[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <e0fa1641-d00b-acfc-91d7-9eb16fb61664@linux.alibaba.com>
Date: Fri, 8 Jan 2021 00:21:38 +0800
From: Wen Yang <wenyang@...ux.alibaba.com>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc: Sasha Levin <sashal@...nel.org>,
Xunlei Pang <xlpang@...ux.alibaba.com>,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 4.9 00/10] fix a race in release_task when flushing the
dentry
在 2021/1/7 下午8:17, Greg Kroah-Hartman 写道:
> On Thu, Jan 07, 2021 at 03:52:12PM +0800, Wen Yang wrote:
>> The dentries such as /proc/<pid>/ns/ have the DCACHE_OP_DELETE flag, they
>> should be deleted when the process exits.
>>
>> Suppose the following race appears:
>>
>> release_task dput
>> -> proc_flush_task
>> -> dentry->d_op->d_delete(dentry)
>> -> __exit_signal
>> -> dentry->d_lockref.count-- and return.
>>
>> In the proc_flush_task(), if another process is using this dentry, it will
>> not be deleted. At the same time, in dput(), d_op->d_delete() can be executed
>> before __exit_signal(pid has not been hashed), d_delete returns false, so
>> this dentry still cannot be deleted.
>>
>> This dentry will always be cached (although its count is 0 and the
>> DCACHE_OP_DELETE flag is set), its parent denry will also be cached too, and
>> these dentries can only be deleted when drop_caches is manually triggered.
>>
>> This will result in wasted memory. What's more troublesome is that these
>> dentries reference pid, according to the commit f333c700c610 ("pidns: Add a
>> limit on the number of pid namespaces"), if the pid cannot be released, it
>> may result in the inability to create a new pid_ns.
>>
>> This issue was introduced by 60347f6716aa ("pid namespaces: prepare
>> proc_flust_task() to flush entries from multiple proc trees"), exposed by
>> f333c700c610 ("pidns: Add a limit on the number of pid namespaces"), and then
>> fixed by 7bc3e6e55acf ("proc: Use a list of inodes to flush from proc").
>
> Why are you just submitting a series for 4.9 and 4.19, what about 4.14?
> We can't have users move to a newer kernel and then experience old bugs,
> right?
>
Okay, the patches corresponding to 4.14 will be ready later.
> But the larger question is why are you backporting a whole new feature
> here? Why is CLONE_PIDFD needed? That feels really wrong...
>
The reason for backporting CLONE_PIDFD is because 7bc3e6e55acf ("proc:
Use a list of inodes to flush from proc") relies on wait_pidfd.lock.
There are indeed many associated modifications here. We are also testing
it. Please check the code more.
Thanks.
--
Best wishes,
Wen
Powered by blists - more mailing lists