original_kernel/kernel
Paul Jackson 181b648036 [PATCH] cpuset: fix obscure attach_task vs exiting race
Fix obscure race condition in kernel/cpuset.c attach_task() code.

There is basically zero chance of anyone accidentally being harmed by this
race.

It requires a special 'micro-stress' load and special timing loop hacks
in the kernel to hit in less than an hour, and even then you'd have to hit
it hundreds or thousands of times, followed by some unusual and senseless
cpuset configuration requests, including removing the top cpuset, to cause
any visible harmful effects.

One could, with perhaps a few days or weeks of such effort, get the
reference count on the top cpuset below zero, and manage to crash the
kernel by asking to remove the top cpuset.

I found it by code inspection.

The race was introduced when 'the_top_cpuset_hack' was introduced, and one
piece of code was not updated.  An old check for a possibly null task
cpuset pointer needed to be changed to a check for a task marked
PF_EXITING.  The pointer can't be null anymore, thanks to
the_top_cpuset_hack (documented in kernel/cpuset.c).  But the task could
have gone into PF_EXITING state after it was found in the task_list scan.

If a task is PF_EXITING in this code, it is possible that its task->cpuset
pointer is pointing to the top cpuset due to the_top_cpuset_hack, rather
than because the top_cpuset was that task's last valid cpuset.  In that
case, the wrong cpuset reference counter would be decremented.

The fix is trivial.  Instead of failing the system call if the task's cpuset
pointer is null here, fail it if the task is in PF_EXITING state.

The code for 'the_top_cpuset_hack' that changes an exiting task's cpuset to
the top_cpuset is done without locking, so could happen at any time.  But it
is done during the exit handling, after the PF_EXITING flag is set.  So if
we verify that a task is still not PF_EXITING after we copy out its cpuset
pointer (into 'oldcs', below), we know that 'oldcs' is not one of these
hack references to the top_cpuset.

Signed-off-by: Paul Jackson <pj@sgi.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-09-29 09:18:25 -07:00
irq [PATCH] irq: remove a extra line 2006-09-29 09:18:07 -07:00
power Merge master.kernel.org:/pub/scm/linux/kernel/git/gregkh/driver-2.6 2006-09-26 11:49:46 -07:00
time
.gitignore
Kconfig.hz
Kconfig.preempt
Makefile
acct.c [PATCH] audit/accounting: tty locking 2006-09-29 09:18:25 -07:00
audit.c [PATCH] selinux: rename selinux_ctxid_to_string 2006-09-26 08:48:52 -07:00
audit.h
auditfilter.c [PATCH] selinux: rename selinux_ctxid_to_string 2006-09-26 08:48:52 -07:00
auditsc.c [PATCH] audit/accounting: tty locking 2006-09-29 09:18:25 -07:00
capability.c [PATCH] pidspace: is_init() 2006-09-29 09:18:12 -07:00
compat.c [PATCH] posix-timers: Fix clock_nanosleep() doesn't return the remaining time in compatibility mode 2006-09-29 09:18:15 -07:00
configs.c
cpu.c [PATCH] Disable CPU hotplug during suspend 2006-09-26 08:48:59 -07:00
cpuset.c [PATCH] cpuset: fix obscure attach_task vs exiting race 2006-09-29 09:18:25 -07:00
delayacct.c
dma.c
exec_domain.c
exit.c [PATCH] introduce TASK_DEAD state 2006-09-29 09:18:21 -07:00
extable.c
fork.c [PATCH] copy_process: cosmetic ->ioprio tweak 2006-09-29 09:18:18 -07:00
futex.c [PATCH] sys_get_robust_list(): don't take tasklist_lock 2006-09-29 09:18:18 -07:00
futex_compat.c
hrtimer.c [PATCH] posix-timers: Fix clock_nanosleep() doesn't return the remaining time in compatibility mode 2006-09-29 09:18:15 -07:00
itimer.c
kallsyms.c
kexec.c [PATCH] kexec warning fix 2006-09-29 09:18:15 -07:00
kfifo.c [PATCH] memory ordering in __kfifo primitives 2006-09-29 09:18:13 -07:00
kmod.c [PATCH] Fix ____call_usermodehelper errors being silently ignored 2006-09-29 09:18:16 -07:00
kprobes.c
ksysfs.c
kthread.c
lockdep.c [PATCH] lockdep core: improve the lock-chain-hash 2006-09-29 09:18:25 -07:00
lockdep_internals.h
lockdep_proc.c
module.c [PATCH] /sys/modules: allow full length section names 2006-09-29 09:18:23 -07:00
mutex-debug.c
mutex-debug.h
mutex.c
mutex.h
panic.c [PATCH] Add the __stack_chk_fail() function 2006-09-26 10:52:39 +02:00
params.c [PATCH] module_subsys: initialize earlier 2006-09-29 09:18:08 -07:00
pid.c [PATCH] pid: remove temporary debug code in attach_pid 2006-09-27 08:26:19 -07:00
posix-cpu-timers.c [PATCH] posix-timers: Fix the flags handling in posix_cpu_nsleep() 2006-09-29 09:18:15 -07:00
posix-timers.c [PATCH] posix-timers: Fix clock_nanosleep() doesn't return the remaining time in compatibility mode 2006-09-29 09:18:15 -07:00
printk.c [PATCH] PM: make it possible to disable console suspending 2006-09-26 08:49:03 -07:00
profile.c [PATCH] Profiling: require buffer allocation on the correct node 2006-09-26 08:48:50 -07:00
ptrace.c [PATCH] pidspace: is_init() 2006-09-29 09:18:12 -07:00
rcupdate.c
rcutorture.c [PATCH] rcu: add lock annotations to rcu{,_bh}_torture_read_{lock,unlock} 2006-09-29 09:18:08 -07:00
relay.c [PATCH] kernel-doc for relay interface 2006-09-29 09:18:06 -07:00
resource.c Resources: insert identical resources above existing resources 2006-09-26 17:43:52 -07:00
rtmutex-debug.c
rtmutex-debug.h
rtmutex-tester.c
rtmutex.c [PATCH] clean up and remove some extra spinlocks from rtmutex 2006-09-29 09:18:09 -07:00
rtmutex.h
rtmutex_common.h
rwsem.c
sched.c [PATCH] introduce TASK_DEAD state 2006-09-29 09:18:21 -07:00
seccomp.c
signal.c [PATCH] __dequeue_signal() cleanup 2006-09-29 09:18:15 -07:00
softirq.c [PATCH] check return value of cpu_callback 2006-09-29 09:18:14 -07:00
softlockup.c [PATCH] check return value of cpu_callback 2006-09-29 09:18:14 -07:00
spinlock.c [PATCH] remove generic__raw_read_trylock() 2006-09-29 09:18:03 -07:00
stacktrace.c
stop_machine.c [PATCH] stop_machine.c copyright 2006-09-29 09:18:24 -07:00
sys.c [PATCH] kill extraneous printk in kernel_restart() 2006-09-29 09:18:16 -07:00
sys_ni.c
sysctl.c [PATCH] pidspace: is_init() 2006-09-29 09:18:12 -07:00
taskstats.c
time.c
timer.c [PATCH] simplify update_times (avoid jiffies/jiffies_64 aliasing problem) 2006-09-29 09:18:15 -07:00
uid16.c
unwind.c [PATCH] unwind: fix unused variable warning when !CONFIG_MODULES 2006-09-29 09:18:11 -07:00
user.c
wait.c
workqueue.c