| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 14 Nov 2011 14:54:08 +0100 From: Frederic Weisbecker <fweisbec@...il.com> To: Tejun Heo <tj@...nel.org> Cc: paul@...lmenage.org, rjw@...k.pl, lizf@...fujitsu.com, linux-pm@...ts.linux-foundation.org, linux-kernel@...r.kernel.org, containers@...ts.linux-foundation.org, matthltc@...ibm.com, akpm@...ux-foundation.org, oleg@...hat.com, kamezawa.hiroyu@...fujitsu.com Subject: Re: [PATCH 03/10] threadgroup: extend threadgroup_lock() to cover exit and exec On Sun, Nov 13, 2011 at 05:44:32PM +0100, Frederic Weisbecker wrote: > On Tue, Nov 01, 2011 at 04:46:26PM -0700, Tejun Heo wrote: > > threadgroup_lock() protected only protected against new addition to > > the threadgroup, which was inherently somewhat incomplete and > > problematic for its only user cgroup. On-going migration could race > > against exec and exit leading to interesting problems - the symmetry > > between various attach methods, task exiting during method execution, > > ->exit() racing against attach methods, migrating task switching basic > > properties during exec and so on. > > > > This patch extends threadgroup_lock() such that it protects against > > all three threadgroup altering operations - fork, exit and exec. For > > exit, threadgroup_change_begin/end() calls are added to exit path. > > For exec, threadgroup_[un]lock() are updated to also grab and release > > cred_guard_mutex. > > > > With this change, threadgroup_lock() guarantees that the target > > threadgroup will remain stable - no new task will be added, no new > > PF_EXITING will be set and exec won't happen. > > > > The next patch will update cgroup so that it can take full advantage > > of this change. > > I don't want to nitpick really, but IMHO the races involved in exit and exec > are too different, specific and complicated on their own to be solved in a > single one patch. This should be split in two things. > > The specific problems and their fix need to be described more in detail > in the changelog because the issues are very tricky. > > The exec case: > > IIUC, the race in exec is about the group leader that can be changed > to become the exec'ing thread, making while_each_thread() unsafe. > We also have other things happening there like all the other threads > in the group that get killed, but that should be handled by the threadgroup_change_begin() > you put in the exit path. > The old leader is also killed but release_task() -> __unhash_process() is called > for it manually from the exec path. However this thread too should be covered by your > synchronisation in exit(). > > So after your protection in the exit path, the only thing to protect against in exec > is that group_leader that can change concurrently. But I may be missing something in the picture. > Also note this is currently protected by the tasklist readlock. Cred guard mutex is > certainly better, I just don't remember if you remove the tasklist lock in a > further patch. Ah recalling what Ben Blum said, we also need the leader to stay stable because it is excpected to be passed in ->can_attach(), ->attach(), ->cancel_attach(), ... Although that's going to change after your patches that pass a flex array. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists