| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 28 Jun 2007 21:14:24 +0530 From: "Satyam Sharma" <satyam.sharma@...il.com> To: "Oleg Nesterov" <oleg@...sign.ru> Cc: "Jeff Layton" <jlayton@...hat.com>, "Herbert Xu" <herbert@...dor.apana.org.au>, linux-kernel@...r.kernel.org, "Eric W. Biederman" <ebiederm@...ssion.com> Subject: Re: [PATCH] RFC: have tcp_recvmsg() check kthread_should_stop() and treat it as if it were signalled On 6/28/07, Oleg Nesterov <oleg@...sign.ru> wrote: > (trimmed the cc: list) > On 06/28, Satyam Sharma wrote: > > On 6/27/07, Oleg Nesterov <oleg@...sign.ru> wrote: > > > > > >Contrary, I believe we should avoid signals when it > > >comes to kernel threads. > > > > And I agree, but there's quite a subtle difference between signals being > > used like they normally are, and this case here. Fact is, there is simply > > no other way to break out of certain functions (if there was, I would've > > preferred that myself). > > > > In fact, what I'm proposing is that kthreads should *not* be tinkering > > with (flushing, handling, dequeueing, whatever) signals at all, because > > like you mentioned, if they do that, it's possible that the TIF_SIGPENDING > > could get lost. > > But we do have kthreads which call dequeue_signal(). And perhaps some > kthread treats SIGKILL as "urgent exit with a lot of printks" while > kthread_should_stop() means "exit gracefully". > [..] > I believe kthread_stop() should not send the signal. Just because it could > be actually dequeued by kthread, and it may have some special meaning for > this kthread. > [...] > Hmm... actually, such a change breaks the > > while (signal_pending(current)) > dequeue_signal_and_so_something(); > > loop, see jffs2_garbage_collect_thread() for example. > > In short, I think that kthread_stop() + TIF_SIGPENDING should be a special > case, the signal should be sent explicitly before kthread_stop(), like > cifs does. The existence of such kthreads (that dabble in signals, although I guess everybody here agrees kernel threads have no business dabbling in them) is the *only* reason I didn't submit my proposal as an actual patch :-) Perhaps "one day" we'll clean up all such cases, and fix up kthread semantics to simply outlaw signal-handling in kernel threads (I just can't convince myself there could be a good justifiable reason to do that). When that's done, and seeing that kthreadd_setup() does ignore_signals(), kthread_stop() could become simply force_sig() ... > [...] > This is what I can't understand completely. Why should we check SIGKILL > or signal_pending() in addition to kthread_stop_info.k, what is the point? ... so kthread_stop_info will go away too. > After all, the caller of kthread_stop(k) should know what and > why k does. One, the kthread code could change over time. Two, the solution to the problem is un-intuitive for the user to do. The API should know such cases, and handle them well too. The caller of kthread_stop() would expect it to do the expected, after all (i.e. stop the kthread :-) > In any case, that kind of the changes can break things, just because > this means API change. Well, kthreads are a kernel-internal API anyway, I guess as long as we fix all users, we're fine. > > >I am talking about the case > > >when wait_event_interruptible() should not fail (unless something bad > > >happens) inside the "while (!kthread_should_stop())" loop. > > >Note also that kthread could use TASK_INTERRUPTIBLE sleep > > >[...] and because it knows that all signals are ignored. > > > > Ok, I think you're saying that if a kthread used wait_event_interruptible > > (and was not expecting signals, because it ignores them), then bad > > things (say exit in inconsistent state, etc) will happen if we break that > > wait_event_interruptible unexpectedly. > > No. Of course, kthread should check the error and doesn't exit in > inconsistent state. > > The question is: why should we break (say) tcp_recvmsg() inside > "while (!kthread_should_stop())" loop if it is supposed to succeed > unless something bad happens? (I mean, we may have a kthread which > doesn't expect the failure unless something bad happens). First, I don't quite understand this "not expecting failure" / "something bad happens" bit at all. Second, we *must* break that tcp_recvmsg() inside the kthread's main loop, of course! We want it stopped, after all, and if we don't make it "break" out of that function, the kthread _will_never_exit_. [ What's worse, several kthreads are part of modules, and are created during the module_init() and so the module_exit() function needs to call kthread_stop() to clean it up. But the wait_for_completion() in kthread_stop() will never unblock, and so this would also mean the rmmod will _hang_ and module will never get unloaded too. ] > OK, let me give a silly example. The correctly written kthread should check > the result of kmalloc(), yes? kthread(k) means that k should exit anyway, yes? > So let's change kthread_stop(k) to also set TIF_MEMDIE, this means that > __alloc_pages() will fail quickly when get_page_from_freelist() doesn't > succeed, but won't start pageout() which may take a while. Please don't > explain me why this suggestion is bad :), I am just trying to illustrate > my point. Your example / analogy is indeed *very* bad :-) Please note that this whole thing is about functions that will _simply_*never*_exit_ever_ _unless_ given a signal. [ I think you've been misunderstanding my proposal that I want to send a SIGKILL / signal to the kthread just to ensure it gets stopped / killed "fast" or "asap" etc ... No! The only reason I got into this was because kthread_stop() is an API that fails to do what it should be doing if the corresponding kthread simply happens to be executing certain functions in the kernel that will *never* breakout unless given a signal. ] But finally, I do agree that kthreads already exist out there who want to dabble in signals and we can't break them, so perhaps the signal method for kthread_stop() will have to wait for now. [ BTW even there we're safe as long as we check kthread_stop() _before_ flushing or dequeueing the signals, but then that'll be an ugly rule to try and enforce, of course. ] Satyam - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists