summaryrefslogtreecommitdiffstats
path: root/kernel/user_namespace.c
diff options
context:
space:
mode:
authorSuren Baghdasaryan <surenb@google.com>2019-07-17 19:21:00 +0200
committerChristian Brauner <christian@brauner.io>2019-07-22 16:02:03 +0200
commitb191d6491be67cef2b3fa83015561caca1394ab9 (patch)
tree6be65f501b18e03aeb3c456f87a36b04dc45043b /kernel/user_namespace.c
parentLinus 5.3-rc1 (diff)
downloadlinux-b191d6491be67cef2b3fa83015561caca1394ab9.tar.xz
linux-b191d6491be67cef2b3fa83015561caca1394ab9.zip
pidfd: fix a poll race when setting exit_state
There is a race between reading task->exit_state in pidfd_poll and writing it after do_notify_parent calls do_notify_pidfd. Expected sequence of events is: CPU 0 CPU 1 ------------------------------------------------ exit_notify do_notify_parent do_notify_pidfd tsk->exit_state = EXIT_DEAD pidfd_poll if (tsk->exit_state) However nothing prevents the following sequence: CPU 0 CPU 1 ------------------------------------------------ exit_notify do_notify_parent do_notify_pidfd pidfd_poll if (tsk->exit_state) tsk->exit_state = EXIT_DEAD This causes a polling task to wait forever, since poll blocks because exit_state is 0 and the waiting task is not notified again. A stress test continuously doing pidfd poll and process exits uncovered this bug. To fix it, we make sure that the task's exit_state is always set before calling do_notify_pidfd. Fixes: b53b0b9d9a6 ("pidfd: add polling support") Cc: kernel-team@android.com Cc: Oleg Nesterov <oleg@redhat.com> Signed-off-by: Suren Baghdasaryan <surenb@google.com> Signed-off-by: Joel Fernandes (Google) <joel@joelfernandes.org> Link: https://lore.kernel.org/r/20190717172100.261204-1-joel@joelfernandes.org [christian@brauner.io: adapt commit message and drop unneeded changes from wait_task_zombie] Signed-off-by: Christian Brauner <christian@brauner.io>
Diffstat (limited to 'kernel/user_namespace.c')
0 files changed, 0 insertions, 0 deletions