Home » Mailing list archives » linux-kernel » 2008 » April » 29

[13/37] cgroup: fix a race condition in manipulating tsk->cg_list

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
[view in full thread]
From: Greg KH
Subject: [13/37] cgroup: fix a race condition in manipulating tsk->cg_list
Date: Tuesday, April 29, 2008 - 10:18 am

2.6.25-stable review patch.  If anyone has any objections, please let us
know.

------------------
From: Li Zefan <lizf@cn.fujitsu.com>

commit: 0e04388f0189fa1f6812a8e1cb6172136eada87e

When I ran a test program to fork mass processes and at the same time
'cat /cgroup/tasks', I got the following oops:

  ------------[ cut here ]------------
  kernel BUG at lib/list_debug.c:72!
  invalid opcode: 0000 [#1] SMP
  Pid: 4178, comm: a.out Not tainted (2.6.25-rc9 #72)
  ...
  Call Trace:
   [<c044a5f9>] ? cgroup_exit+0x55/0x94
   [<c0427acf>] ? do_exit+0x217/0x5ba
   [<c0427ed7>] ? do_group_exit+0.65/0x7c
   [<c0427efd>] ? sys_exit_group+0xf/0x11
   [<c0404842>] ? syscall_call+0x7/0xb
   [<c05e0000>] ? init_cyrix+0x2fa/0x479
  ...
  EIP: [<c04df671>] list_del+0x35/0x53 SS:ESP 0068:ebc7df4
  ---[ end trace caffb7332252612b ]---
  Fixing recursive fault but reboot is needed!

After digging into the code and debugging, I finlly found out a race
situation:

				do_exit()
				  ->cgroup_exit()
				    ->if (!list_empty(&tsk->cg_list))
				        list_del(&tsk->cg_list);

  cgroup_iter_start()
    ->cgroup_enable_task_cg_list()
      ->list_add(&tsk->cg_list, ..);

In this case the list won't be deleted though the process has exited.

We got two bug reports in the past, which seem to be the same bug as
this one:
	http://lkml.org/lkml/2008/3/5/332
	http://lkml.org/lkml/2007/10/17/224

Actually sometimes I got oops on list_del, sometimes oops on list_add.
And I can change my test program a bit to trigger other oops.

The patch has been tested both on x86_32 and x86_64.

Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
Acked-by: Paul Menage <menage@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 kernel/cgroup.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -1722,7 +1722,12 @@ void cgroup_enable_task_cg_lists(void)
 	use_task_css_set_links = 1;
 	do_each_thread(g, p) {
 		task_lock(p);
-		if (list_empty(&p->cg_list))
+		/*
+		 * We should check if the process is exiting, otherwise
+		 * it will race with cgroup_exit() in that the list
+		 * entry won't be deleted though the process has exited.
+		 */
+		if (!(p->flags & PF_EXITING) && list_empty(&p->cg_list))
 			list_add(&p->cg_list, &p->cgroups->tasks);
 		task_unlock(p);
 	} while_each_thread(g, p);

-- 
--
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
Messages in current thread:
[00/37] 2.6.25-stable review, Greg KH, (Tue Apr 29, 10:17 am)
[01/37] USB: log an error message when USB enumeration fails, Greg KH, (Tue Apr 29, 10:17 am)
[02/37] USB: Add HP hs2300 Broadband Wireless Module to si ..., Greg KH, (Tue Apr 29, 10:17 am)
[03/37] JFFS2: Fix free space leak with in-band cleanmarkers, Greg KH, (Tue Apr 29, 10:17 am)
[04/37] tg3: 5701 DMA corruption fix, Greg KH, (Tue Apr 29, 10:18 am)
[05/37] tcp: tcp_probe buffer overflow and incorrect retur ..., Greg KH, (Tue Apr 29, 10:18 am)
[07/37] RTNETLINK: Fix bogus ASSERT_RTNL warning, Greg KH, (Tue Apr 29, 10:18 am)
[08/37] rose: Socket lock was not released before returnin ..., Greg KH, (Tue Apr 29, 10:18 am)
[09/37] net: Fix wrong interpretation of some copy_to_user ..., Greg KH, (Tue Apr 29, 10:18 am)
[10/37] IPSEC: Fix catch-22 with algorithm IDs above 31, Greg KH, (Tue Apr 29, 10:18 am)
[11/37] USB: OHCI: fix bug in controller resume, Greg KH, (Tue Apr 29, 10:18 am)
[12/37] dm snapshot: fix chunksize sector conversion, Greg KH, (Tue Apr 29, 10:18 am)
[13/37] cgroup: fix a race condition in manipulating tsk-> ..., Greg KH, (Tue Apr 29, 10:18 am)
[14/37] RDMA/nes: Free IRQ before killing tasklet, Greg KH, (Tue Apr 29, 10:18 am)
[15/37] V4L: Fix VIDIOCGAP corruption in ivtv, Greg KH, (Tue Apr 29, 10:18 am)
[16/37] V4L: tea5761: bugzilla #10462: tea5761 autodetecti ..., Greg KH, (Tue Apr 29, 10:18 am)
[17/37] V4L: cx88: enable radio GPIO correctly, Greg KH, (Tue Apr 29, 10:18 am)
[18/37] S2io: Fix memory leak during free_tx_buffers, Greg KH, (Tue Apr 29, 10:18 am)
[19/37] S2io: Version update for memory leak fix during fr ..., Greg KH, (Tue Apr 29, 10:18 am)
[20/37] SELinux: no BUG_ON(!ss_initialized) in selinux_clo ..., Greg KH, (Tue Apr 29, 10:18 am)
[21/37] x86, pci: fix off-by-one errors in some pirq warnings, Greg KH, (Tue Apr 29, 10:18 am)
[22/37] ssb: Fix all-ones boardflags, Greg KH, (Tue Apr 29, 10:18 am)
[23/37] b43: Workaround invalid bluetooth settings, Greg KH, (Tue Apr 29, 10:18 am)
[24/37] b43: Add more btcoexist workarounds, Greg KH, (Tue Apr 29, 10:18 am)
[25/37] b43: Workaround DMA quirks, Greg KH, (Tue Apr 29, 10:18 am)
[26/37] tehuti: check register size (CVE-2008-1675), Greg KH, (Tue Apr 29, 10:18 am)
[27/37] tehuti: move ioctl perm check closer to function s ..., Greg KH, (Tue Apr 29, 10:19 am)
[28/37] aio: io_getevents() should return if io_destroy() ..., Greg KH, (Tue Apr 29, 10:19 am)
[29/37] rtc-pcf8583 build fix, Greg KH, (Tue Apr 29, 10:19 am)
[30/37] dz: test after postfix decrement fails in dz_conso ..., Greg KH, (Tue Apr 29, 10:19 am)
[31/37] mm: fix possible off-by-one in walk_pte_range(), Greg KH, (Tue Apr 29, 10:19 am)
[32/37] hrtimer: timeout too long when using HRTIMER_CB_SO ..., Greg KH, (Tue Apr 29, 10:19 am)
[33/37] RDMA/nes: Fix adapter reset after PXE boot, Greg KH, (Tue Apr 29, 10:19 am)
[34/37] SCSI: qla2xxx: Correct regression in relogin code., Greg KH, (Tue Apr 29, 10:19 am)
[35/37] alpha: unbreak OSF/1 (a.out) binaries, Greg KH, (Tue Apr 29, 10:19 am)
[36/37] x86: Fix 32-bit x86 MSI-X allocation leakage, Greg KH, (Tue Apr 29, 10:19 am)
[37/37] hrtimer: raise softirq unlocked to avoid circular ..., Greg KH, (Tue Apr 29, 10:19 am)
Re: [27/37] tehuti: move ioctl perm check closer to functi ..., Alan Cox, (Tue Apr 29, 11:13 am)
Re: [27/37] tehuti: move ioctl perm check closer to functi ..., Greg KH, (Tue Apr 29, 11:55 am)
Re: [27/37] tehuti: move ioctl perm check closer to functi ..., Linus Torvalds, (Tue Apr 29, 12:02 pm)
Re: [00/37] 2.6.25-stable review, Andre Noll, (Wed Apr 30, 12:58 am)
Re: [stable] [27/37] tehuti: move ioctl perm check closer ..., Greg KH, (Wed Apr 30, 9:39 am)
Re: [stable] [00/37] 2.6.25-stable review, Chris Wright, (Wed Apr 30, 5:25 pm)