Date: Thu, 24 Aug 2023 16:31:42 +0200
From: Oleg Nesterov
To: Andrew Morton
Cc: "Eric W. Biederman", Linus Torvalds, peterz@redhat.com, linux-kernel@vger.kernel.org
Subject: [PATCH 1/2] introduce __next_thread(), fix next_tid() vs exec() race
Message-ID: <20230824143142.GA31222@redhat.com>
References: <20230824143112.GA31208@redhat.com>
In-Reply-To: <20230824143112.GA31208@redhat.com>

next_tid(start) does:

	rcu_read_lock();
	if (pid_alive(start)) {
		pos = next_thread(start);
		if (thread_group_leader(pos))
			pos = NULL;
		else
			get_task_struct(pos);

it should return pos = NULL when next_thread() wraps to the 1st thread
in the thread group, group leader, and the thread_group_leader() check
tries to detect this case.

But this can race with exec. To simplify, suppose we have a main thread
M and a single sub-thread T, next_tid(T) should return NULL.

Now suppose that T execs. If next_tid(T) is called after T changes the
leadership and before it does release_task() which removes the old leader
from list, then next_thread() returns M and thread_group_leader(M) = F.

Lockless use of next_thread() should be avoided. After this change only
task_group_seq_get_next() does this, and I believe it should be changed
as well.

Signed-off-by: Oleg Nesterov
---
 fs/proc/base.c               |  6 ++----
 include/linux/sched/signal.h | 11 +++++++++++
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/fs/proc/base.c b/fs/proc/base.c index 69dbb03ad55b..b9fb36cd5e9c 100644 --- a/fs/proc/base.c +++ b/fs/proc/base.c @@ -3838,10 +3838,8 @@ static struct task_struct *next_tid(struct task_stru= ct *start) struct task_struct *pos =3D NULL; rcu_read_lock(); if (pid_alive(start)) { - pos =3D next_thread(start); - if (thread_group_leader(pos)) - pos =3D NULL; - else + pos =3D __next_thread(start); + if (pos) get_task_struct(pos); } rcu_read_unlock(); diff --git a/include/linux/sched/signal.h b/include/linux/sched/signal.h index 0014d3adaf84..7fb34b8cda54 100644 --- a/include/linux/sched/signal.h +++ b/include/linux/sched/signal.h 
@@ -715,6 +715,17 @@ bool same_thread_group(struct task_struct *p1, struct = task_struct *p2) return p1->signal =3D=3D p2->signal; } =20 +/* + * returns NULL if p is the last thread in the thread group + */ +static inline struct task_struct *__next_thread(struct task_struct *p) +{ + return list_next_or_null_rcu(&p->signal->thread_head, + &p->thread_node, + struct task_struct, + thread_node); +} + static inline struct task_struct *next_thread(const struct task_struct *p) { return list_entry_rcu(p->thread_group.next, --=20 2.25.1.362.g51ebf55
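
Review bot: In the fs/proc/base.c hunk, the new "pos = __next_thread(start);" line in next_tid() has no comment saying why the end of the group is now detected by reaching the list head rather than by thread_group_leader(pos). A one-line comment at that call, noting that leadership can change under exec while the walk holds only rcu_read_lock(), would keep the leader check from being reintroduced later.
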
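
Review bot: The comment above __next_thread() in the include/linux/sched/signal.h hunk documents the NULL return but not the calling context. The body walks p->signal->thread_head with list_next_or_null_rcu(), so the comment should say that the caller must be inside an RCU read-side section or otherwise keep the list stable, and what it is expected to have checked about p first; next_tid() calls it only after pid_alive(start).
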
Date: Thu, 24 Aug 2023 16:32:01 +0200
From: Oleg Nesterov
To: Andrew Morton
Cc: "Eric W. Biederman", Linus Torvalds, peterz@redhat.com, linux-kernel@vger.kernel.org
Subject: [PATCH 2/2] change next_thread() to use __next_thread() ?: group_leader
Message-ID: <20230824143201.GB31222@redhat.com>
References: <20230824143112.GA31208@redhat.com>
In-Reply-To: <20230824143112.GA31208@redhat.com>

This relies on fact that group leader is always the 1st entry in the
signal->thread_head list.

With or without this change, if the lockless next_thread(last_thread)
races with exec it can return the old or the new leader.

We are almost ready to kill task->thread_group, after this change its
only user is thread_group_empty().

Signed-off-by: Oleg Nesterov
---
 include/linux/sched/signal.h | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/include/linux/sched/signal.h b/include/linux/sched/signal.h index 7fb34b8cda54..cffc882d367f 100644 --- a/include/linux/sched/signal.h +++ b/include/linux/sched/signal.h @@ -726,10 +726,9 @@ static inline struct task_struct *__next_thread(struct= task_struct *p) thread_node); } =20 -static inline struct task_struct *next_thread(const struct task_struct *p) +static inline struct task_struct *next_thread(struct task_struct *p) { - return list_entry_rcu(p->thread_group.next, - struct task_struct, thread_group); + return __next_thread(p) ?: p->group_leader; } =20 static inline int thread_group_empty(struct task_struct *p) --=20 2.25.1.362.g51ebf55
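
Review bot: The next_thread() prototype in this hunk drops const from its parameter ("const struct task_struct *p" becomes "struct task_struct *p"), and the changelog does not mention it. Please note the prototype change in the changelog and confirm that no caller passes a const pointer. A comment above next_thread() stating that the "?: p->group_leader" fallback relies on the leader being the first entry of signal->thread_head would also put that assumption next to the code that depends on it.
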
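
The exec race described in the [PATCH 1/2] changelog, modeled in userspace as an added example (not kernel code and not part of the patches). The struct layouts, the leader flag and the helper names are simplified stand-ins, and the M/T scenario is constructed from the changelog's description.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Userspace model; these types are simplified stand-ins, not the kernel's. */
struct list_head { struct list_head *next; };
struct signal { struct list_head thread_head; };
struct task {
    const char *name;
    int leader;                    /* models thread_group_leader() */
    struct signal *signal;
    struct list_head thread_group; /* headless ring through all threads */
    struct list_head thread_node;  /* list anchored at signal->thread_head */
};
#define task_of(ptr, member) \
    ((struct task *)((char *)(ptr) - offsetof(struct task, member)))

/* Pre-patch next_tid(): the end of the group is "next is the leader". */
static struct task *next_tid_old(struct task *start)
{
    struct task *pos = task_of(start->thread_group.next, thread_group);
    return pos->leader ? NULL : pos;
}
/* Patched next_tid(): the end of the group is "next is the list head". */
static struct task *next_tid_new(struct task *start)
{
    struct list_head *next = start->thread_node.next;
    return next == &start->signal->thread_head ? NULL : task_of(next, thread_node);
}
/* Constructed scenario: main thread M, sub-thread T. mid_exec models the
 * window after T took leadership and before M was removed from the lists. */
static const char *next_tid_from_t(int mid_exec, int patched)
{
    struct signal sig;
    struct task m = { "M", !mid_exec, &sig }, t = { "T", mid_exec, &sig };
    struct task *pos;

    m.thread_group.next = &t.thread_group;  /* ring: M -> T -> M */
    t.thread_group.next = &m.thread_group;
    sig.thread_head.next = &m.thread_node;  /* head -> M -> T -> head */
    m.thread_node.next = &t.thread_node;
    t.thread_node.next = &sig.thread_head;
    pos = patched ? next_tid_new(&t) : next_tid_old(&t);
    return pos ? pos->name : "NULL";
}
int main(void)
{
    for (int e = 0; e < 2; e++)
        printf("mid_exec=%d old=%s patched=%s\n", e,
               next_tid_from_t(e, 0), next_tid_from_t(e, 1));
    return 0;
}
```

In the mid-exec window the leader-based check hands back M instead of NULL, while the head-based check gives NULL in both states.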