From: Oleg Nesterov
To: Linus Torvalds
Cc: Andy Lutomirski, Andy Lutomirski, the arch/x86 maintainers, Linux Kernel Mailing List, linux-arch@vger.kernel.org, Borislav Petkov, Nadav Amit, Kees Cook, Brian Gerst, kernel-hardening@lists.openwall.com, Josh Poimboeuf, Jann Horn, Heiko Carstens
Subject: Re: [PATCH v3 00/13] Virtually mapped stacks with guard pages (x86, core)
Date: Thu, 23 Jun 2016 19:03:52 +0200
Message-ID: <20160623170352.GA17372@redhat.com>
References: <20160623143126.GA16664@redhat.com>

On 06/23, Linus Torvalds wrote:
>
> But that does bring up another possibility: do it at wait() time, when
> we do release_thread(). That's when we *used* to synchronously free
> it, before we did the lockless RCU walks.

Let me quote my previous email ;)

    And we can't free/nullify it when the parent/debugger reaps a zombie,
    say, mark_oom_victim() expects that get_task_struct() protects
    thread_info as well.

    probably we can fix all such users though...

> At that point, it has been removed from all the thread lists. So the
> only way to find it is through the RCU walks. Do any of *those* touch
> ti->flags? I'm not seeing it,

Neither am I, although I didn't try to grep too much.

> and it sounds fixable if any do

probably yes, but this would mean that tasklist_lock protects task->stack,
doesn't look really nice...

Oleg.
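A user-space model of the lifetime problem the thread is discussing, added here as an illustration and not code from the thread or from the kernel: a reference taken with get_task_struct() keeps task_struct alive, but if release_thread() frees the separately allocated stack/thread_info when the zombie is reaped, a holder such as mark_oom_victim() that still touches ti->flags needs the stack pointer nullified and checked. All structure and function names below are assumed simplifications; the comments note where the real kernel would need a lock that this model does not have.

```c
#include <stdlib.h>
#include <stdatomic.h>

#define TIF_MEMDIE 1UL   /* hypothetical flag bit for the model */

struct thread_info { unsigned long flags; };

struct task_struct {
    atomic_int usage;            /* refcount pinned by get_task_struct() */
    struct thread_info *stack;   /* separate allocation; NULL once released */
};

struct task_struct *task_create(void) {
    struct task_struct *t = calloc(1, sizeof *t);
    if (!t) return NULL;
    t->stack = calloc(1, sizeof *t->stack);
    if (!t->stack) { free(t); return NULL; }
    atomic_init(&t->usage, 1);
    return t;
}

void get_task_struct(struct task_struct *t) { atomic_fetch_add(&t->usage, 1); }

/* Drops one reference; frees task_struct (and any stack still attached)
 * only when the last reference goes away. Returns 1 if freed. */
int put_task_struct(struct task_struct *t) {
    if (atomic_fetch_sub(&t->usage, 1) != 1) return 0;
    free(t->stack);
    free(t);
    return 1;
}

/* Model of "free/nullify at wait() time": the stack goes away when the
 * parent reaps the zombie, even though other holders still own a reference.
 * In the kernel this store and every reader's check would need a common
 * lock (the thread speculates tasklist_lock); the model has none. */
void release_thread(struct task_struct *t) { free(t->stack); t->stack = NULL; }

/* A mark_oom_victim()-like user that only holds a task reference. Without
 * the NULL check it would write into freed memory after release_thread(). */
int set_tif_flag(struct task_struct *t, unsigned long flag) {
    if (!t->stack) return -1;    /* thread_info already released */
    t->stack->flags |= flag;
    return 0;
}

/* Walks the scenario: pin the task, set a flag, reap, try again, unpin. */
int demo(void) {
    struct task_struct *t = task_create();
    if (!t) return 0;
    get_task_struct(t);                                /* OOM killer pins it */
    int before = set_tif_flag(t, TIF_MEMDIE);          /* 0: stack valid */
    release_thread(t);                                 /* parent reaps it */
    int after = set_tif_flag(t, TIF_MEMDIE);           /* -1: stack gone */
    int freed = put_task_struct(t) == 0 && put_task_struct(t) == 1;
    return before == 0 && after == -1 && freed;
}
```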