 | } | ||
| 551 | 578 | ||
| 552 | sub_info->complete = &done; | 579 | sub_info->complete = &done; |
| 553 | sub_info->wait = wait; | 580 | sub_info->wait = wait; |