lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 30 Aug 2017 18:23:50 +0530
From:   Neeraj Upadhyay <neeraju@...eaurora.org>
To:     tj@...nel.org, lizefan@...wei.com, mingo@...nel.org,
        longman@...hat.com, akpm@...ux-foundation.org
Cc:     linux-kernel@...r.kernel.org, sramana@...eaurora.org,
        prsood@...eaurora.org, Neeraj Upadhyay <neeraju@...eaurora.org>
Subject: [PATCH] cgroup: Fix potential race between cgroup_exit and cpuset_attach

There is a potential race between cgroup_exit() and the taskset
migration path. This race happens when all tasks associated
with the cg_list entries in mg_tasks, detach themselves
before the tasks can be attached to the destination cpuset in
cpuset_attach(). Below is the sequence where race is observed:

cpuset_hotplug_workfn()
  cgroup_transfer_tasks()
    cgroup_migrate()
      cgroup_migrate_execute()
          <TASK EXIT>
          list_del_init(&task->cg_list)
        cpuset_attach()
          cgroup_taskset_first(tset, &css) // css is not set
          guarantee_online_mems(cs, ...) // data abort

Fix this by adding a checking to verify that css is set from
cgroup_taskset_first(), before proceeding.

Signed-off-by: Neeraj Upadhyay <neeraju@...eaurora.org>
---
Hi,

We observed this issue for cgroup code corresponding to stable
v4.4.85 snapshot 3144d81 ("cgroup, kthread: close race window where
new kthreads can be migrated to non-root cgroups"). Can you please
tell us, if there are any patches in latest code, which
fixes these issue?

 kernel/cgroup/cpuset.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/kernel/cgroup/cpuset.c b/kernel/cgroup/cpuset.c
index 87a1213..7e245f26 100644
--- a/kernel/cgroup/cpuset.c
+++ b/kernel/cgroup/cpuset.c
@@ -1510,11 +1510,17 @@ static void cpuset_attach(struct cgroup_taskset *tset)
 	static nodemask_t cpuset_attach_nodemask_to;
 	struct task_struct *task;
 	struct task_struct *leader;
-	struct cgroup_subsys_state *css;
+	struct cgroup_subsys_state *css = NULL;
 	struct cpuset *cs;
 	struct cpuset *oldcs = cpuset_attach_old_cs;
 
 	cgroup_taskset_first(tset, &css);
+	/* If all mg_tasks detached (from cgroup_exit())
+	 * before we started scanning the mg_tasks in
+	 * cgroup_taskset_next().
+	 */
+	if (css == NULL)
+		return;
 	cs = css_cs(css);
 
 	mutex_lock(&cpuset_mutex);
-- 
QUALCOMM INDIA, on behalf of Qualcomm Innovation Center, Inc. is a
member of the Code Aurora Forum, hosted by The Linux Foundation

Powered by blists - more mailing lists