| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 23 Jun 2020 12:01:00 +0200
From: Christian Brauner <christian.brauner@...ntu.com>
To: Weilong Chen <chenweilong@...wei.com>
Cc: akpm@...ux-foundation.org, tglx@...utronix.de, lizefan@...wei.com,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] kernel/fork.c: annotate data races for copy_process
On Tue, Jun 23, 2020 at 12:12:40PM +0800, Weilong Chen wrote:
> KCSAN report there's a data race risk while using nr_threads.
> But according to the comment above it:
> '
> /*
> * If multiple threads are within copy_process(), then this check
> * triggers too late. This doesn't hurt, the check is only there
> * to stop root fork bombs.
> */
> '
> The concurrency problem is not care. And we needn't to use READ_ONCE/atomic/etc
> to protect it. Meanwhile 'max_threads' is a sysctl variable which can
> be modified concurrently while being read, we can use
> 'data_race(nr_threads >= max_threads)' to mark both of then.
>
> BUG: KCSAN: data-race in copy_process / copy_process
>
> write to 0xffffffff86205cf8 of 4 bytes by task 14779 on cpu 1:
> copy_process+0x2eba/0x3c40 kernel/fork.c:2273
> _do_fork+0xfe/0x7a0 kernel/fork.c:2421
> __do_sys_clone kernel/fork.c:2576 [inline]
> __se_sys_clone kernel/fork.c:2557 [inline]
> __x64_sys_clone+0x130/0x170 kernel/fork.c:2557
> do_syscall_64+0xcc/0x3a0 arch/x86/entry/common.c:294
> entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> read to 0xffffffff86205cf8 of 4 bytes by task 6944 on cpu 0:
> copy_process+0x94d/0x3c40 kernel/fork.c:1954
> _do_fork+0xfe/0x7a0 kernel/fork.c:2421
> __do_sys_clone kernel/fork.c:2576 [inline]
> __se_sys_clone kernel/fork.c:2557 [inline]
> __x64_sys_clone+0x130/0x170 kernel/fork.c:2557
> do_syscall_64+0xcc/0x3a0 arch/x86/entry/common.c:294
> entry_SYSCALL_64_after_hwframe+0x44/0xa9
> Link: https://groups.google.com/forum/#!msg/syzkaller-upstream-mo
> deration/thvp7AHs5Ew/aPdYLXfYBQAJ
>
> Reported-by: syzbot+52fced2d288f8ecd2b20@...kaller.appspotmail.com
> Cc: Qian Cai <cai@....pw>
> Cc: Oleg Nesterov <oleg@...hat.com>
> Cc: Christian Brauner <christian.brauner@...ntu.com>
> Cc: Marco Elver <elver@...gle.com>
> Signed-off-by: Zefan Li <lizefan@...wei.com>
> Signed-off-by: Weilong Chen <chenweilong@...wei.com>
> ---
I'm going to fix up the commit message a little bit but otherwise I'm
going to take this unless I hear objections from someone.
Acked-by: Christian Brauner <christian.brauner@...ntu.com>
Thanks!
Christian
> kernel/fork.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/fork.c b/kernel/fork.c
> index 63c8fb2f5ca7..caa9c1f27444 100644
> --- a/kernel/fork.c
> +++ b/kernel/fork.c
> @@ -1976,7 +1976,7 @@ static __latent_entropy struct task_struct *copy_process(
> * to stop root fork bombs.
> */
> retval = -EAGAIN;
> - if (nr_threads >= max_threads)
> + if (data_race(nr_threads >= max_threads))
> goto bad_fork_cleanup_count;
>
> delayacct_tsk_init(p); /* Must remain after dup_task_struct() */
> --
> 2.17.1
>
Powered by blists - more mailing lists