From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
"Peter Zijlstra (Intel)" <peterz@infradead.org>,
Valentin Schneider <Valentin.Schneider@arm.com>,
Patrick Schaaf <bof@bof.de>
Subject: [PATCH 5.4 06/37] kthread: Fix PF_KTHREAD vs to_kthread() race
Date: Fri, 10 Sep 2021 14:30:09 +0200 [thread overview]
Message-ID: <20210910122917.386721069@linuxfoundation.org> (raw)
In-Reply-To: <20210910122917.149278545@linuxfoundation.org>
From: Peter Zijlstra <peterz@infradead.org>
commit 3a7956e25e1d7b3c148569e78895e1f3178122a9 upstream.
The kthread_is_per_cpu() construct relies on only being called on
PF_KTHREAD tasks (per the WARN in to_kthread). This gives rise to the
following usage pattern:
if ((p->flags & PF_KTHREAD) && kthread_is_per_cpu(p))
However, as reported by syzcaller, this is broken. The scenario is:
CPU0 CPU1 (running p)
(p->flags & PF_KTHREAD) // true
begin_new_exec()
me->flags &= ~(PF_KTHREAD|...);
kthread_is_per_cpu(p)
to_kthread(p)
WARN(!(p->flags & PF_KTHREAD) <-- *SPLAT*
Introduce __to_kthread() that omits the WARN and is sure to check both
values.
Use this to remove the problematic pattern for kthread_is_per_cpu()
and fix a number of other kthread_*() functions that have similar
issues but are currently not used in ways that would expose the
problem.
Notably kthread_func() is only ever called on 'current', while
kthread_probe_data() is only used for PF_WQ_WORKER, which implies the
task is from kthread_create*().
Fixes: ac687e6e8c26 ("kthread: Extract KTHREAD_IS_PER_CPU")
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Valentin Schneider <Valentin.Schneider@arm.com>
Link: https://lkml.kernel.org/r/YH6WJc825C4P0FCK@hirez.programming.kicks-ass.net
Signed-off-by: Patrick Schaaf <bof@bof.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/kthread.c | 43 +++++++++++++++++++++++++++++--------------
kernel/sched/fair.c | 2 +-
2 files changed, 30 insertions(+), 15 deletions(-)
--- a/kernel/kthread.c
+++ b/kernel/kthread.c
@@ -76,6 +76,25 @@ static inline struct kthread *to_kthread
return (__force void *)k->set_child_tid;
}
+/*
+ * Variant of to_kthread() that doesn't assume @p is a kthread.
+ *
+ * Per construction; when:
+ *
+ * (p->flags & PF_KTHREAD) && p->set_child_tid
+ *
+ * the task is both a kthread and struct kthread is persistent. However
+ * PF_KTHREAD on it's own is not, kernel_thread() can exec() (See umh.c and
+ * begin_new_exec()).
+ */
+static inline struct kthread *__to_kthread(struct task_struct *p)
+{
+ void *kthread = (__force void *)p->set_child_tid;
+ if (kthread && !(p->flags & PF_KTHREAD))
+ kthread = NULL;
+ return kthread;
+}
+
void free_kthread_struct(struct task_struct *k)
{
struct kthread *kthread;
@@ -176,10 +195,11 @@ void *kthread_data(struct task_struct *t
*/
void *kthread_probe_data(struct task_struct *task)
{
- struct kthread *kthread = to_kthread(task);
+ struct kthread *kthread = __to_kthread(task);
void *data = NULL;
- probe_kernel_read(&data, &kthread->data, sizeof(data));
+ if (kthread)
+ probe_kernel_read(&data, &kthread->data, sizeof(data));
return data;
}
@@ -490,9 +510,9 @@ void kthread_set_per_cpu(struct task_str
set_bit(KTHREAD_IS_PER_CPU, &kthread->flags);
}
-bool kthread_is_per_cpu(struct task_struct *k)
+bool kthread_is_per_cpu(struct task_struct *p)
{
- struct kthread *kthread = to_kthread(k);
+ struct kthread *kthread = __to_kthread(p);
if (!kthread)
return false;
@@ -1272,11 +1292,9 @@ EXPORT_SYMBOL(kthread_destroy_worker);
*/
void kthread_associate_blkcg(struct cgroup_subsys_state *css)
{
- struct kthread *kthread;
+ struct kthread *kthread = __to_kthread(current);
+
- if (!(current->flags & PF_KTHREAD))
- return;
- kthread = to_kthread(current);
if (!kthread)
return;
@@ -1298,13 +1316,10 @@ EXPORT_SYMBOL(kthread_associate_blkcg);
*/
struct cgroup_subsys_state *kthread_blkcg(void)
{
- struct kthread *kthread;
+ struct kthread *kthread = __to_kthread(current);
- if (current->flags & PF_KTHREAD) {
- kthread = to_kthread(current);
- if (kthread)
- return kthread->blkcg_css;
- }
+ if (kthread)
+ return kthread->blkcg_css;
return NULL;
}
EXPORT_SYMBOL(kthread_blkcg);
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -7301,7 +7301,7 @@ int can_migrate_task(struct task_struct
return 0;
/* Disregard pcpu kthreads; they are where they need to be. */
- if ((p->flags & PF_KTHREAD) && kthread_is_per_cpu(p))
+ if (kthread_is_per_cpu(p))
return 0;
if (!cpumask_test_cpu(env->dst_cpu, p->cpus_ptr)) {
next prev parent reply other threads:[~2021-09-10 12:36 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-10 12:30 [PATCH 5.4 00/37] 5.4.145-rc1 review Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 01/37] ext4: fix race writing to an inline_data file while its xattrs are changing Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 02/37] fscrypt: add fscrypt_symlink_getattr() for computing st_size Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 03/37] ext4: report correct st_size for encrypted symlinks Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 04/37] f2fs: " Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 05/37] ubifs: " Greg Kroah-Hartman
2021-09-10 12:30 ` Greg Kroah-Hartman [this message]
2021-09-10 12:30 ` [PATCH 5.4 07/37] xtensa: fix kconfig unmet dependency warning for HAVE_FUTEX_CMPXCHG Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 08/37] gpu: ipu-v3: Fix i.MX IPU-v3 offset calculations for (semi)planar U/V formats Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 09/37] reset: reset-zynqmp: Fixed the argument data type Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 10/37] qed: Fix the VF msix vectors flow Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 11/37] net: macb: Add a NULL check on desc_ptp Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 12/37] qede: Fix memset corruption Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 13/37] perf/x86/intel/pt: Fix mask of num_address_ranges Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 14/37] perf/x86/amd/ibs: Work around erratum #1197 Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 15/37] perf/x86/amd/power: Assign pmu.module Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 16/37] cryptoloop: add a deprecation warning Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 17/37] ARM: 8918/2: only build return_address() if needed Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 18/37] ALSA: hda/realtek: Workaround for conflicting SSID on ASUS ROG Strix G17 Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 19/37] ALSA: pcm: fix divide error in snd_pcm_lib_ioctl Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 20/37] ARC: wireup clone3 syscall Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 21/37] media: stkwebcam: fix memory leak in stk_camera_probe Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 22/37] igmp: Add ip_mc_list lock in ip_check_mc_rcu Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 23/37] USB: serial: mos7720: improve OOM-handling in read_mos_reg() Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 24/37] ipv4/icmp: l3mdev: Perform icmp error route lookup on source device routing table (v2) Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 25/37] powerpc/boot: Delete unneeded .globl _zimage_start Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 26/37] net: ll_temac: Remove left-over debug message Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 27/37] mm/page_alloc: speed up the iteration of max_order Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 28/37] Revert "r8169: avoid link-up interrupt issue on RTL8106e if user enables ASPM" Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 29/37] x86/events/amd/iommu: Fix invalid Perf result due to IOMMU PMC power-gating Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 30/37] Revert "btrfs: compression: dont try to compress if we dont have enough pages" Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 31/37] ALSA: usb-audio: Add registration quirk for JBL Quantum 800 Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 32/37] usb: host: xhci-rcar: Dont reload firmware after the completion Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 33/37] usb: mtu3: use @mult for HS isoc or intr Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 34/37] usb: mtu3: fix the wrong HS mult value Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 35/37] xhci: fix unsafe memory usage in xhci tracing Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 36/37] x86/reboot: Limit Dell Optiplex 990 quirk to early BIOS versions Greg Kroah-Hartman
2021-09-10 12:30 ` [PATCH 5.4 37/37] PCI: Call Max Payload Size-related fixup quirks early Greg Kroah-Hartman
2021-09-10 18:45 ` [PATCH 5.4 00/37] 5.4.145-rc1 review Florian Fainelli
2021-09-10 23:18 ` Shuah Khan
2021-09-11 6:11 ` Samuel Zou
2021-09-11 15:58 ` Sudip Mukherjee
2021-09-11 19:37 ` Guenter Roeck
2021-09-12 0:50 ` Daniel Díaz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210910122917.386721069@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=Valentin.Schneider@arm.com \
--cc=bof@bof.de \
--cc=linux-kernel@vger.kernel.org \
--cc=peterz@infradead.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).