Re: [PATCH] posix-cpu-timers: fix nanosleep task_struct leak

From: Stanislaw Gruszka <sgruszka@redhat.com>
To: Oleg Nesterov <oleg@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>,
	LKML <linux-kernel@vger.kernel.org>,
	Dave Jones <davej@redhat.com>,
	John Stultz <john.stultz@linaro.org>,
	Tommi Rantala <tt.rantala@gmail.com>
Subject: Re: [PATCH] posix-cpu-timers: fix nanosleep task_struct leak
Date: Thu, 7 Feb 2013 13:22:13 +0100	[thread overview]
Message-ID: <20130207122212.GA2668@redhat.com> (raw)
In-Reply-To: <20130206161011.GA11161@redhat.com>

On Wed, Feb 06, 2013 at 05:10:11PM +0100, Oleg Nesterov wrote:
> First of all, thank you so much. I knew it was a good idea to cc you ;)

:-)

> On 02/06, Stanislaw Gruszka wrote:
> >
> > In do_cpu_nanosleep() we do posix_cpu_timer_create(), but forgot
> > corresponding posix_cpu_timer_del(), what lead to task_struct leak.
> 
> Plus, it seems we can leave the timer on ->cpu_timers list...
> 
> > @@ -1403,6 +1403,7 @@ static int do_cpu_nanosleep(const clockid_t which_clock, int flags,
> >  				/*
> >  				 * Our timer fired and was reset.
> >  				 */
> > +				posix_cpu_timer_del(&timer);
> >  				spin_unlock_irq(&timer.it_lock);
> >  				return 0;
> >  			}
> > @@ -1420,9 +1421,17 @@ static int do_cpu_nanosleep(const clockid_t which_clock, int flags,
> >  		 * We were interrupted by a signal.
> >  		 */
> >  		sample_to_timespec(which_clock, timer.it.cpu.expires, rqtp);
> > -		posix_cpu_timer_set(&timer, 0, &zero_it, it);
> > +		error = posix_cpu_timer_set(&timer, 0, &zero_it, it);
> > +		if (!error)
> > +			posix_cpu_timer_del(&timer);
> >  		spin_unlock_irq(&timer.it_lock);
> >
> > +		while (error == TIMER_RETRY) {
> > +			spin_lock_irq(&timer.it_lock);
> > +			error = posix_cpu_timer_del(&timer);
> 
> It is not clear to me why other posix_cpu_timer_del's above can't fail..
> May be you can add a comment.

Sure, I'll add more comments.

Once posix_cpu_timer_set(..., &zero_it, it) succeed with 0 return value,
it's not possible to fire timer, so posix_cpu_timer_del() will not fail.
Similar assumption is with first posix_cpu_timer_del() call I added
in the patch.

> And I am not sure that TIMER_RETRY is the only error we should worry.
> And perhaps we need even more posix_cpu_timer_del's?
>
> For example. Suppose that posix_cpu_timer_create() succeeds and does
> get_task_struct(p). But than p dies, and the first posix_cpu_timer_set()
> fails with -ESRCH. No?

On second -ESRCH case posix_cpu_timer_set() internally call
put_task_struct(). It does not remove from cpu_timers list, but
that is done at exit(). First -ESRCH case, i.e. calling
posix_cpu_timer_set() with timer->it.cpu.task == NULL, is not possible
in our case.

BTW: I don't think we handle correctly case when traced process -
- timer->it.cpu.task will die. Tracing process - timer->it_process will
probably not be woken up.

Stanislaw