2019-05-19 12:08:55 +00:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-only
|
2005-04-16 22:20:36 +00:00
|
|
|
/*
|
|
|
|
* linux/kernel/exit.c
|
|
|
|
*
|
|
|
|
* Copyright (C) 1991, 1992 Linus Torvalds
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <linux/mm.h>
|
|
|
|
#include <linux/slab.h>
|
2017-02-08 17:51:29 +00:00
|
|
|
#include <linux/sched/autogroup.h>
|
2017-02-08 17:51:29 +00:00
|
|
|
#include <linux/sched/mm.h>
|
2017-02-08 17:51:35 +00:00
|
|
|
#include <linux/sched/stat.h>
|
2017-02-08 17:51:36 +00:00
|
|
|
#include <linux/sched/task.h>
|
2017-02-08 17:51:37 +00:00
|
|
|
#include <linux/sched/task_stack.h>
|
2017-02-05 10:48:36 +00:00
|
|
|
#include <linux/sched/cputime.h>
|
2005-04-16 22:20:36 +00:00
|
|
|
#include <linux/interrupt.h>
|
|
|
|
#include <linux/module.h>
|
2006-01-11 20:17:46 +00:00
|
|
|
#include <linux/capability.h>
|
2005-04-16 22:20:36 +00:00
|
|
|
#include <linux/completion.h>
|
|
|
|
#include <linux/personality.h>
|
|
|
|
#include <linux/tty.h>
|
2008-06-30 18:42:08 +00:00
|
|
|
#include <linux/iocontext.h>
|
2005-04-16 22:20:36 +00:00
|
|
|
#include <linux/key.h>
|
|
|
|
#include <linux/cpu.h>
|
|
|
|
#include <linux/acct.h>
|
2006-10-01 06:28:59 +00:00
|
|
|
#include <linux/tsacct_kern.h>
|
2005-04-16 22:20:36 +00:00
|
|
|
#include <linux/file.h>
|
2013-02-28 01:03:20 +00:00
|
|
|
#include <linux/freezer.h>
|
2005-04-16 22:20:36 +00:00
|
|
|
#include <linux/binfmts.h>
|
2006-10-02 09:18:06 +00:00
|
|
|
#include <linux/nsproxy.h>
|
2006-12-08 10:38:01 +00:00
|
|
|
#include <linux/pid_namespace.h>
|
2005-04-16 22:20:36 +00:00
|
|
|
#include <linux/ptrace.h>
|
|
|
|
#include <linux/profile.h>
|
|
|
|
#include <linux/mount.h>
|
|
|
|
#include <linux/proc_fs.h>
|
2007-05-09 09:34:33 +00:00
|
|
|
#include <linux/kthread.h>
|
2005-04-16 22:20:36 +00:00
|
|
|
#include <linux/mempolicy.h>
|
2006-07-14 07:24:40 +00:00
|
|
|
#include <linux/taskstats_kern.h>
|
2006-07-14 07:24:36 +00:00
|
|
|
#include <linux/delayacct.h>
|
2007-10-19 06:39:33 +00:00
|
|
|
#include <linux/cgroup.h>
|
2005-04-16 22:20:36 +00:00
|
|
|
#include <linux/syscalls.h>
|
2005-05-01 15:59:14 +00:00
|
|
|
#include <linux/signal.h>
|
2006-03-29 00:11:18 +00:00
|
|
|
#include <linux/posix-timers.h>
|
2005-11-07 08:59:16 +00:00
|
|
|
#include <linux/cn_proc.h>
|
2006-01-09 23:59:21 +00:00
|
|
|
#include <linux/mutex.h>
|
2006-03-27 09:16:22 +00:00
|
|
|
#include <linux/futex.h>
|
2006-04-11 11:52:07 +00:00
|
|
|
#include <linux/pipe_fs_i.h>
|
2006-03-30 01:30:19 +00:00
|
|
|
#include <linux/audit.h> /* for audit_free() */
|
2006-06-25 12:47:41 +00:00
|
|
|
#include <linux/resource.h>
|
2007-05-11 05:22:37 +00:00
|
|
|
#include <linux/task_io_accounting_ops.h>
|
2022-02-09 18:47:08 +00:00
|
|
|
#include <linux/blkdev.h>
|
|
|
|
#include <linux/task_work.h>
|
2009-03-29 23:50:06 +00:00
|
|
|
#include <linux/fs_struct.h>
|
CRED: Inaugurate COW credentials
Inaugurate copy-on-write credentials management. This uses RCU to manage the
credentials pointer in the task_struct with respect to accesses by other tasks.
A process may only modify its own credentials, and so does not need locking to
access or modify its own credentials.
A mutex (cred_replace_mutex) is added to the task_struct to control the effect
of PTRACE_ATTACHED on credential calculations, particularly with respect to
execve().
With this patch, the contents of an active credentials struct may not be
changed directly; rather a new set of credentials must be prepared, modified
and committed using something like the following sequence of events:
struct cred *new = prepare_creds();
int ret = blah(new);
if (ret < 0) {
abort_creds(new);
return ret;
}
return commit_creds(new);
There are some exceptions to this rule: the keyrings pointed to by the active
credentials may be instantiated - keyrings violate the COW rule as managing
COW keyrings is tricky, given that it is possible for a task to directly alter
the keys in a keyring in use by another task.
To help enforce this, various pointers to sets of credentials, such as those in
the task_struct, are declared const. The purpose of this is compile-time
discouragement of altering credentials through those pointers. Once a set of
credentials has been made public through one of these pointers, it may not be
modified, except under special circumstances:
(1) Its reference count may incremented and decremented.
(2) The keyrings to which it points may be modified, but not replaced.
The only safe way to modify anything else is to create a replacement and commit
using the functions described in Documentation/credentials.txt (which will be
added by a later patch).
This patch and the preceding patches have been tested with the LTP SELinux
testsuite.
This patch makes several logical sets of alteration:
(1) execve().
This now prepares and commits credentials in various places in the
security code rather than altering the current creds directly.
(2) Temporary credential overrides.
do_coredump() and sys_faccessat() now prepare their own credentials and
temporarily override the ones currently on the acting thread, whilst
preventing interference from other threads by holding cred_replace_mutex
on the thread being dumped.
This will be replaced in a future patch by something that hands down the
credentials directly to the functions being called, rather than altering
the task's objective credentials.
(3) LSM interface.
A number of functions have been changed, added or removed:
(*) security_capset_check(), ->capset_check()
(*) security_capset_set(), ->capset_set()
Removed in favour of security_capset().
(*) security_capset(), ->capset()
New. This is passed a pointer to the new creds, a pointer to the old
creds and the proposed capability sets. It should fill in the new
creds or return an error. All pointers, barring the pointer to the
new creds, are now const.
(*) security_bprm_apply_creds(), ->bprm_apply_creds()
Changed; now returns a value, which will cause the process to be
killed if it's an error.
(*) security_task_alloc(), ->task_alloc_security()
Removed in favour of security_prepare_creds().
(*) security_cred_free(), ->cred_free()
New. Free security data attached to cred->security.
(*) security_prepare_creds(), ->cred_prepare()
New. Duplicate any security data attached to cred->security.
(*) security_commit_creds(), ->cred_commit()
New. Apply any security effects for the upcoming installation of new
security by commit_creds().
(*) security_task_post_setuid(), ->task_post_setuid()
Removed in favour of security_task_fix_setuid().
(*) security_task_fix_setuid(), ->task_fix_setuid()
Fix up the proposed new credentials for setuid(). This is used by
cap_set_fix_setuid() to implicitly adjust capabilities in line with
setuid() changes. Changes are made to the new credentials, rather
than the task itself as in security_task_post_setuid().
(*) security_task_reparent_to_init(), ->task_reparent_to_init()
Removed. Instead the task being reparented to init is referred
directly to init's credentials.
NOTE! This results in the loss of some state: SELinux's osid no
longer records the sid of the thread that forked it.
(*) security_key_alloc(), ->key_alloc()
(*) security_key_permission(), ->key_permission()
Changed. These now take cred pointers rather than task pointers to
refer to the security context.
(4) sys_capset().
This has been simplified and uses less locking. The LSM functions it
calls have been merged.
(5) reparent_to_kthreadd().
This gives the current thread the same credentials as init by simply using
commit_thread() to point that way.
(6) __sigqueue_alloc() and switch_uid()
__sigqueue_alloc() can't stop the target task from changing its creds
beneath it, so this function gets a reference to the currently applicable
user_struct which it then passes into the sigqueue struct it returns if
successful.
switch_uid() is now called from commit_creds(), and possibly should be
folded into that. commit_creds() should take care of protecting
__sigqueue_alloc().
(7) [sg]et[ug]id() and co and [sg]et_current_groups.
The set functions now all use prepare_creds(), commit_creds() and
abort_creds() to build and check a new set of credentials before applying
it.
security_task_set[ug]id() is called inside the prepared section. This
guarantees that nothing else will affect the creds until we've finished.
The calling of set_dumpable() has been moved into commit_creds().
Much of the functionality of set_user() has been moved into
commit_creds().
The get functions all simply access the data directly.
(8) security_task_prctl() and cap_task_prctl().
security_task_prctl() has been modified to return -ENOSYS if it doesn't
want to handle a function, or otherwise return the return value directly
rather than through an argument.
Additionally, cap_task_prctl() now prepares a new set of credentials, even
if it doesn't end up using it.
(9) Keyrings.
A number of changes have been made to the keyrings code:
(a) switch_uid_keyring(), copy_keys(), exit_keys() and suid_keys() have
all been dropped and built in to the credentials functions directly.
They may want separating out again later.
(b) key_alloc() and search_process_keyrings() now take a cred pointer
rather than a task pointer to specify the security context.
(c) copy_creds() gives a new thread within the same thread group a new
thread keyring if its parent had one, otherwise it discards the thread
keyring.
(d) The authorisation key now points directly to the credentials to extend
the search into rather pointing to the task that carries them.
(e) Installing thread, process or session keyrings causes a new set of
credentials to be created, even though it's not strictly necessary for
process or session keyrings (they're shared).
(10) Usermode helper.
The usermode helper code now carries a cred struct pointer in its
subprocess_info struct instead of a new session keyring pointer. This set
of credentials is derived from init_cred and installed on the new process
after it has been cloned.
call_usermodehelper_setup() allocates the new credentials and
call_usermodehelper_freeinfo() discards them if they haven't been used. A
special cred function (prepare_usermodeinfo_creds()) is provided
specifically for call_usermodehelper_setup() to call.
call_usermodehelper_setkeys() adjusts the credentials to sport the
supplied keyring as the new session keyring.
(11) SELinux.
SELinux has a number of changes, in addition to those to support the LSM
interface changes mentioned above:
(a) selinux_setprocattr() no longer does its check for whether the
current ptracer can access processes with the new SID inside the lock
that covers getting the ptracer's SID. Whilst this lock ensures that
the check is done with the ptracer pinned, the result is only valid
until the lock is released, so there's no point doing it inside the
lock.
(12) is_single_threaded().
This function has been extracted from selinux_setprocattr() and put into
a file of its own in the lib/ directory as join_session_keyring() now
wants to use it too.
The code in SELinux just checked to see whether a task shared mm_structs
with other tasks (CLONE_VM), but that isn't good enough. We really want
to know if they're part of the same thread group (CLONE_THREAD).
(13) nfsd.
The NFS server daemon now has to use the COW credentials to set the
credentials it is going to use. It really needs to pass the credentials
down to the functions it calls, but it can't do that until other patches
in this series have been applied.
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <jmorris@namei.org>
2008-11-13 23:39:23 +00:00
|
|
|
#include <linux/init_task.h>
|
perf: Do the big rename: Performance Counters -> Performance Events
Bye-bye Performance Counters, welcome Performance Events!
In the past few months the perfcounters subsystem has grown out its
initial role of counting hardware events, and has become (and is
becoming) a much broader generic event enumeration, reporting, logging,
monitoring, analysis facility.
Naming its core object 'perf_counter' and naming the subsystem
'perfcounters' has become more and more of a misnomer. With pending
code like hw-breakpoints support the 'counter' name is less and
less appropriate.
All in one, we've decided to rename the subsystem to 'performance
events' and to propagate this rename through all fields, variables
and API names. (in an ABI compatible fashion)
The word 'event' is also a bit shorter than 'counter' - which makes
it slightly more convenient to write/handle as well.
Thanks goes to Stephane Eranian who first observed this misnomer and
suggested a rename.
User-space tooling and ABI compatibility is not affected - this patch
should be function-invariant. (Also, defconfigs were not touched to
keep the size down.)
This patch has been generated via the following script:
FILES=$(find * -type f | grep -vE 'oprofile|[^K]config')
sed -i \
-e 's/PERF_EVENT_/PERF_RECORD_/g' \
-e 's/PERF_COUNTER/PERF_EVENT/g' \
-e 's/perf_counter/perf_event/g' \
-e 's/nb_counters/nb_events/g' \
-e 's/swcounter/swevent/g' \
-e 's/tpcounter_event/tp_event/g' \
$FILES
for N in $(find . -name perf_counter.[ch]); do
M=$(echo $N | sed 's/perf_counter/perf_event/g')
mv $N $M
done
FILES=$(find . -name perf_event.*)
sed -i \
-e 's/COUNTER_MASK/REG_MASK/g' \
-e 's/COUNTER/EVENT/g' \
-e 's/\<event\>/event_id/g' \
-e 's/counter/event/g' \
-e 's/Counter/Event/g' \
$FILES
... to keep it as correct as possible. This script can also be
used by anyone who has pending perfcounters patches - it converts
a Linux kernel tree over to the new naming. We tried to time this
change to the point in time where the amount of pending patches
is the smallest: the end of the merge window.
Namespace clashes were fixed up in a preparatory patch - and some
stylistic fallout will be fixed up in a subsequent patch.
( NOTE: 'counters' are still the proper terminology when we deal
with hardware registers - and these sed scripts are a bit
over-eager in renaming them. I've undone some of that, but
in case there's something left where 'counter' would be
better than 'event' we can undo that on an individual basis
instead of touching an otherwise nicely automated patch. )
Suggested-by: Stephane Eranian <eranian@google.com>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Acked-by: Paul Mackerras <paulus@samba.org>
Reviewed-by: Arjan van de Ven <arjan@linux.intel.com>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: David Howells <dhowells@redhat.com>
Cc: Kyle McMartin <kyle@mcmartin.ca>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: <linux-arch@vger.kernel.org>
LKML-Reference: <new-submission>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2009-09-21 10:02:48 +00:00
|
|
|
#include <linux/perf_event.h>
|
2009-04-14 23:39:12 +00:00
|
|
|
#include <trace/events/sched.h>
|
2009-09-09 17:22:48 +00:00
|
|
|
#include <linux/hw_breakpoint.h>
|
2010-10-26 21:21:23 +00:00
|
|
|
#include <linux/oom.h>
|
2011-04-05 19:21:19 +00:00
|
|
|
#include <linux/writeback.h>
|
2012-02-13 03:58:52 +00:00
|
|
|
#include <linux/shm.h>
|
kernel: add kcov code coverage
kcov provides code coverage collection for coverage-guided fuzzing
(randomized testing). Coverage-guided fuzzing is a testing technique
that uses coverage feedback to determine new interesting inputs to a
system. A notable user-space example is AFL
(http://lcamtuf.coredump.cx/afl/). However, this technique is not
widely used for kernel testing due to missing compiler and kernel
support.
kcov does not aim to collect as much coverage as possible. It aims to
collect more or less stable coverage that is function of syscall inputs.
To achieve this goal it does not collect coverage in soft/hard
interrupts and instrumentation of some inherently non-deterministic or
non-interesting parts of kernel is disbled (e.g. scheduler, locking).
Currently there is a single coverage collection mode (tracing), but the
API anticipates additional collection modes. Initially I also
implemented a second mode which exposes coverage in a fixed-size hash
table of counters (what Quentin used in his original patch). I've
dropped the second mode for simplicity.
This patch adds the necessary support on kernel side. The complimentary
compiler support was added in gcc revision 231296.
We've used this support to build syzkaller system call fuzzer, which has
found 90 kernel bugs in just 2 months:
https://github.com/google/syzkaller/wiki/Found-Bugs
We've also found 30+ bugs in our internal systems with syzkaller.
Another (yet unexplored) direction where kcov coverage would greatly
help is more traditional "blob mutation". For example, mounting a
random blob as a filesystem, or receiving a random blob over wire.
Why not gcov. Typical fuzzing loop looks as follows: (1) reset
coverage, (2) execute a bit of code, (3) collect coverage, repeat. A
typical coverage can be just a dozen of basic blocks (e.g. an invalid
input). In such context gcov becomes prohibitively expensive as
reset/collect coverage steps depend on total number of basic
blocks/edges in program (in case of kernel it is about 2M). Cost of
kcov depends only on number of executed basic blocks/edges. On top of
that, kernel requires per-thread coverage because there are always
background threads and unrelated processes that also produce coverage.
With inlined gcov instrumentation per-thread coverage is not possible.
kcov exposes kernel PCs and control flow to user-space which is
insecure. But debugfs should not be mapped as user accessible.
Based on a patch by Quentin Casasnovas.
[akpm@linux-foundation.org: make task_struct.kcov_mode have type `enum kcov_mode']
[akpm@linux-foundation.org: unbreak allmodconfig]
[akpm@linux-foundation.org: follow x86 Makefile layout standards]
Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Cc: syzkaller <syzkaller@googlegroups.com>
Cc: Vegard Nossum <vegard.nossum@oracle.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Tavis Ormandy <taviso@google.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Cc: Kostya Serebryany <kcc@google.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Kees Cook <keescook@google.com>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: Sasha Levin <sasha.levin@oracle.com>
Cc: David Drysdale <drysdale@google.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Kirill A. Shutemov <kirill@shutemov.name>
Cc: Jiri Slaby <jslaby@suse.cz>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-03-22 21:27:30 +00:00
|
|
|
#include <linux/kcov.h>
|
2022-09-15 15:03:50 +00:00
|
|
|
#include <linux/kmsan.h>
|
2016-11-11 05:10:09 +00:00
|
|
|
#include <linux/random.h>
|
sched/wait, RCU: Introduce rcuwait machinery
rcuwait provides support for (single) RCU-safe task wait/wake functionality,
with the caveat that it must not be called after exit_notify(), such that
we avoid racing with rcu delayed_put_task_struct callbacks, task_struct
being rcu unaware in this context -- for which we similarly have
task_rcu_dereference() magic, but with different return semantics, which
can conflict with the wakeup side.
The interfaces are quite straightforward:
rcuwait_wait_event()
rcuwait_wake_up()
More details are in the comments, but it's perhaps worth mentioning at least,
that users must provide proper serialization when waiting on a condition, and
avoid corrupting a concurrent waiter. Also care must be taken between the task
and the condition for when calling the wakeup -- we cannot miss wakeups. When
porting users, this is for example, a given when using waitqueues in that
everything is done under the q->lock. As such, it can remove sources of non
preemptable unbounded work for realtime.
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: dave@stgolabs.net
Link: http://lkml.kernel.org/r/1484148146-14210-2-git-send-email-dave@stgolabs.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2017-01-11 15:22:25 +00:00
|
|
|
#include <linux/rcuwait.h>
|
2017-05-14 23:52:01 +00:00
|
|
|
#include <linux/compat.h>
|
2020-12-30 21:34:16 +00:00
|
|
|
#include <linux/io_uring.h>
|
2021-09-28 12:24:28 +00:00
|
|
|
#include <linux/kprobes.h>
|
2022-03-15 14:00:50 +00:00
|
|
|
#include <linux/rethook.h>
|
2022-11-17 23:43:23 +00:00
|
|
|
#include <linux/sysfs.h>
|
2023-03-28 23:52:09 +00:00
|
|
|
#include <linux/user_events.h>
|
2016-12-24 19:46:01 +00:00
|
|
|
#include <linux/uaccess.h>
|
2023-12-11 18:14:41 +00:00
|
|
|
|
|
|
|
#include <uapi/linux/wait.h>
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
#include <asm/unistd.h>
|
|
|
|
#include <asm/mmu_context.h>
|
|
|
|
|
2023-07-11 16:40:31 +00:00
|
|
|
#include "exit.h"
|
|
|
|
|
exit: Put an upper limit on how often we can oops
Many Linux systems are configured to not panic on oops; but allowing an
attacker to oops the system **really** often can make even bugs that look
completely unexploitable exploitable (like NULL dereferences and such) if
each crash elevates a refcount by one or a lock is taken in read mode, and
this causes a counter to eventually overflow.
The most interesting counters for this are 32 bits wide (like open-coded
refcounts that don't use refcount_t). (The ldsem reader count on 32-bit
platforms is just 16 bits, but probably nobody cares about 32-bit platforms
that much nowadays.)
So let's panic the system if the kernel is constantly oopsing.
The speed of oopsing 2^32 times probably depends on several factors, like
how long the stack trace is and which unwinder you're using; an empirically
important one is whether your console is showing a graphical environment or
a text console that oopses will be printed to.
In a quick single-threaded benchmark, it looks like oopsing in a vfork()
child with a very short stack trace only takes ~510 microseconds per run
when a graphical console is active; but switching to a text console that
oopses are printed to slows it down around 87x, to ~45 milliseconds per
run.
(Adding more threads makes this faster, but the actual oops printing
happens under &die_lock on x86, so you can maybe speed this up by a factor
of around 2 and then any further improvement gets eaten up by lock
contention.)
It looks like it would take around 8-12 days to overflow a 32-bit counter
with repeated oopsing on a multi-core X86 system running a graphical
environment; both me (in an X86 VM) and Seth (with a distro kernel on
normal hardware in a standard configuration) got numbers in that ballpark.
12 days aren't *that* short on a desktop system, and you'd likely need much
longer on a typical server system (assuming that people don't run graphical
desktop environments on their servers), and this is a *very* noisy and
violent approach to exploiting the kernel; and it also seems to take orders
of magnitude longer on some machines, probably because stuff like EFI
pstore will slow it down a ton if that's active.
Signed-off-by: Jann Horn <jannh@google.com>
Link: https://lore.kernel.org/r/20221107201317.324457-1-jannh@google.com
Reviewed-by: Luis Chamberlain <mcgrof@kernel.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20221117234328.594699-2-keescook@chromium.org
2022-11-17 23:43:22 +00:00
|
|
|
/*
|
|
|
|
* The default value should be high enough to not crash a system that randomly
|
|
|
|
* crashes its kernel from time to time, but low enough to at least not permit
|
|
|
|
* overflowing 32-bit refcounts or the ldsem writer count.
|
|
|
|
*/
|
|
|
|
static unsigned int oops_limit = 10000;
|
|
|
|
|
|
|
|
#ifdef CONFIG_SYSCTL
|
|
|
|
static struct ctl_table kern_exit_table[] = {
|
|
|
|
{
|
|
|
|
.procname = "oops_limit",
|
|
|
|
.data = &oops_limit,
|
|
|
|
.maxlen = sizeof(oops_limit),
|
|
|
|
.mode = 0644,
|
|
|
|
.proc_handler = proc_douintvec,
|
|
|
|
},
|
|
|
|
};
|
|
|
|
|
|
|
|
static __init int kernel_exit_sysctls_init(void)
|
|
|
|
{
|
|
|
|
register_sysctl_init("kernel", kern_exit_table);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
late_initcall(kernel_exit_sysctls_init);
|
|
|
|
#endif
|
|
|
|
|
2022-11-17 23:43:23 +00:00
|
|
|
static atomic_t oops_count = ATOMIC_INIT(0);
|
|
|
|
|
|
|
|
#ifdef CONFIG_SYSFS
|
|
|
|
static ssize_t oops_count_show(struct kobject *kobj, struct kobj_attribute *attr,
|
|
|
|
char *page)
|
|
|
|
{
|
|
|
|
return sysfs_emit(page, "%d\n", atomic_read(&oops_count));
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct kobj_attribute oops_count_attr = __ATTR_RO(oops_count);
|
|
|
|
|
|
|
|
static __init int kernel_exit_sysfs_init(void)
|
|
|
|
{
|
|
|
|
sysfs_add_file_to_group(kernel_kobj, &oops_count_attr.attr, NULL);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
late_initcall(kernel_exit_sysfs_init);
|
|
|
|
#endif
|
|
|
|
|
2010-05-26 21:43:19 +00:00
|
|
|
static void __unhash_process(struct task_struct *p, bool group_dead)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
nr_threads--;
|
2012-06-20 19:53:04 +00:00
|
|
|
detach_pid(p, PIDTYPE_PID);
|
2010-05-26 21:43:19 +00:00
|
|
|
if (group_dead) {
|
2017-06-04 09:32:13 +00:00
|
|
|
detach_pid(p, PIDTYPE_TGID);
|
2005-04-16 22:20:36 +00:00
|
|
|
detach_pid(p, PIDTYPE_PGID);
|
|
|
|
detach_pid(p, PIDTYPE_SID);
|
2006-03-29 00:11:06 +00:00
|
|
|
|
2006-04-19 05:20:16 +00:00
|
|
|
list_del_rcu(&p->tasks);
|
2009-12-17 23:27:15 +00:00
|
|
|
list_del_init(&p->sibling);
|
2010-12-08 15:22:55 +00:00
|
|
|
__this_cpu_dec(process_counts);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
introduce for_each_thread() to replace the buggy while_each_thread()
while_each_thread() and next_thread() should die, almost every lockless
usage is wrong.
1. Unless g == current, the lockless while_each_thread() is not safe.
while_each_thread(g, t) can loop forever if g exits, next_thread()
can't reach the unhashed thread in this case. Note that this can
happen even if g is the group leader, it can exec.
2. Even if while_each_thread() itself was correct, people often use
it wrongly.
It was never safe to just take rcu_read_lock() and loop unless
you verify that pid_alive(g) == T, even the first next_thread()
can point to the already freed/reused memory.
This patch adds signal_struct->thread_head and task->thread_node to
create the normal rcu-safe list with the stable head. The new
for_each_thread(g, t) helper is always safe under rcu_read_lock() as
long as this task_struct can't go away.
Note: of course it is ugly to have both task_struct->thread_node and the
old task_struct->thread_group, we will kill it later, after we change
the users of while_each_thread() to use for_each_thread().
Perhaps we can kill it even before we convert all users, we can
reimplement next_thread(t) using the new thread_head/thread_node. But
we can't do this right now because this will lead to subtle behavioural
changes. For example, do/while_each_thread() always sees at least one
task, while for_each_thread() can do nothing if the whole thread group
has died. Or thread_group_empty(), currently its semantics is not clear
unless thread_group_leader(p) and we need to audit the callers before we
can change it.
So this patch adds the new interface which has to coexist with the old
one for some time, hopefully the next changes will be more or less
straightforward and the old one will go away soon.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Sergey Dyasly <dserrg@gmail.com>
Tested-by: Sergey Dyasly <dserrg@gmail.com>
Reviewed-by: Sameer Nanda <snanda@chromium.org>
Acked-by: David Rientjes <rientjes@google.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Mandeep Singh Baines <msb@chromium.org>
Cc: "Ma, Xindong" <xindong.ma@intel.com>
Cc: Michal Hocko <mhocko@suse.cz>
Cc: "Tu, Xiaobing" <xiaobing.tu@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-01-21 23:49:56 +00:00
|
|
|
list_del_rcu(&p->thread_node);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
2006-03-29 00:11:18 +00:00
|
|
|
/*
|
|
|
|
* This function expects the tasklist_lock write-locked.
|
|
|
|
*/
|
|
|
|
static void __exit_signal(struct task_struct *tsk)
|
|
|
|
{
|
|
|
|
struct signal_struct *sig = tsk->signal;
|
2010-05-26 21:43:19 +00:00
|
|
|
bool group_dead = thread_group_leader(tsk);
|
2006-03-29 00:11:18 +00:00
|
|
|
struct sighand_struct *sighand;
|
treewide: Remove uninitialized_var() usage
Using uninitialized_var() is dangerous as it papers over real bugs[1]
(or can in the future), and suppresses unrelated compiler warnings
(e.g. "unused variable"). If the compiler thinks it is uninitialized,
either simply initialize the variable or make compiler changes.
In preparation for removing[2] the[3] macro[4], remove all remaining
needless uses with the following script:
git grep '\buninitialized_var\b' | cut -d: -f1 | sort -u | \
xargs perl -pi -e \
's/\buninitialized_var\(([^\)]+)\)/\1/g;
s:\s*/\* (GCC be quiet|to make compiler happy) \*/$::g;'
drivers/video/fbdev/riva/riva_hw.c was manually tweaked to avoid
pathological white-space.
No outstanding warnings were found building allmodconfig with GCC 9.3.0
for x86_64, i386, arm64, arm, powerpc, powerpc64le, s390x, mips, sparc64,
alpha, and m68k.
[1] https://lore.kernel.org/lkml/20200603174714.192027-1-glider@google.com/
[2] https://lore.kernel.org/lkml/CA+55aFw+Vbj0i=1TGqCR5vQkCzWJ0QxK6CernOU6eedsudAixw@mail.gmail.com/
[3] https://lore.kernel.org/lkml/CA+55aFwgbgqhbp1fkxvRKEpzyR5J8n1vKT1VZdz9knmPuXhOeg@mail.gmail.com/
[4] https://lore.kernel.org/lkml/CA+55aFz2500WfbKXAx8s67wrm9=yVJu65TpLgN_ybYNv0VEOKA@mail.gmail.com/
Reviewed-by: Leon Romanovsky <leonro@mellanox.com> # drivers/infiniband and mlx4/mlx5
Acked-by: Jason Gunthorpe <jgg@mellanox.com> # IB
Acked-by: Kalle Valo <kvalo@codeaurora.org> # wireless drivers
Reviewed-by: Chao Yu <yuchao0@huawei.com> # erofs
Signed-off-by: Kees Cook <keescook@chromium.org>
2020-06-03 20:09:38 +00:00
|
|
|
struct tty_struct *tty;
|
2017-01-31 03:09:23 +00:00
|
|
|
u64 utime, stime;
|
2006-03-29 00:11:18 +00:00
|
|
|
|
2010-02-23 01:04:50 +00:00
|
|
|
sighand = rcu_dereference_check(tsk->sighand,
|
2010-03-03 15:46:56 +00:00
|
|
|
lockdep_tasklist_lock_is_held());
|
2006-03-29 00:11:18 +00:00
|
|
|
spin_lock(&sighand->siglock);
|
|
|
|
|
posix-timers: Make them configurable
Some embedded systems have no use for them. This removes about
25KB from the kernel binary size when configured out.
Corresponding syscalls are routed to a stub logging the attempt to
use those syscalls which should be enough of a clue if they were
disabled without proper consideration. They are: timer_create,
timer_gettime: timer_getoverrun, timer_settime, timer_delete,
clock_adjtime, setitimer, getitimer, alarm.
The clock_settime, clock_gettime, clock_getres and clock_nanosleep
syscalls are replaced by simple wrappers compatible with CLOCK_REALTIME,
CLOCK_MONOTONIC and CLOCK_BOOTTIME only which should cover the vast
majority of use cases with very little code.
Signed-off-by: Nicolas Pitre <nico@linaro.org>
Acked-by: Richard Cochran <richardcochran@gmail.com>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: John Stultz <john.stultz@linaro.org>
Reviewed-by: Josh Triplett <josh@joshtriplett.org>
Cc: Paul Bolle <pebolle@tiscali.nl>
Cc: linux-kbuild@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: Michal Marek <mmarek@suse.com>
Cc: Edward Cree <ecree@solarflare.com>
Link: http://lkml.kernel.org/r/1478841010-28605-7-git-send-email-nicolas.pitre@linaro.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
2016-11-11 05:10:10 +00:00
|
|
|
#ifdef CONFIG_POSIX_TIMERS
|
2006-03-29 00:11:18 +00:00
|
|
|
posix_cpu_timers_exit(tsk);
|
2020-02-28 17:15:03 +00:00
|
|
|
if (group_dead)
|
2006-03-29 00:11:18 +00:00
|
|
|
posix_cpu_timers_exit_group(tsk);
|
posix-timers: Make them configurable
Some embedded systems have no use for them. This removes about
25KB from the kernel binary size when configured out.
Corresponding syscalls are routed to a stub logging the attempt to
use those syscalls which should be enough of a clue if they were
disabled without proper consideration. They are: timer_create,
timer_gettime: timer_getoverrun, timer_settime, timer_delete,
clock_adjtime, setitimer, getitimer, alarm.
The clock_settime, clock_gettime, clock_getres and clock_nanosleep
syscalls are replaced by simple wrappers compatible with CLOCK_REALTIME,
CLOCK_MONOTONIC and CLOCK_BOOTTIME only which should cover the vast
majority of use cases with very little code.
Signed-off-by: Nicolas Pitre <nico@linaro.org>
Acked-by: Richard Cochran <richardcochran@gmail.com>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: John Stultz <john.stultz@linaro.org>
Reviewed-by: Josh Triplett <josh@joshtriplett.org>
Cc: Paul Bolle <pebolle@tiscali.nl>
Cc: linux-kbuild@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: Michal Marek <mmarek@suse.com>
Cc: Edward Cree <ecree@solarflare.com>
Link: http://lkml.kernel.org/r/1478841010-28605-7-git-send-email-nicolas.pitre@linaro.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
2016-11-11 05:10:10 +00:00
|
|
|
#endif
|
2010-11-05 15:53:42 +00:00
|
|
|
|
posix-timers: Make them configurable
Some embedded systems have no use for them. This removes about
25KB from the kernel binary size when configured out.
Corresponding syscalls are routed to a stub logging the attempt to
use those syscalls which should be enough of a clue if they were
disabled without proper consideration. They are: timer_create,
timer_gettime: timer_getoverrun, timer_settime, timer_delete,
clock_adjtime, setitimer, getitimer, alarm.
The clock_settime, clock_gettime, clock_getres and clock_nanosleep
syscalls are replaced by simple wrappers compatible with CLOCK_REALTIME,
CLOCK_MONOTONIC and CLOCK_BOOTTIME only which should cover the vast
majority of use cases with very little code.
Signed-off-by: Nicolas Pitre <nico@linaro.org>
Acked-by: Richard Cochran <richardcochran@gmail.com>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: John Stultz <john.stultz@linaro.org>
Reviewed-by: Josh Triplett <josh@joshtriplett.org>
Cc: Paul Bolle <pebolle@tiscali.nl>
Cc: linux-kbuild@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: Michal Marek <mmarek@suse.com>
Cc: Edward Cree <ecree@solarflare.com>
Link: http://lkml.kernel.org/r/1478841010-28605-7-git-send-email-nicolas.pitre@linaro.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
2016-11-11 05:10:10 +00:00
|
|
|
if (group_dead) {
|
|
|
|
tty = sig->tty;
|
|
|
|
sig->tty = NULL;
|
|
|
|
} else {
|
2006-03-29 00:11:18 +00:00
|
|
|
/*
|
|
|
|
* If there is any task waiting for the group exit
|
|
|
|
* then notify it:
|
|
|
|
*/
|
2010-05-26 21:43:11 +00:00
|
|
|
if (sig->notify_count > 0 && !--sig->notify_count)
|
2021-06-06 18:47:53 +00:00
|
|
|
wake_up_process(sig->group_exec_task);
|
2007-10-17 06:27:23 +00:00
|
|
|
|
2006-03-29 00:11:18 +00:00
|
|
|
if (tsk == sig->curr_target)
|
|
|
|
sig->curr_target = next_thread(tsk);
|
|
|
|
}
|
|
|
|
|
2016-11-11 05:10:09 +00:00
|
|
|
add_device_randomness((const void*) &tsk->se.sum_exec_runtime,
|
|
|
|
sizeof(unsigned long long));
|
|
|
|
|
2014-08-15 20:05:36 +00:00
|
|
|
/*
|
2014-12-10 23:54:54 +00:00
|
|
|
* Accumulate here the counters for all threads as they die. We could
|
|
|
|
* skip the group leader because it is the last user of signal_struct,
|
|
|
|
* but we want to avoid the race with thread_group_cputime() which can
|
|
|
|
* see the empty ->thread_head list.
|
2014-08-15 20:05:36 +00:00
|
|
|
*/
|
|
|
|
task_cputime(tsk, &utime, &stime);
|
2014-08-16 17:40:10 +00:00
|
|
|
write_seqlock(&sig->stats_lock);
|
2014-08-15 20:05:36 +00:00
|
|
|
sig->utime += utime;
|
|
|
|
sig->stime += stime;
|
|
|
|
sig->gtime += task_gtime(tsk);
|
|
|
|
sig->min_flt += tsk->min_flt;
|
|
|
|
sig->maj_flt += tsk->maj_flt;
|
|
|
|
sig->nvcsw += tsk->nvcsw;
|
|
|
|
sig->nivcsw += tsk->nivcsw;
|
|
|
|
sig->inblock += task_io_get_inblock(tsk);
|
|
|
|
sig->oublock += task_io_get_oublock(tsk);
|
|
|
|
task_io_accounting_add(&sig->ioac, &tsk->ioac);
|
|
|
|
sig->sum_sched_runtime += tsk->se.sum_exec_runtime;
|
2010-05-26 21:43:24 +00:00
|
|
|
sig->nr_threads--;
|
2010-05-26 21:43:19 +00:00
|
|
|
__unhash_process(tsk, group_dead);
|
2014-08-16 17:40:10 +00:00
|
|
|
write_sequnlock(&sig->stats_lock);
|
2006-03-29 00:11:20 +00:00
|
|
|
|
2008-05-23 20:04:41 +00:00
|
|
|
/*
|
|
|
|
* Do this under ->siglock, we can race with another thread
|
|
|
|
* doing sigqueue_free() if we have SIGQUEUE_PREALLOC signals.
|
|
|
|
*/
|
|
|
|
flush_sigqueue(&tsk->pending);
|
2006-03-29 00:11:27 +00:00
|
|
|
tsk->sighand = NULL;
|
2006-03-29 00:11:18 +00:00
|
|
|
spin_unlock(&sighand->siglock);
|
|
|
|
|
2006-03-29 00:11:27 +00:00
|
|
|
__cleanup_sighand(sighand);
|
2014-08-08 21:21:18 +00:00
|
|
|
clear_tsk_thread_flag(tsk, TIF_SIGPENDING);
|
2010-05-26 21:43:19 +00:00
|
|
|
if (group_dead) {
|
2006-03-29 00:11:18 +00:00
|
|
|
flush_sigqueue(&sig->shared_pending);
|
2010-05-26 21:43:17 +00:00
|
|
|
tty_kref_put(tty);
|
2006-03-29 00:11:18 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2006-03-31 10:31:37 +00:00
|
|
|
static void delayed_put_task_struct(struct rcu_head *rhp)
|
|
|
|
{
|
tracing, sched: LTTng instrumentation - scheduler
Instrument the scheduler activity (sched_switch, migration, wakeups,
wait for a task, signal delivery) and process/thread
creation/destruction (fork, exit, kthread stop). Actually, kthread
creation is not instrumented in this patch because it is architecture
dependent. It allows to connect tracers such as ftrace which detects
scheduling latencies, good/bad scheduler decisions. Tools like LTTng can
export this scheduler information along with instrumentation of the rest
of the kernel activity to perform post-mortem analysis on the scheduler
activity.
About the performance impact of tracepoints (which is comparable to
markers), even without immediate values optimizations, tests done by
Hideo Aoki on ia64 show no regression. His test case was using hackbench
on a kernel where scheduler instrumentation (about 5 events in code
scheduler code) was added. See the "Tracepoints" patch header for
performance result detail.
Changelog :
- Change instrumentation location and parameter to match ftrace
instrumentation, previously done with kernel markers.
[ mingo@elte.hu: conflict resolutions ]
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@polymtl.ca>
Acked-by: 'Peter Zijlstra' <peterz@infradead.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2008-07-18 16:16:17 +00:00
|
|
|
struct task_struct *tsk = container_of(rhp, struct task_struct, rcu);
|
|
|
|
|
2021-09-28 12:24:28 +00:00
|
|
|
kprobe_flush_task(tsk);
|
2022-03-15 14:00:50 +00:00
|
|
|
rethook_flush_task(tsk);
|
2010-09-09 19:01:59 +00:00
|
|
|
perf_event_delayed_put(tsk);
|
tracing, sched: LTTng instrumentation - scheduler
Instrument the scheduler activity (sched_switch, migration, wakeups,
wait for a task, signal delivery) and process/thread
creation/destruction (fork, exit, kthread stop). Actually, kthread
creation is not instrumented in this patch because it is architecture
dependent. It allows to connect tracers such as ftrace which detects
scheduling latencies, good/bad scheduler decisions. Tools like LTTng can
export this scheduler information along with instrumentation of the rest
of the kernel activity to perform post-mortem analysis on the scheduler
activity.
About the performance impact of tracepoints (which is comparable to
markers), even without immediate values optimizations, tests done by
Hideo Aoki on ia64 show no regression. His test case was using hackbench
on a kernel where scheduler instrumentation (about 5 events in code
scheduler code) was added. See the "Tracepoints" patch header for
performance result detail.
Changelog :
- Change instrumentation location and parameter to match ftrace
instrumentation, previously done with kernel markers.
[ mingo@elte.hu: conflict resolutions ]
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@polymtl.ca>
Acked-by: 'Peter Zijlstra' <peterz@infradead.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2008-07-18 16:16:17 +00:00
|
|
|
trace_sched_process_free(tsk);
|
|
|
|
put_task_struct(tsk);
|
2006-03-31 10:31:37 +00:00
|
|
|
}
|
|
|
|
|
2019-09-14 12:33:34 +00:00
|
|
|
void put_task_struct_rcu_user(struct task_struct *task)
|
|
|
|
{
|
|
|
|
if (refcount_dec_and_test(&task->rcu_users))
|
|
|
|
call_rcu(&task->rcu, delayed_put_task_struct);
|
|
|
|
}
|
2008-03-25 01:36:23 +00:00
|
|
|
|
2022-08-19 01:44:06 +00:00
|
|
|
void __weak release_thread(struct task_struct *dead_task)
|
|
|
|
{
|
|
|
|
}
|
|
|
|
|
2014-08-08 21:21:18 +00:00
|
|
|
void release_task(struct task_struct *p)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2006-07-03 07:25:41 +00:00
|
|
|
struct task_struct *leader;
|
2020-02-20 00:22:26 +00:00
|
|
|
struct pid *thread_pid;
|
2005-04-16 22:20:36 +00:00
|
|
|
int zap_leader;
|
2006-03-29 00:11:11 +00:00
|
|
|
repeat:
|
2008-11-13 23:39:19 +00:00
|
|
|
/* don't need to get the RCU readlock here - the process is dead and
|
2010-02-23 01:04:50 +00:00
|
|
|
* can't be modifying its own credentials. But shut RCU-lockdep up */
|
|
|
|
rcu_read_lock();
|
2021-04-22 12:27:11 +00:00
|
|
|
dec_rlimit_ucounts(task_ucounts(p), UCOUNT_RLIMIT_NPROC, 1);
|
2010-02-23 01:04:50 +00:00
|
|
|
rcu_read_unlock();
|
2008-11-13 23:39:19 +00:00
|
|
|
|
2019-05-31 17:38:57 +00:00
|
|
|
cgroup_release(p);
|
2009-05-17 09:24:08 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
write_lock_irq(&tasklist_lock);
|
2011-06-17 14:50:37 +00:00
|
|
|
ptrace_release_task(p);
|
2020-02-20 00:22:26 +00:00
|
|
|
thread_pid = get_pid(p->thread_pid);
|
2005-04-16 22:20:36 +00:00
|
|
|
__exit_signal(p);
|
2006-03-29 00:11:19 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
/*
|
|
|
|
* If we are the last non-leader member of the thread
|
|
|
|
* group, and the leader is zombie, then notify the
|
|
|
|
* group leader's parent process. (if it wants notification.)
|
|
|
|
*/
|
|
|
|
zap_leader = 0;
|
|
|
|
leader = p->group_leader;
|
2014-08-08 21:21:18 +00:00
|
|
|
if (leader != p && thread_group_empty(leader)
|
|
|
|
&& leader->exit_state == EXIT_ZOMBIE) {
|
2005-04-16 22:20:36 +00:00
|
|
|
/*
|
|
|
|
* If we were the last child thread and the leader has
|
|
|
|
* exited already, and the leader's parent ignores SIGCHLD,
|
|
|
|
* then we are the one who should release the leader.
|
2008-07-26 02:45:48 +00:00
|
|
|
*/
|
2011-06-22 21:09:09 +00:00
|
|
|
zap_leader = do_notify_parent(leader, leader->exit_signal);
|
2008-07-26 02:45:48 +00:00
|
|
|
if (zap_leader)
|
|
|
|
leader->exit_state = EXIT_DEAD;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
write_unlock_irq(&tasklist_lock);
|
2020-02-20 00:22:26 +00:00
|
|
|
proc_flush_pid(thread_pid);
|
2020-04-24 20:41:20 +00:00
|
|
|
put_pid(thread_pid);
|
2005-04-16 22:20:36 +00:00
|
|
|
release_thread(p);
|
2019-09-14 12:33:34 +00:00
|
|
|
put_task_struct_rcu_user(p);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
p = leader;
|
|
|
|
if (unlikely(zap_leader))
|
|
|
|
goto repeat;
|
|
|
|
}
|
|
|
|
|
2020-04-24 05:48:34 +00:00
|
|
|
int rcuwait_wake_up(struct rcuwait *w)
|
sched/wait, RCU: Introduce rcuwait machinery
rcuwait provides support for (single) RCU-safe task wait/wake functionality,
with the caveat that it must not be called after exit_notify(), such that
we avoid racing with rcu delayed_put_task_struct callbacks, task_struct
being rcu unaware in this context -- for which we similarly have
task_rcu_dereference() magic, but with different return semantics, which
can conflict with the wakeup side.
The interfaces are quite straightforward:
rcuwait_wait_event()
rcuwait_wake_up()
More details are in the comments, but it's perhaps worth mentioning at least,
that users must provide proper serialization when waiting on a condition, and
avoid corrupting a concurrent waiter. Also care must be taken between the task
and the condition for when calling the wakeup -- we cannot miss wakeups. When
porting users, this is for example, a given when using waitqueues in that
everything is done under the q->lock. As such, it can remove sources of non
preemptable unbounded work for realtime.
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: dave@stgolabs.net
Link: http://lkml.kernel.org/r/1484148146-14210-2-git-send-email-dave@stgolabs.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2017-01-11 15:22:25 +00:00
|
|
|
{
|
2020-04-24 05:48:34 +00:00
|
|
|
int ret = 0;
|
sched/wait, RCU: Introduce rcuwait machinery
rcuwait provides support for (single) RCU-safe task wait/wake functionality,
with the caveat that it must not be called after exit_notify(), such that
we avoid racing with rcu delayed_put_task_struct callbacks, task_struct
being rcu unaware in this context -- for which we similarly have
task_rcu_dereference() magic, but with different return semantics, which
can conflict with the wakeup side.
The interfaces are quite straightforward:
rcuwait_wait_event()
rcuwait_wake_up()
More details are in the comments, but it's perhaps worth mentioning at least,
that users must provide proper serialization when waiting on a condition, and
avoid corrupting a concurrent waiter. Also care must be taken between the task
and the condition for when calling the wakeup -- we cannot miss wakeups. When
porting users, this is for example, a given when using waitqueues in that
everything is done under the q->lock. As such, it can remove sources of non
preemptable unbounded work for realtime.
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: dave@stgolabs.net
Link: http://lkml.kernel.org/r/1484148146-14210-2-git-send-email-dave@stgolabs.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2017-01-11 15:22:25 +00:00
|
|
|
struct task_struct *task;
|
|
|
|
|
|
|
|
rcu_read_lock();
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Order condition vs @task, such that everything prior to the load
|
|
|
|
* of @task is visible. This is the condition as to why the user called
|
2020-04-24 05:48:33 +00:00
|
|
|
* rcuwait_wake() in the first place. Pairs with set_current_state()
|
sched/wait, RCU: Introduce rcuwait machinery
rcuwait provides support for (single) RCU-safe task wait/wake functionality,
with the caveat that it must not be called after exit_notify(), such that
we avoid racing with rcu delayed_put_task_struct callbacks, task_struct
being rcu unaware in this context -- for which we similarly have
task_rcu_dereference() magic, but with different return semantics, which
can conflict with the wakeup side.
The interfaces are quite straightforward:
rcuwait_wait_event()
rcuwait_wake_up()
More details are in the comments, but it's perhaps worth mentioning at least,
that users must provide proper serialization when waiting on a condition, and
avoid corrupting a concurrent waiter. Also care must be taken between the task
and the condition for when calling the wakeup -- we cannot miss wakeups. When
porting users, this is for example, a given when using waitqueues in that
everything is done under the q->lock. As such, it can remove sources of non
preemptable unbounded work for realtime.
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: dave@stgolabs.net
Link: http://lkml.kernel.org/r/1484148146-14210-2-git-send-email-dave@stgolabs.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2017-01-11 15:22:25 +00:00
|
|
|
* barrier (A) in rcuwait_wait_event().
|
|
|
|
*
|
|
|
|
* WAIT WAKE
|
|
|
|
* [S] tsk = current [S] cond = true
|
|
|
|
* MB (A) MB (B)
|
|
|
|
* [L] cond [L] tsk
|
|
|
|
*/
|
2018-11-30 15:10:56 +00:00
|
|
|
smp_mb(); /* (B) */
|
sched/wait, RCU: Introduce rcuwait machinery
rcuwait provides support for (single) RCU-safe task wait/wake functionality,
with the caveat that it must not be called after exit_notify(), such that
we avoid racing with rcu delayed_put_task_struct callbacks, task_struct
being rcu unaware in this context -- for which we similarly have
task_rcu_dereference() magic, but with different return semantics, which
can conflict with the wakeup side.
The interfaces are quite straightforward:
rcuwait_wait_event()
rcuwait_wake_up()
More details are in the comments, but it's perhaps worth mentioning at least,
that users must provide proper serialization when waiting on a condition, and
avoid corrupting a concurrent waiter. Also care must be taken between the task
and the condition for when calling the wakeup -- we cannot miss wakeups. When
porting users, this is for example, a given when using waitqueues in that
everything is done under the q->lock. As such, it can remove sources of non
preemptable unbounded work for realtime.
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: dave@stgolabs.net
Link: http://lkml.kernel.org/r/1484148146-14210-2-git-send-email-dave@stgolabs.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2017-01-11 15:22:25 +00:00
|
|
|
|
|
|
|
task = rcu_dereference(w->task);
|
|
|
|
if (task)
|
2020-04-24 05:48:34 +00:00
|
|
|
ret = wake_up_process(task);
|
sched/wait, RCU: Introduce rcuwait machinery
rcuwait provides support for (single) RCU-safe task wait/wake functionality,
with the caveat that it must not be called after exit_notify(), such that
we avoid racing with rcu delayed_put_task_struct callbacks, task_struct
being rcu unaware in this context -- for which we similarly have
task_rcu_dereference() magic, but with different return semantics, which
can conflict with the wakeup side.
The interfaces are quite straightforward:
rcuwait_wait_event()
rcuwait_wake_up()
More details are in the comments, but it's perhaps worth mentioning at least,
that users must provide proper serialization when waiting on a condition, and
avoid corrupting a concurrent waiter. Also care must be taken between the task
and the condition for when calling the wakeup -- we cannot miss wakeups. When
porting users, this is for example, a given when using waitqueues in that
everything is done under the q->lock. As such, it can remove sources of non
preemptable unbounded work for realtime.
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: dave@stgolabs.net
Link: http://lkml.kernel.org/r/1484148146-14210-2-git-send-email-dave@stgolabs.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2017-01-11 15:22:25 +00:00
|
|
|
rcu_read_unlock();
|
2020-04-24 05:48:34 +00:00
|
|
|
|
|
|
|
return ret;
|
sched/wait, RCU: Introduce rcuwait machinery
rcuwait provides support for (single) RCU-safe task wait/wake functionality,
with the caveat that it must not be called after exit_notify(), such that
we avoid racing with rcu delayed_put_task_struct callbacks, task_struct
being rcu unaware in this context -- for which we similarly have
task_rcu_dereference() magic, but with different return semantics, which
can conflict with the wakeup side.
The interfaces are quite straightforward:
rcuwait_wait_event()
rcuwait_wake_up()
More details are in the comments, but it's perhaps worth mentioning at least,
that users must provide proper serialization when waiting on a condition, and
avoid corrupting a concurrent waiter. Also care must be taken between the task
and the condition for when calling the wakeup -- we cannot miss wakeups. When
porting users, this is for example, a given when using waitqueues in that
everything is done under the q->lock. As such, it can remove sources of non
preemptable unbounded work for realtime.
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: dave@stgolabs.net
Link: http://lkml.kernel.org/r/1484148146-14210-2-git-send-email-dave@stgolabs.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2017-01-11 15:22:25 +00:00
|
|
|
}
|
2019-11-18 23:19:35 +00:00
|
|
|
EXPORT_SYMBOL_GPL(rcuwait_wake_up);
|
sched/wait, RCU: Introduce rcuwait machinery
rcuwait provides support for (single) RCU-safe task wait/wake functionality,
with the caveat that it must not be called after exit_notify(), such that
we avoid racing with rcu delayed_put_task_struct callbacks, task_struct
being rcu unaware in this context -- for which we similarly have
task_rcu_dereference() magic, but with different return semantics, which
can conflict with the wakeup side.
The interfaces are quite straightforward:
rcuwait_wait_event()
rcuwait_wake_up()
More details are in the comments, but it's perhaps worth mentioning at least,
that users must provide proper serialization when waiting on a condition, and
avoid corrupting a concurrent waiter. Also care must be taken between the task
and the condition for when calling the wakeup -- we cannot miss wakeups. When
porting users, this is for example, a given when using waitqueues in that
everything is done under the q->lock. As such, it can remove sources of non
preemptable unbounded work for realtime.
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: dave@stgolabs.net
Link: http://lkml.kernel.org/r/1484148146-14210-2-git-send-email-dave@stgolabs.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2017-01-11 15:22:25 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
/*
|
|
|
|
* Determine if a process group is "orphaned", according to the POSIX
|
|
|
|
* definition in 2.2.2.52. Orphaned process groups are not to be affected
|
|
|
|
* by terminal-generated stop signals. Newly orphaned process groups are
|
|
|
|
* to receive a SIGHUP and a SIGCONT.
|
|
|
|
*
|
|
|
|
* "I ask you, have you ever known what it is to be an orphan?"
|
|
|
|
*/
|
2014-08-08 21:21:18 +00:00
|
|
|
static int will_become_orphaned_pgrp(struct pid *pgrp,
|
|
|
|
struct task_struct *ignored_task)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
struct task_struct *p;
|
|
|
|
|
2007-02-12 08:52:57 +00:00
|
|
|
do_each_pid_task(pgrp, PIDTYPE_PGID, p) {
|
2008-03-02 18:44:42 +00:00
|
|
|
if ((p == ignored_task) ||
|
|
|
|
(p->exit_state && thread_group_empty(p)) ||
|
|
|
|
is_global_init(p->real_parent))
|
2005-04-16 22:20:36 +00:00
|
|
|
continue;
|
2008-03-02 18:44:42 +00:00
|
|
|
|
2007-02-12 08:52:57 +00:00
|
|
|
if (task_pgrp(p->real_parent) != pgrp &&
|
2008-03-02 18:44:42 +00:00
|
|
|
task_session(p->real_parent) == task_session(p))
|
|
|
|
return 0;
|
2007-02-12 08:52:57 +00:00
|
|
|
} while_each_pid_task(pgrp, PIDTYPE_PGID, p);
|
2008-03-02 18:44:42 +00:00
|
|
|
|
|
|
|
return 1;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
2007-02-12 08:52:58 +00:00
|
|
|
int is_current_pgrp_orphaned(void)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
int retval;
|
|
|
|
|
|
|
|
read_lock(&tasklist_lock);
|
2007-02-12 08:52:58 +00:00
|
|
|
retval = will_become_orphaned_pgrp(task_pgrp(current), NULL);
|
2005-04-16 22:20:36 +00:00
|
|
|
read_unlock(&tasklist_lock);
|
|
|
|
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
2011-07-07 19:33:54 +00:00
|
|
|
static bool has_stopped_jobs(struct pid *pgrp)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
struct task_struct *p;
|
|
|
|
|
2007-02-12 08:52:57 +00:00
|
|
|
do_each_pid_task(pgrp, PIDTYPE_PGID, p) {
|
2011-07-07 19:33:54 +00:00
|
|
|
if (p->signal->flags & SIGNAL_STOP_STOPPED)
|
|
|
|
return true;
|
2007-02-12 08:52:57 +00:00
|
|
|
} while_each_pid_task(pgrp, PIDTYPE_PGID, p);
|
2011-07-07 19:33:54 +00:00
|
|
|
|
|
|
|
return false;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
2008-03-02 18:44:40 +00:00
|
|
|
/*
|
|
|
|
* Check to see if any process groups have become orphaned as
|
|
|
|
* a result of our exiting, and if they have any stopped jobs,
|
|
|
|
* send them a SIGHUP and then a SIGCONT. (POSIX 3.2.2.2)
|
|
|
|
*/
|
|
|
|
static void
|
|
|
|
kill_orphaned_pgrp(struct task_struct *tsk, struct task_struct *parent)
|
|
|
|
{
|
|
|
|
struct pid *pgrp = task_pgrp(tsk);
|
|
|
|
struct task_struct *ignored_task = tsk;
|
|
|
|
|
|
|
|
if (!parent)
|
2014-08-08 21:21:18 +00:00
|
|
|
/* exit: our father is in a different pgrp than
|
|
|
|
* we are and we were the only connection outside.
|
|
|
|
*/
|
2008-03-02 18:44:40 +00:00
|
|
|
parent = tsk->real_parent;
|
|
|
|
else
|
|
|
|
/* reparent: our child is in a different pgrp than
|
|
|
|
* we are, and it was the only connection outside.
|
|
|
|
*/
|
|
|
|
ignored_task = NULL;
|
|
|
|
|
|
|
|
if (task_pgrp(parent) != pgrp &&
|
|
|
|
task_session(parent) == task_session(tsk) &&
|
|
|
|
will_become_orphaned_pgrp(pgrp, ignored_task) &&
|
|
|
|
has_stopped_jobs(pgrp)) {
|
|
|
|
__kill_pgrp_info(SIGHUP, SEND_SIG_PRIV, pgrp);
|
|
|
|
__kill_pgrp_info(SIGCONT, SEND_SIG_PRIV, pgrp);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-09-01 16:33:50 +00:00
|
|
|
static void coredump_task_exit(struct task_struct *tsk)
|
2021-09-01 16:23:38 +00:00
|
|
|
{
|
|
|
|
struct core_state *core_state;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Serialize with any possible pending coredump.
|
2021-09-22 16:24:02 +00:00
|
|
|
* We must hold siglock around checking core_state
|
2021-09-01 16:33:50 +00:00
|
|
|
* and setting PF_POSTCOREDUMP. The core-inducing thread
|
2021-09-01 16:23:38 +00:00
|
|
|
* will increment ->nr_threads for each thread in the
|
2021-09-01 16:33:50 +00:00
|
|
|
* group without PF_POSTCOREDUMP set.
|
2021-09-01 16:23:38 +00:00
|
|
|
*/
|
2021-09-22 16:24:02 +00:00
|
|
|
spin_lock_irq(&tsk->sighand->siglock);
|
2021-09-01 16:33:50 +00:00
|
|
|
tsk->flags |= PF_POSTCOREDUMP;
|
2021-09-22 16:24:02 +00:00
|
|
|
core_state = tsk->signal->core_state;
|
|
|
|
spin_unlock_irq(&tsk->sighand->siglock);
|
2024-03-16 00:47:07 +00:00
|
|
|
if (core_state) {
|
2021-09-01 16:23:38 +00:00
|
|
|
struct core_thread self;
|
|
|
|
|
|
|
|
self.task = current;
|
|
|
|
if (self.task->flags & PF_SIGNALED)
|
|
|
|
self.next = xchg(&core_state->dumper.next, &self);
|
|
|
|
else
|
|
|
|
self.task = NULL;
|
|
|
|
/*
|
|
|
|
* Implies mb(), the result of xchg() must be visible
|
|
|
|
* to core_state->dumper.
|
|
|
|
*/
|
|
|
|
if (atomic_dec_and_test(&core_state->nr_threads))
|
|
|
|
complete(&core_state->startup);
|
|
|
|
|
|
|
|
for (;;) {
|
exit: Sleep at TASK_IDLE when waiting for application core dump
Currently, the coredump_task_exit() function sets the task state
to TASK_UNINTERRUPTIBLE|TASK_FREEZABLE, which usually works well.
But a combination of large memory and slow (and/or highly contended)
mass storage can cause application core dumps to take more than
two minutes, which can cause check_hung_task(), which is invoked by
check_hung_uninterruptible_tasks(), to produce task-blocked splats.
There does not seem to be any reasonable benefit to getting these splats.
Furthermore, as Oleg Nesterov points out, TASK_UNINTERRUPTIBLE could
be misleading because the task sleeping in coredump_task_exit() really
is killable, albeit indirectly. See the check of signal->core_state
in prepare_signal() and the check of fatal_signal_pending()
in dump_interrupted(), which bypass the normal unkillability of
TASK_UNINTERRUPTIBLE, resulting in coredump_finish() invoking
wake_up_process() on any threads sleeping in coredump_task_exit().
Therefore, change that TASK_UNINTERRUPTIBLE to TASK_IDLE.
Reported-by: Anhad Jai Singh <ffledgling@meta.com>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Christian Brauner <brauner@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: "Matthew Wilcox (Oracle)" <willy@infradead.org>
Cc: Chris Mason <clm@fb.com>
Cc: Rik van Riel <riel@surriel.com>
2024-07-24 23:51:52 +00:00
|
|
|
set_current_state(TASK_IDLE|TASK_FREEZABLE);
|
2021-09-01 16:23:38 +00:00
|
|
|
if (!self.task) /* see coredump_finish() */
|
|
|
|
break;
|
freezer,sched: Rewrite core freezer logic
Rewrite the core freezer to behave better wrt thawing and be simpler
in general.
By replacing PF_FROZEN with TASK_FROZEN, a special block state, it is
ensured frozen tasks stay frozen until thawed and don't randomly wake
up early, as is currently possible.
As such, it does away with PF_FROZEN and PF_FREEZER_SKIP, freeing up
two PF_flags (yay!).
Specifically; the current scheme works a little like:
freezer_do_not_count();
schedule();
freezer_count();
And either the task is blocked, or it lands in try_to_freezer()
through freezer_count(). Now, when it is blocked, the freezer
considers it frozen and continues.
However, on thawing, once pm_freezing is cleared, freezer_count()
stops working, and any random/spurious wakeup will let a task run
before its time.
That is, thawing tries to thaw things in explicit order; kernel
threads and workqueues before doing bringing SMP back before userspace
etc.. However due to the above mentioned races it is entirely possible
for userspace tasks to thaw (by accident) before SMP is back.
This can be a fatal problem in asymmetric ISA architectures (eg ARMv9)
where the userspace task requires a special CPU to run.
As said; replace this with a special task state TASK_FROZEN and add
the following state transitions:
TASK_FREEZABLE -> TASK_FROZEN
__TASK_STOPPED -> TASK_FROZEN
__TASK_TRACED -> TASK_FROZEN
The new TASK_FREEZABLE can be set on any state part of TASK_NORMAL
(IOW. TASK_INTERRUPTIBLE and TASK_UNINTERRUPTIBLE) -- any such state
is already required to deal with spurious wakeups and the freezer
causes one such when thawing the task (since the original state is
lost).
The special __TASK_{STOPPED,TRACED} states *can* be restored since
their canonical state is in ->jobctl.
With this, frozen tasks need an explicit TASK_FROZEN wakeup and are
free of undue (early / spurious) wakeups.
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Link: https://lore.kernel.org/r/20220822114649.055452969@infradead.org
2022-08-22 11:18:22 +00:00
|
|
|
schedule();
|
2021-09-01 16:23:38 +00:00
|
|
|
}
|
|
|
|
__set_current_state(TASK_RUNNING);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2014-06-04 23:07:34 +00:00
|
|
|
#ifdef CONFIG_MEMCG
|
2024-06-26 15:29:24 +00:00
|
|
|
/* drops tasklist_lock if succeeds */
|
2024-06-26 15:29:30 +00:00
|
|
|
static bool __try_to_set_owner(struct task_struct *tsk, struct mm_struct *mm)
|
2024-06-26 15:29:24 +00:00
|
|
|
{
|
|
|
|
bool ret = false;
|
|
|
|
|
|
|
|
task_lock(tsk);
|
|
|
|
if (likely(tsk->mm == mm)) {
|
|
|
|
/* tsk can't pass exit_mm/exec_mmap and exit */
|
|
|
|
read_unlock(&tasklist_lock);
|
|
|
|
WRITE_ONCE(mm->owner, tsk);
|
|
|
|
lru_gen_migrate_mm(mm);
|
|
|
|
ret = true;
|
|
|
|
}
|
|
|
|
task_unlock(tsk);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2024-06-26 15:29:30 +00:00
|
|
|
static bool try_to_set_owner(struct task_struct *g, struct mm_struct *mm)
|
|
|
|
{
|
|
|
|
struct task_struct *t;
|
|
|
|
|
|
|
|
for_each_thread(g, t) {
|
|
|
|
struct mm_struct *t_mm = READ_ONCE(t->mm);
|
|
|
|
if (t_mm == mm) {
|
|
|
|
if (__try_to_set_owner(t, mm))
|
|
|
|
return true;
|
|
|
|
} else if (t_mm)
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
cgroups: add an owner to the mm_struct
Remove the mem_cgroup member from mm_struct and instead adds an owner.
This approach was suggested by Paul Menage. The advantage of this approach
is that, once the mm->owner is known, using the subsystem id, the cgroup
can be determined. It also allows several control groups that are
virtually grouped by mm_struct, to exist independent of the memory
controller i.e., without adding mem_cgroup's for each controller, to
mm_struct.
A new config option CONFIG_MM_OWNER is added and the memory resource
controller selects this config option.
This patch also adds cgroup callbacks to notify subsystems when mm->owner
changes. The mm_cgroup_changed callback is called with the task_lock() of
the new task held and is called just prior to changing the mm->owner.
I am indebted to Paul Menage for the several reviews of this patchset and
helping me make it lighter and simpler.
This patch was tested on a powerpc box, it was compiled with both the
MM_OWNER config turned on and off.
After the thread group leader exits, it's moved to init_css_state by
cgroup_exit(), thus all future charges from runnings threads would be
redirected to the init_css_set's subsystem.
Signed-off-by: Balbir Singh <balbir@linux.vnet.ibm.com>
Cc: Pavel Emelianov <xemul@openvz.org>
Cc: Hugh Dickins <hugh@veritas.com>
Cc: Sudhir Kumar <skumar@linux.vnet.ibm.com>
Cc: YAMAMOTO Takashi <yamamoto@valinux.co.jp>
Cc: Hirokazu Takahashi <taka@valinux.co.jp>
Cc: David Rientjes <rientjes@google.com>,
Cc: Balbir Singh <balbir@linux.vnet.ibm.com>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Acked-by: Pekka Enberg <penberg@cs.helsinki.fi>
Reviewed-by: Paul Menage <menage@google.com>
Cc: Oleg Nesterov <oleg@tv-sign.ru>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-04-29 08:00:16 +00:00
|
|
|
/*
|
2011-06-15 22:08:43 +00:00
|
|
|
* A task is exiting. If it owned this mm, find a new owner for the mm.
|
cgroups: add an owner to the mm_struct
Remove the mem_cgroup member from mm_struct and instead adds an owner.
This approach was suggested by Paul Menage. The advantage of this approach
is that, once the mm->owner is known, using the subsystem id, the cgroup
can be determined. It also allows several control groups that are
virtually grouped by mm_struct, to exist independent of the memory
controller i.e., without adding mem_cgroup's for each controller, to
mm_struct.
A new config option CONFIG_MM_OWNER is added and the memory resource
controller selects this config option.
This patch also adds cgroup callbacks to notify subsystems when mm->owner
changes. The mm_cgroup_changed callback is called with the task_lock() of
the new task held and is called just prior to changing the mm->owner.
I am indebted to Paul Menage for the several reviews of this patchset and
helping me make it lighter and simpler.
This patch was tested on a powerpc box, it was compiled with both the
MM_OWNER config turned on and off.
After the thread group leader exits, it's moved to init_css_state by
cgroup_exit(), thus all future charges from runnings threads would be
redirected to the init_css_set's subsystem.
Signed-off-by: Balbir Singh <balbir@linux.vnet.ibm.com>
Cc: Pavel Emelianov <xemul@openvz.org>
Cc: Hugh Dickins <hugh@veritas.com>
Cc: Sudhir Kumar <skumar@linux.vnet.ibm.com>
Cc: YAMAMOTO Takashi <yamamoto@valinux.co.jp>
Cc: Hirokazu Takahashi <taka@valinux.co.jp>
Cc: David Rientjes <rientjes@google.com>,
Cc: Balbir Singh <balbir@linux.vnet.ibm.com>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Acked-by: Pekka Enberg <penberg@cs.helsinki.fi>
Reviewed-by: Paul Menage <menage@google.com>
Cc: Oleg Nesterov <oleg@tv-sign.ru>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-04-29 08:00:16 +00:00
|
|
|
*/
|
|
|
|
void mm_update_next_owner(struct mm_struct *mm)
|
|
|
|
{
|
2024-06-26 15:29:30 +00:00
|
|
|
struct task_struct *g, *p = current;
|
cgroups: add an owner to the mm_struct
Remove the mem_cgroup member from mm_struct and instead adds an owner.
This approach was suggested by Paul Menage. The advantage of this approach
is that, once the mm->owner is known, using the subsystem id, the cgroup
can be determined. It also allows several control groups that are
virtually grouped by mm_struct, to exist independent of the memory
controller i.e., without adding mem_cgroup's for each controller, to
mm_struct.
A new config option CONFIG_MM_OWNER is added and the memory resource
controller selects this config option.
This patch also adds cgroup callbacks to notify subsystems when mm->owner
changes. The mm_cgroup_changed callback is called with the task_lock() of
the new task held and is called just prior to changing the mm->owner.
I am indebted to Paul Menage for the several reviews of this patchset and
helping me make it lighter and simpler.
This patch was tested on a powerpc box, it was compiled with both the
MM_OWNER config turned on and off.
After the thread group leader exits, it's moved to init_css_state by
cgroup_exit(), thus all future charges from runnings threads would be
redirected to the init_css_set's subsystem.
Signed-off-by: Balbir Singh <balbir@linux.vnet.ibm.com>
Cc: Pavel Emelianov <xemul@openvz.org>
Cc: Hugh Dickins <hugh@veritas.com>
Cc: Sudhir Kumar <skumar@linux.vnet.ibm.com>
Cc: YAMAMOTO Takashi <yamamoto@valinux.co.jp>
Cc: Hirokazu Takahashi <taka@valinux.co.jp>
Cc: David Rientjes <rientjes@google.com>,
Cc: Balbir Singh <balbir@linux.vnet.ibm.com>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Acked-by: Pekka Enberg <penberg@cs.helsinki.fi>
Reviewed-by: Paul Menage <menage@google.com>
Cc: Oleg Nesterov <oleg@tv-sign.ru>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-04-29 08:00:16 +00:00
|
|
|
|
2011-06-15 22:08:43 +00:00
|
|
|
/*
|
|
|
|
* If the exiting or execing task is not the owner, it's
|
|
|
|
* someone else's problem.
|
|
|
|
*/
|
|
|
|
if (mm->owner != p)
|
cgroups: add an owner to the mm_struct
Remove the mem_cgroup member from mm_struct and instead adds an owner.
This approach was suggested by Paul Menage. The advantage of this approach
is that, once the mm->owner is known, using the subsystem id, the cgroup
can be determined. It also allows several control groups that are
virtually grouped by mm_struct, to exist independent of the memory
controller i.e., without adding mem_cgroup's for each controller, to
mm_struct.
A new config option CONFIG_MM_OWNER is added and the memory resource
controller selects this config option.
This patch also adds cgroup callbacks to notify subsystems when mm->owner
changes. The mm_cgroup_changed callback is called with the task_lock() of
the new task held and is called just prior to changing the mm->owner.
I am indebted to Paul Menage for the several reviews of this patchset and
helping me make it lighter and simpler.
This patch was tested on a powerpc box, it was compiled with both the
MM_OWNER config turned on and off.
After the thread group leader exits, it's moved to init_css_state by
cgroup_exit(), thus all future charges from runnings threads would be
redirected to the init_css_set's subsystem.
Signed-off-by: Balbir Singh <balbir@linux.vnet.ibm.com>
Cc: Pavel Emelianov <xemul@openvz.org>
Cc: Hugh Dickins <hugh@veritas.com>
Cc: Sudhir Kumar <skumar@linux.vnet.ibm.com>
Cc: YAMAMOTO Takashi <yamamoto@valinux.co.jp>
Cc: Hirokazu Takahashi <taka@valinux.co.jp>
Cc: David Rientjes <rientjes@google.com>,
Cc: Balbir Singh <balbir@linux.vnet.ibm.com>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Acked-by: Pekka Enberg <penberg@cs.helsinki.fi>
Reviewed-by: Paul Menage <menage@google.com>
Cc: Oleg Nesterov <oleg@tv-sign.ru>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-04-29 08:00:16 +00:00
|
|
|
return;
|
2011-06-15 22:08:43 +00:00
|
|
|
/*
|
|
|
|
* The current owner is exiting/execing and there are no other
|
|
|
|
* candidates. Do not leave the mm pointing to a possibly
|
|
|
|
* freed task structure.
|
|
|
|
*/
|
|
|
|
if (atomic_read(&mm->mm_users) <= 1) {
|
2019-05-14 22:40:50 +00:00
|
|
|
WRITE_ONCE(mm->owner, NULL);
|
2011-06-15 22:08:43 +00:00
|
|
|
return;
|
|
|
|
}
|
cgroups: add an owner to the mm_struct
Remove the mem_cgroup member from mm_struct and instead adds an owner.
This approach was suggested by Paul Menage. The advantage of this approach
is that, once the mm->owner is known, using the subsystem id, the cgroup
can be determined. It also allows several control groups that are
virtually grouped by mm_struct, to exist independent of the memory
controller i.e., without adding mem_cgroup's for each controller, to
mm_struct.
A new config option CONFIG_MM_OWNER is added and the memory resource
controller selects this config option.
This patch also adds cgroup callbacks to notify subsystems when mm->owner
changes. The mm_cgroup_changed callback is called with the task_lock() of
the new task held and is called just prior to changing the mm->owner.
I am indebted to Paul Menage for the several reviews of this patchset and
helping me make it lighter and simpler.
This patch was tested on a powerpc box, it was compiled with both the
MM_OWNER config turned on and off.
After the thread group leader exits, it's moved to init_css_state by
cgroup_exit(), thus all future charges from runnings threads would be
redirected to the init_css_set's subsystem.
Signed-off-by: Balbir Singh <balbir@linux.vnet.ibm.com>
Cc: Pavel Emelianov <xemul@openvz.org>
Cc: Hugh Dickins <hugh@veritas.com>
Cc: Sudhir Kumar <skumar@linux.vnet.ibm.com>
Cc: YAMAMOTO Takashi <yamamoto@valinux.co.jp>
Cc: Hirokazu Takahashi <taka@valinux.co.jp>
Cc: David Rientjes <rientjes@google.com>,
Cc: Balbir Singh <balbir@linux.vnet.ibm.com>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Acked-by: Pekka Enberg <penberg@cs.helsinki.fi>
Reviewed-by: Paul Menage <menage@google.com>
Cc: Oleg Nesterov <oleg@tv-sign.ru>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-04-29 08:00:16 +00:00
|
|
|
|
|
|
|
read_lock(&tasklist_lock);
|
|
|
|
/*
|
|
|
|
* Search in the children
|
|
|
|
*/
|
2024-06-26 15:29:30 +00:00
|
|
|
list_for_each_entry(g, &p->children, sibling) {
|
|
|
|
if (try_to_set_owner(g, mm))
|
2024-06-26 15:29:24 +00:00
|
|
|
goto ret;
|
cgroups: add an owner to the mm_struct
Remove the mem_cgroup member from mm_struct and instead adds an owner.
This approach was suggested by Paul Menage. The advantage of this approach
is that, once the mm->owner is known, using the subsystem id, the cgroup
can be determined. It also allows several control groups that are
virtually grouped by mm_struct, to exist independent of the memory
controller i.e., without adding mem_cgroup's for each controller, to
mm_struct.
A new config option CONFIG_MM_OWNER is added and the memory resource
controller selects this config option.
This patch also adds cgroup callbacks to notify subsystems when mm->owner
changes. The mm_cgroup_changed callback is called with the task_lock() of
the new task held and is called just prior to changing the mm->owner.
I am indebted to Paul Menage for the several reviews of this patchset and
helping me make it lighter and simpler.
This patch was tested on a powerpc box, it was compiled with both the
MM_OWNER config turned on and off.
After the thread group leader exits, it's moved to init_css_state by
cgroup_exit(), thus all future charges from runnings threads would be
redirected to the init_css_set's subsystem.
Signed-off-by: Balbir Singh <balbir@linux.vnet.ibm.com>
Cc: Pavel Emelianov <xemul@openvz.org>
Cc: Hugh Dickins <hugh@veritas.com>
Cc: Sudhir Kumar <skumar@linux.vnet.ibm.com>
Cc: YAMAMOTO Takashi <yamamoto@valinux.co.jp>
Cc: Hirokazu Takahashi <taka@valinux.co.jp>
Cc: David Rientjes <rientjes@google.com>,
Cc: Balbir Singh <balbir@linux.vnet.ibm.com>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Acked-by: Pekka Enberg <penberg@cs.helsinki.fi>
Reviewed-by: Paul Menage <menage@google.com>
Cc: Oleg Nesterov <oleg@tv-sign.ru>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-04-29 08:00:16 +00:00
|
|
|
}
|
|
|
|
/*
|
|
|
|
* Search in the siblings
|
|
|
|
*/
|
2024-06-26 15:29:30 +00:00
|
|
|
list_for_each_entry(g, &p->real_parent->children, sibling) {
|
|
|
|
if (try_to_set_owner(g, mm))
|
2024-06-26 15:29:24 +00:00
|
|
|
goto ret;
|
cgroups: add an owner to the mm_struct
Remove the mem_cgroup member from mm_struct and instead adds an owner.
This approach was suggested by Paul Menage. The advantage of this approach
is that, once the mm->owner is known, using the subsystem id, the cgroup
can be determined. It also allows several control groups that are
virtually grouped by mm_struct, to exist independent of the memory
controller i.e., without adding mem_cgroup's for each controller, to
mm_struct.
A new config option CONFIG_MM_OWNER is added and the memory resource
controller selects this config option.
This patch also adds cgroup callbacks to notify subsystems when mm->owner
changes. The mm_cgroup_changed callback is called with the task_lock() of
the new task held and is called just prior to changing the mm->owner.
I am indebted to Paul Menage for the several reviews of this patchset and
helping me make it lighter and simpler.
This patch was tested on a powerpc box, it was compiled with both the
MM_OWNER config turned on and off.
After the thread group leader exits, it's moved to init_css_state by
cgroup_exit(), thus all future charges from runnings threads would be
redirected to the init_css_set's subsystem.
Signed-off-by: Balbir Singh <balbir@linux.vnet.ibm.com>
Cc: Pavel Emelianov <xemul@openvz.org>
Cc: Hugh Dickins <hugh@veritas.com>
Cc: Sudhir Kumar <skumar@linux.vnet.ibm.com>
Cc: YAMAMOTO Takashi <yamamoto@valinux.co.jp>
Cc: Hirokazu Takahashi <taka@valinux.co.jp>
Cc: David Rientjes <rientjes@google.com>,
Cc: Balbir Singh <balbir@linux.vnet.ibm.com>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Acked-by: Pekka Enberg <penberg@cs.helsinki.fi>
Reviewed-by: Paul Menage <menage@google.com>
Cc: Oleg Nesterov <oleg@tv-sign.ru>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-04-29 08:00:16 +00:00
|
|
|
}
|
|
|
|
/*
|
2014-06-04 23:07:52 +00:00
|
|
|
* Search through everything else, we should not get here often.
|
cgroups: add an owner to the mm_struct
Remove the mem_cgroup member from mm_struct and instead adds an owner.
This approach was suggested by Paul Menage. The advantage of this approach
is that, once the mm->owner is known, using the subsystem id, the cgroup
can be determined. It also allows several control groups that are
virtually grouped by mm_struct, to exist independent of the memory
controller i.e., without adding mem_cgroup's for each controller, to
mm_struct.
A new config option CONFIG_MM_OWNER is added and the memory resource
controller selects this config option.
This patch also adds cgroup callbacks to notify subsystems when mm->owner
changes. The mm_cgroup_changed callback is called with the task_lock() of
the new task held and is called just prior to changing the mm->owner.
I am indebted to Paul Menage for the several reviews of this patchset and
helping me make it lighter and simpler.
This patch was tested on a powerpc box, it was compiled with both the
MM_OWNER config turned on and off.
After the thread group leader exits, it's moved to init_css_state by
cgroup_exit(), thus all future charges from runnings threads would be
redirected to the init_css_set's subsystem.
Signed-off-by: Balbir Singh <balbir@linux.vnet.ibm.com>
Cc: Pavel Emelianov <xemul@openvz.org>
Cc: Hugh Dickins <hugh@veritas.com>
Cc: Sudhir Kumar <skumar@linux.vnet.ibm.com>
Cc: YAMAMOTO Takashi <yamamoto@valinux.co.jp>
Cc: Hirokazu Takahashi <taka@valinux.co.jp>
Cc: David Rientjes <rientjes@google.com>,
Cc: Balbir Singh <balbir@linux.vnet.ibm.com>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Acked-by: Pekka Enberg <penberg@cs.helsinki.fi>
Reviewed-by: Paul Menage <menage@google.com>
Cc: Oleg Nesterov <oleg@tv-sign.ru>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-04-29 08:00:16 +00:00
|
|
|
*/
|
2014-06-04 23:07:54 +00:00
|
|
|
for_each_process(g) {
|
2024-06-20 12:21:24 +00:00
|
|
|
if (atomic_read(&mm->mm_users) <= 1)
|
|
|
|
break;
|
2014-06-04 23:07:54 +00:00
|
|
|
if (g->flags & PF_KTHREAD)
|
|
|
|
continue;
|
2024-06-26 15:29:30 +00:00
|
|
|
if (try_to_set_owner(g, mm))
|
|
|
|
goto ret;
|
2014-06-04 23:07:52 +00:00
|
|
|
}
|
cgroups: add an owner to the mm_struct
Remove the mem_cgroup member from mm_struct and instead adds an owner.
This approach was suggested by Paul Menage. The advantage of this approach
is that, once the mm->owner is known, using the subsystem id, the cgroup
can be determined. It also allows several control groups that are
virtually grouped by mm_struct, to exist independent of the memory
controller i.e., without adding mem_cgroup's for each controller, to
mm_struct.
A new config option CONFIG_MM_OWNER is added and the memory resource
controller selects this config option.
This patch also adds cgroup callbacks to notify subsystems when mm->owner
changes. The mm_cgroup_changed callback is called with the task_lock() of
the new task held and is called just prior to changing the mm->owner.
I am indebted to Paul Menage for the several reviews of this patchset and
helping me make it lighter and simpler.
This patch was tested on a powerpc box, it was compiled with both the
MM_OWNER config turned on and off.
After the thread group leader exits, it's moved to init_css_state by
cgroup_exit(), thus all future charges from runnings threads would be
redirected to the init_css_set's subsystem.
Signed-off-by: Balbir Singh <balbir@linux.vnet.ibm.com>
Cc: Pavel Emelianov <xemul@openvz.org>
Cc: Hugh Dickins <hugh@veritas.com>
Cc: Sudhir Kumar <skumar@linux.vnet.ibm.com>
Cc: YAMAMOTO Takashi <yamamoto@valinux.co.jp>
Cc: Hirokazu Takahashi <taka@valinux.co.jp>
Cc: David Rientjes <rientjes@google.com>,
Cc: Balbir Singh <balbir@linux.vnet.ibm.com>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Acked-by: Pekka Enberg <penberg@cs.helsinki.fi>
Reviewed-by: Paul Menage <menage@google.com>
Cc: Oleg Nesterov <oleg@tv-sign.ru>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-04-29 08:00:16 +00:00
|
|
|
read_unlock(&tasklist_lock);
|
mm owner: fix race between swapoff and exit
There's a race between mm->owner assignment and swapoff, more easily
seen when task slab poisoning is turned on. The condition occurs when
try_to_unuse() runs in parallel with an exiting task. A similar race
can occur with callers of get_task_mm(), such as /proc/<pid>/<mmstats>
or ptrace or page migration.
CPU0 CPU1
try_to_unuse
looks at mm = task0->mm
increments mm->mm_users
task 0 exits
mm->owner needs to be updated, but no
new owner is found (mm_users > 1, but
no other task has task->mm = task0->mm)
mm_update_next_owner() leaves
mmput(mm) decrements mm->mm_users
task0 freed
dereferencing mm->owner fails
The fix is to notify the subsystem via mm_owner_changed callback(),
if no new owner is found, by specifying the new task as NULL.
Jiri Slaby:
mm->owner was set to NULL prior to calling cgroup_mm_owner_callbacks(), but
must be set after that, so as not to pass NULL as old owner causing oops.
Daisuke Nishimura:
mm_update_next_owner() may set mm->owner to NULL, but mem_cgroup_from_task()
and its callers need to take account of this situation to avoid oops.
Hugh Dickins:
Lockdep warning and hang below exec_mmap() when testing these patches.
exit_mm() up_reads mmap_sem before calling mm_update_next_owner(),
so exec_mmap() now needs to do the same. And with that repositioning,
there's now no point in mm_need_new_owner() allowing for NULL mm.
Reported-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Balbir Singh <balbir@linux.vnet.ibm.com>
Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
Signed-off-by: Daisuke Nishimura <nishimura@mxp.nes.nec.co.jp>
Signed-off-by: Hugh Dickins <hugh@veritas.com>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Paul Menage <menage@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-09-28 22:09:31 +00:00
|
|
|
/*
|
|
|
|
* We found no owner yet mm_users > 1: this implies that we are
|
|
|
|
* most likely racing with swapoff (try_to_unuse()) or /proc or
|
2009-01-06 22:39:22 +00:00
|
|
|
* ptrace or page migration (get_task_mm()). Mark owner as NULL.
|
mm owner: fix race between swapoff and exit
There's a race between mm->owner assignment and swapoff, more easily
seen when task slab poisoning is turned on. The condition occurs when
try_to_unuse() runs in parallel with an exiting task. A similar race
can occur with callers of get_task_mm(), such as /proc/<pid>/<mmstats>
or ptrace or page migration.
CPU0 CPU1
try_to_unuse
looks at mm = task0->mm
increments mm->mm_users
task 0 exits
mm->owner needs to be updated, but no
new owner is found (mm_users > 1, but
no other task has task->mm = task0->mm)
mm_update_next_owner() leaves
mmput(mm) decrements mm->mm_users
task0 freed
dereferencing mm->owner fails
The fix is to notify the subsystem via mm_owner_changed callback(),
if no new owner is found, by specifying the new task as NULL.
Jiri Slaby:
mm->owner was set to NULL prior to calling cgroup_mm_owner_callbacks(), but
must be set after that, so as not to pass NULL as old owner causing oops.
Daisuke Nishimura:
mm_update_next_owner() may set mm->owner to NULL, but mem_cgroup_from_task()
and its callers need to take account of this situation to avoid oops.
Hugh Dickins:
Lockdep warning and hang below exec_mmap() when testing these patches.
exit_mm() up_reads mmap_sem before calling mm_update_next_owner(),
so exec_mmap() now needs to do the same. And with that repositioning,
there's now no point in mm_need_new_owner() allowing for NULL mm.
Reported-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Balbir Singh <balbir@linux.vnet.ibm.com>
Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
Signed-off-by: Daisuke Nishimura <nishimura@mxp.nes.nec.co.jp>
Signed-off-by: Hugh Dickins <hugh@veritas.com>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Paul Menage <menage@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-09-28 22:09:31 +00:00
|
|
|
*/
|
2019-05-14 22:40:50 +00:00
|
|
|
WRITE_ONCE(mm->owner, NULL);
|
2024-06-26 15:29:24 +00:00
|
|
|
ret:
|
cgroups: add an owner to the mm_struct
Remove the mem_cgroup member from mm_struct and instead adds an owner.
This approach was suggested by Paul Menage. The advantage of this approach
is that, once the mm->owner is known, using the subsystem id, the cgroup
can be determined. It also allows several control groups that are
virtually grouped by mm_struct, to exist independent of the memory
controller i.e., without adding mem_cgroup's for each controller, to
mm_struct.
A new config option CONFIG_MM_OWNER is added and the memory resource
controller selects this config option.
This patch also adds cgroup callbacks to notify subsystems when mm->owner
changes. The mm_cgroup_changed callback is called with the task_lock() of
the new task held and is called just prior to changing the mm->owner.
I am indebted to Paul Menage for the several reviews of this patchset and
helping me make it lighter and simpler.
This patch was tested on a powerpc box, it was compiled with both the
MM_OWNER config turned on and off.
After the thread group leader exits, it's moved to init_css_state by
cgroup_exit(), thus all future charges from runnings threads would be
redirected to the init_css_set's subsystem.
Signed-off-by: Balbir Singh <balbir@linux.vnet.ibm.com>
Cc: Pavel Emelianov <xemul@openvz.org>
Cc: Hugh Dickins <hugh@veritas.com>
Cc: Sudhir Kumar <skumar@linux.vnet.ibm.com>
Cc: YAMAMOTO Takashi <yamamoto@valinux.co.jp>
Cc: Hirokazu Takahashi <taka@valinux.co.jp>
Cc: David Rientjes <rientjes@google.com>,
Cc: Balbir Singh <balbir@linux.vnet.ibm.com>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Acked-by: Pekka Enberg <penberg@cs.helsinki.fi>
Reviewed-by: Paul Menage <menage@google.com>
Cc: Oleg Nesterov <oleg@tv-sign.ru>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-04-29 08:00:16 +00:00
|
|
|
return;
|
|
|
|
|
|
|
|
}
|
2014-06-04 23:07:34 +00:00
|
|
|
#endif /* CONFIG_MEMCG */
|
cgroups: add an owner to the mm_struct
Remove the mem_cgroup member from mm_struct and instead adds an owner.
This approach was suggested by Paul Menage. The advantage of this approach
is that, once the mm->owner is known, using the subsystem id, the cgroup
can be determined. It also allows several control groups that are
virtually grouped by mm_struct, to exist independent of the memory
controller i.e., without adding mem_cgroup's for each controller, to
mm_struct.
A new config option CONFIG_MM_OWNER is added and the memory resource
controller selects this config option.
This patch also adds cgroup callbacks to notify subsystems when mm->owner
changes. The mm_cgroup_changed callback is called with the task_lock() of
the new task held and is called just prior to changing the mm->owner.
I am indebted to Paul Menage for the several reviews of this patchset and
helping me make it lighter and simpler.
This patch was tested on a powerpc box, it was compiled with both the
MM_OWNER config turned on and off.
After the thread group leader exits, it's moved to init_css_state by
cgroup_exit(), thus all future charges from runnings threads would be
redirected to the init_css_set's subsystem.
Signed-off-by: Balbir Singh <balbir@linux.vnet.ibm.com>
Cc: Pavel Emelianov <xemul@openvz.org>
Cc: Hugh Dickins <hugh@veritas.com>
Cc: Sudhir Kumar <skumar@linux.vnet.ibm.com>
Cc: YAMAMOTO Takashi <yamamoto@valinux.co.jp>
Cc: Hirokazu Takahashi <taka@valinux.co.jp>
Cc: David Rientjes <rientjes@google.com>,
Cc: Balbir Singh <balbir@linux.vnet.ibm.com>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Acked-by: Pekka Enberg <penberg@cs.helsinki.fi>
Reviewed-by: Paul Menage <menage@google.com>
Cc: Oleg Nesterov <oleg@tv-sign.ru>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-04-29 08:00:16 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
/*
|
|
|
|
* Turn us into a lazy TLB process if we
|
|
|
|
* aren't already..
|
|
|
|
*/
|
2017-01-03 21:43:11 +00:00
|
|
|
static void exit_mm(void)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2017-01-03 21:43:11 +00:00
|
|
|
struct mm_struct *mm = current->mm;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2019-11-06 21:55:38 +00:00
|
|
|
exit_mm_release(current, mm);
|
2005-04-16 22:20:36 +00:00
|
|
|
if (!mm)
|
|
|
|
return;
|
2020-06-09 04:33:25 +00:00
|
|
|
mmap_read_lock(mm);
|
2023-02-03 07:18:34 +00:00
|
|
|
mmgrab_lazy_tlb(mm);
|
2017-01-03 21:43:11 +00:00
|
|
|
BUG_ON(mm != current->active_mm);
|
2005-04-16 22:20:36 +00:00
|
|
|
/* more a memory barrier than a real lock */
|
2017-01-03 21:43:11 +00:00
|
|
|
task_lock(current);
|
2020-10-20 13:47:13 +00:00
|
|
|
/*
|
|
|
|
* When a thread stops operating on an address space, the loop
|
|
|
|
* in membarrier_private_expedited() may not observe that
|
|
|
|
* tsk->mm, and the loop in membarrier_global_expedited() may
|
|
|
|
* not observe a MEMBARRIER_STATE_GLOBAL_EXPEDITED
|
|
|
|
* rq->membarrier_state, so those would not issue an IPI.
|
|
|
|
* Membarrier requires a memory barrier after accessing
|
|
|
|
* user-space memory, before clearing tsk->mm or the
|
|
|
|
* rq->membarrier_state.
|
|
|
|
*/
|
|
|
|
smp_mb__after_spinlock();
|
|
|
|
local_irq_disable();
|
2017-01-03 21:43:11 +00:00
|
|
|
current->mm = NULL;
|
2020-10-20 13:47:13 +00:00
|
|
|
membarrier_update_current_mm(NULL);
|
2005-04-16 22:20:36 +00:00
|
|
|
enter_lazy_tlb(mm, current);
|
2020-10-20 13:47:13 +00:00
|
|
|
local_irq_enable();
|
2017-01-03 21:43:11 +00:00
|
|
|
task_unlock(current);
|
2020-10-20 13:47:13 +00:00
|
|
|
mmap_read_unlock(mm);
|
cgroups: add an owner to the mm_struct
Remove the mem_cgroup member from mm_struct and instead adds an owner.
This approach was suggested by Paul Menage. The advantage of this approach
is that, once the mm->owner is known, using the subsystem id, the cgroup
can be determined. It also allows several control groups that are
virtually grouped by mm_struct, to exist independent of the memory
controller i.e., without adding mem_cgroup's for each controller, to
mm_struct.
A new config option CONFIG_MM_OWNER is added and the memory resource
controller selects this config option.
This patch also adds cgroup callbacks to notify subsystems when mm->owner
changes. The mm_cgroup_changed callback is called with the task_lock() of
the new task held and is called just prior to changing the mm->owner.
I am indebted to Paul Menage for the several reviews of this patchset and
helping me make it lighter and simpler.
This patch was tested on a powerpc box, it was compiled with both the
MM_OWNER config turned on and off.
After the thread group leader exits, it's moved to init_css_state by
cgroup_exit(), thus all future charges from runnings threads would be
redirected to the init_css_set's subsystem.
Signed-off-by: Balbir Singh <balbir@linux.vnet.ibm.com>
Cc: Pavel Emelianov <xemul@openvz.org>
Cc: Hugh Dickins <hugh@veritas.com>
Cc: Sudhir Kumar <skumar@linux.vnet.ibm.com>
Cc: YAMAMOTO Takashi <yamamoto@valinux.co.jp>
Cc: Hirokazu Takahashi <taka@valinux.co.jp>
Cc: David Rientjes <rientjes@google.com>,
Cc: Balbir Singh <balbir@linux.vnet.ibm.com>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Acked-by: Pekka Enberg <penberg@cs.helsinki.fi>
Reviewed-by: Paul Menage <menage@google.com>
Cc: Oleg Nesterov <oleg@tv-sign.ru>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-04-29 08:00:16 +00:00
|
|
|
mm_update_next_owner(mm);
|
2005-04-16 22:20:36 +00:00
|
|
|
mmput(mm);
|
2015-02-11 23:26:24 +00:00
|
|
|
if (test_thread_flag(TIF_MEMDIE))
|
2016-10-07 23:59:03 +00:00
|
|
|
exit_oom_victim();
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
2014-12-10 23:55:14 +00:00
|
|
|
static struct task_struct *find_alive_thread(struct task_struct *p)
|
|
|
|
{
|
|
|
|
struct task_struct *t;
|
|
|
|
|
|
|
|
for_each_thread(p, t) {
|
|
|
|
if (!(t->flags & PF_EXITING))
|
|
|
|
return t;
|
|
|
|
}
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2019-02-01 22:20:24 +00:00
|
|
|
static struct task_struct *find_child_reaper(struct task_struct *father,
|
|
|
|
struct list_head *dead)
|
2014-12-10 23:55:11 +00:00
|
|
|
__releases(&tasklist_lock)
|
|
|
|
__acquires(&tasklist_lock)
|
|
|
|
{
|
|
|
|
struct pid_namespace *pid_ns = task_active_pid_ns(father);
|
|
|
|
struct task_struct *reaper = pid_ns->child_reaper;
|
2019-02-01 22:20:24 +00:00
|
|
|
struct task_struct *p, *n;
|
2014-12-10 23:55:11 +00:00
|
|
|
|
|
|
|
if (likely(reaper != father))
|
|
|
|
return reaper;
|
|
|
|
|
2014-12-10 23:55:14 +00:00
|
|
|
reaper = find_alive_thread(father);
|
|
|
|
if (reaper) {
|
2014-12-10 23:55:11 +00:00
|
|
|
pid_ns->child_reaper = reaper;
|
|
|
|
return reaper;
|
|
|
|
}
|
|
|
|
|
|
|
|
write_unlock_irq(&tasklist_lock);
|
2019-02-01 22:20:24 +00:00
|
|
|
|
|
|
|
list_for_each_entry_safe(p, n, dead, ptrace_entry) {
|
|
|
|
list_del_init(&p->ptrace_entry);
|
|
|
|
release_task(p);
|
|
|
|
}
|
|
|
|
|
2014-12-10 23:55:11 +00:00
|
|
|
zap_pid_ns_processes(pid_ns);
|
|
|
|
write_lock_irq(&tasklist_lock);
|
|
|
|
|
|
|
|
return father;
|
|
|
|
}
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
/*
|
prctl: add PR_{SET,GET}_CHILD_SUBREAPER to allow simple process supervision
Userspace service managers/supervisors need to track their started
services. Many services daemonize by double-forking and get implicitly
re-parented to PID 1. The service manager will no longer be able to
receive the SIGCHLD signals for them, and is no longer in charge of
reaping the children with wait(). All information about the children is
lost at the moment PID 1 cleans up the re-parented processes.
With this prctl, a service manager process can mark itself as a sort of
'sub-init', able to stay as the parent for all orphaned processes
created by the started services. All SIGCHLD signals will be delivered
to the service manager.
Receiving SIGCHLD and doing wait() is in cases of a service-manager much
preferred over any possible asynchronous notification about specific
PIDs, because the service manager has full access to the child process
data in /proc and the PID can not be re-used until the wait(), the
service-manager itself is in charge of, has happened.
As a side effect, the relevant parent PID information does not get lost
by a double-fork, which results in a more elaborate process tree and
'ps' output:
before:
# ps afx
253 ? Ss 0:00 /bin/dbus-daemon --system --nofork
294 ? Sl 0:00 /usr/libexec/polkit-1/polkitd
328 ? S 0:00 /usr/sbin/modem-manager
608 ? Sl 0:00 /usr/libexec/colord
658 ? Sl 0:00 /usr/libexec/upowerd
819 ? Sl 0:00 /usr/libexec/imsettings-daemon
916 ? Sl 0:00 /usr/libexec/udisks-daemon
917 ? S 0:00 \_ udisks-daemon: not polling any devices
after:
# ps afx
294 ? Ss 0:00 /bin/dbus-daemon --system --nofork
426 ? Sl 0:00 \_ /usr/libexec/polkit-1/polkitd
449 ? S 0:00 \_ /usr/sbin/modem-manager
635 ? Sl 0:00 \_ /usr/libexec/colord
705 ? Sl 0:00 \_ /usr/libexec/upowerd
959 ? Sl 0:00 \_ /usr/libexec/udisks-daemon
960 ? S 0:00 | \_ udisks-daemon: not polling any devices
977 ? Sl 0:00 \_ /usr/libexec/packagekitd
This prctl is orthogonal to PID namespaces. PID namespaces are isolated
from each other, while a service management process usually requires the
services to live in the same namespace, to be able to talk to each
other.
Users of this will be the systemd per-user instance, which provides
init-like functionality for the user's login session and D-Bus, which
activates bus services on-demand. Both need init-like capabilities to
be able to properly keep track of the services they start.
Many thanks to Oleg for several rounds of review and insights.
[akpm@linux-foundation.org: fix comment layout and spelling]
[akpm@linux-foundation.org: add lengthy code comment from Oleg]
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Lennart Poettering <lennart@poettering.net>
Signed-off-by: Kay Sievers <kay.sievers@vrfy.org>
Acked-by: Valdis Kletnieks <Valdis.Kletnieks@vt.edu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-03-23 22:01:54 +00:00
|
|
|
* When we die, we re-parent all our children, and try to:
|
|
|
|
* 1. give them to another thread in our thread group, if such a member exists
|
|
|
|
* 2. give it to the first ancestor process which prctl'd itself as a
|
|
|
|
* child_subreaper for its children (like a service manager)
|
|
|
|
* 3. give it to the init process (PID 1) in our pid namespace
|
2005-04-16 22:20:36 +00:00
|
|
|
*/
|
2014-12-10 23:55:11 +00:00
|
|
|
static struct task_struct *find_new_reaper(struct task_struct *father,
|
|
|
|
struct task_struct *child_reaper)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2014-12-10 23:55:14 +00:00
|
|
|
struct task_struct *thread, *reaper;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2014-12-10 23:55:14 +00:00
|
|
|
thread = find_alive_thread(father);
|
|
|
|
if (thread)
|
2008-09-02 21:35:49 +00:00
|
|
|
return thread;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
exit: reparent: fix the cross-namespace PR_SET_CHILD_SUBREAPER reparenting
find_new_reaper() assumes that "has_child_subreaper" logic is safe as
long as we are not the exiting ->child_reaper and this is doubly wrong:
1. In fact it is safe if "pid_ns->child_reaper == father"; there must
be no children after zap_pid_ns_processes() returns, so it doesn't
matter what we return in this case and even pid_ns->child_reaper is
wrong otherwise: we can't reparent to ->child_reaper == current.
This is not a bug, but this is confusing.
2. It is not safe if we are not pid_ns->child_reaper but from the same
thread group. We drop tasklist_lock before zap_pid_ns_processes(),
so another thread can lock it and choose the new reaper from the
upper namespace if has_child_subreaper == T, and this is obviously
wrong.
This is not that bad, zap_pid_ns_processes() won't return until the
the new reaper reaps all zombies, but this should be fixed anyway.
We could change for_each_thread() loop to use ->exit_state instead of
PF_EXITING which we had to use until 8aac62706ada, or we could change
copy_signal() to check CLONE_NEWPID before setting has_child_subreaper,
but lets change this code so that it is clear we can't look outside of
our namespace, otherwise same_thread_group(reaper, child_reaper) check
will look wrong and confusing anyway.
We can simply start from "father" and fix the problem. We can't wrongly
return a thread from the same thread group if ->is_child_subreaper == T,
we know that all threads have PF_EXITING set.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Cc: Aaron Tomlin <atomlin@redhat.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Kay Sievers <kay@vrfy.org>
Cc: Lennart Poettering <lennart@poettering.net>
Cc: Sterling Alexander <stalexan@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-12-10 23:55:02 +00:00
|
|
|
if (father->signal->has_child_subreaper) {
|
2017-01-30 18:17:35 +00:00
|
|
|
unsigned int ns_level = task_pid(father)->level;
|
prctl: add PR_{SET,GET}_CHILD_SUBREAPER to allow simple process supervision
Userspace service managers/supervisors need to track their started
services. Many services daemonize by double-forking and get implicitly
re-parented to PID 1. The service manager will no longer be able to
receive the SIGCHLD signals for them, and is no longer in charge of
reaping the children with wait(). All information about the children is
lost at the moment PID 1 cleans up the re-parented processes.
With this prctl, a service manager process can mark itself as a sort of
'sub-init', able to stay as the parent for all orphaned processes
created by the started services. All SIGCHLD signals will be delivered
to the service manager.
Receiving SIGCHLD and doing wait() is in cases of a service-manager much
preferred over any possible asynchronous notification about specific
PIDs, because the service manager has full access to the child process
data in /proc and the PID can not be re-used until the wait(), the
service-manager itself is in charge of, has happened.
As a side effect, the relevant parent PID information does not get lost
by a double-fork, which results in a more elaborate process tree and
'ps' output:
before:
# ps afx
253 ? Ss 0:00 /bin/dbus-daemon --system --nofork
294 ? Sl 0:00 /usr/libexec/polkit-1/polkitd
328 ? S 0:00 /usr/sbin/modem-manager
608 ? Sl 0:00 /usr/libexec/colord
658 ? Sl 0:00 /usr/libexec/upowerd
819 ? Sl 0:00 /usr/libexec/imsettings-daemon
916 ? Sl 0:00 /usr/libexec/udisks-daemon
917 ? S 0:00 \_ udisks-daemon: not polling any devices
after:
# ps afx
294 ? Ss 0:00 /bin/dbus-daemon --system --nofork
426 ? Sl 0:00 \_ /usr/libexec/polkit-1/polkitd
449 ? S 0:00 \_ /usr/sbin/modem-manager
635 ? Sl 0:00 \_ /usr/libexec/colord
705 ? Sl 0:00 \_ /usr/libexec/upowerd
959 ? Sl 0:00 \_ /usr/libexec/udisks-daemon
960 ? S 0:00 | \_ udisks-daemon: not polling any devices
977 ? Sl 0:00 \_ /usr/libexec/packagekitd
This prctl is orthogonal to PID namespaces. PID namespaces are isolated
from each other, while a service management process usually requires the
services to live in the same namespace, to be able to talk to each
other.
Users of this will be the systemd per-user instance, which provides
init-like functionality for the user's login session and D-Bus, which
activates bus services on-demand. Both need init-like capabilities to
be able to properly keep track of the services they start.
Many thanks to Oleg for several rounds of review and insights.
[akpm@linux-foundation.org: fix comment layout and spelling]
[akpm@linux-foundation.org: add lengthy code comment from Oleg]
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Lennart Poettering <lennart@poettering.net>
Signed-off-by: Kay Sievers <kay.sievers@vrfy.org>
Acked-by: Valdis Kletnieks <Valdis.Kletnieks@vt.edu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-03-23 22:01:54 +00:00
|
|
|
/*
|
2014-12-10 23:55:08 +00:00
|
|
|
* Find the first ->is_child_subreaper ancestor in our pid_ns.
|
2017-01-30 18:17:35 +00:00
|
|
|
* We can't check reaper != child_reaper to ensure we do not
|
|
|
|
* cross the namespaces, the exiting parent could be injected
|
|
|
|
* by setns() + fork().
|
|
|
|
* We check pid->level, this is slightly more efficient than
|
|
|
|
* task_active_pid_ns(reaper) != task_active_pid_ns(father).
|
prctl: add PR_{SET,GET}_CHILD_SUBREAPER to allow simple process supervision
Userspace service managers/supervisors need to track their started
services. Many services daemonize by double-forking and get implicitly
re-parented to PID 1. The service manager will no longer be able to
receive the SIGCHLD signals for them, and is no longer in charge of
reaping the children with wait(). All information about the children is
lost at the moment PID 1 cleans up the re-parented processes.
With this prctl, a service manager process can mark itself as a sort of
'sub-init', able to stay as the parent for all orphaned processes
created by the started services. All SIGCHLD signals will be delivered
to the service manager.
Receiving SIGCHLD and doing wait() is in cases of a service-manager much
preferred over any possible asynchronous notification about specific
PIDs, because the service manager has full access to the child process
data in /proc and the PID can not be re-used until the wait(), the
service-manager itself is in charge of, has happened.
As a side effect, the relevant parent PID information does not get lost
by a double-fork, which results in a more elaborate process tree and
'ps' output:
before:
# ps afx
253 ? Ss 0:00 /bin/dbus-daemon --system --nofork
294 ? Sl 0:00 /usr/libexec/polkit-1/polkitd
328 ? S 0:00 /usr/sbin/modem-manager
608 ? Sl 0:00 /usr/libexec/colord
658 ? Sl 0:00 /usr/libexec/upowerd
819 ? Sl 0:00 /usr/libexec/imsettings-daemon
916 ? Sl 0:00 /usr/libexec/udisks-daemon
917 ? S 0:00 \_ udisks-daemon: not polling any devices
after:
# ps afx
294 ? Ss 0:00 /bin/dbus-daemon --system --nofork
426 ? Sl 0:00 \_ /usr/libexec/polkit-1/polkitd
449 ? S 0:00 \_ /usr/sbin/modem-manager
635 ? Sl 0:00 \_ /usr/libexec/colord
705 ? Sl 0:00 \_ /usr/libexec/upowerd
959 ? Sl 0:00 \_ /usr/libexec/udisks-daemon
960 ? S 0:00 | \_ udisks-daemon: not polling any devices
977 ? Sl 0:00 \_ /usr/libexec/packagekitd
This prctl is orthogonal to PID namespaces. PID namespaces are isolated
from each other, while a service management process usually requires the
services to live in the same namespace, to be able to talk to each
other.
Users of this will be the systemd per-user instance, which provides
init-like functionality for the user's login session and D-Bus, which
activates bus services on-demand. Both need init-like capabilities to
be able to properly keep track of the services they start.
Many thanks to Oleg for several rounds of review and insights.
[akpm@linux-foundation.org: fix comment layout and spelling]
[akpm@linux-foundation.org: add lengthy code comment from Oleg]
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Lennart Poettering <lennart@poettering.net>
Signed-off-by: Kay Sievers <kay.sievers@vrfy.org>
Acked-by: Valdis Kletnieks <Valdis.Kletnieks@vt.edu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-03-23 22:01:54 +00:00
|
|
|
*/
|
2017-01-30 18:17:35 +00:00
|
|
|
for (reaper = father->real_parent;
|
|
|
|
task_pid(reaper)->level == ns_level;
|
prctl: add PR_{SET,GET}_CHILD_SUBREAPER to allow simple process supervision
Userspace service managers/supervisors need to track their started
services. Many services daemonize by double-forking and get implicitly
re-parented to PID 1. The service manager will no longer be able to
receive the SIGCHLD signals for them, and is no longer in charge of
reaping the children with wait(). All information about the children is
lost at the moment PID 1 cleans up the re-parented processes.
With this prctl, a service manager process can mark itself as a sort of
'sub-init', able to stay as the parent for all orphaned processes
created by the started services. All SIGCHLD signals will be delivered
to the service manager.
Receiving SIGCHLD and doing wait() is in cases of a service-manager much
preferred over any possible asynchronous notification about specific
PIDs, because the service manager has full access to the child process
data in /proc and the PID can not be re-used until the wait(), the
service-manager itself is in charge of, has happened.
As a side effect, the relevant parent PID information does not get lost
by a double-fork, which results in a more elaborate process tree and
'ps' output:
before:
# ps afx
253 ? Ss 0:00 /bin/dbus-daemon --system --nofork
294 ? Sl 0:00 /usr/libexec/polkit-1/polkitd
328 ? S 0:00 /usr/sbin/modem-manager
608 ? Sl 0:00 /usr/libexec/colord
658 ? Sl 0:00 /usr/libexec/upowerd
819 ? Sl 0:00 /usr/libexec/imsettings-daemon
916 ? Sl 0:00 /usr/libexec/udisks-daemon
917 ? S 0:00 \_ udisks-daemon: not polling any devices
after:
# ps afx
294 ? Ss 0:00 /bin/dbus-daemon --system --nofork
426 ? Sl 0:00 \_ /usr/libexec/polkit-1/polkitd
449 ? S 0:00 \_ /usr/sbin/modem-manager
635 ? Sl 0:00 \_ /usr/libexec/colord
705 ? Sl 0:00 \_ /usr/libexec/upowerd
959 ? Sl 0:00 \_ /usr/libexec/udisks-daemon
960 ? S 0:00 | \_ udisks-daemon: not polling any devices
977 ? Sl 0:00 \_ /usr/libexec/packagekitd
This prctl is orthogonal to PID namespaces. PID namespaces are isolated
from each other, while a service management process usually requires the
services to live in the same namespace, to be able to talk to each
other.
Users of this will be the systemd per-user instance, which provides
init-like functionality for the user's login session and D-Bus, which
activates bus services on-demand. Both need init-like capabilities to
be able to properly keep track of the services they start.
Many thanks to Oleg for several rounds of review and insights.
[akpm@linux-foundation.org: fix comment layout and spelling]
[akpm@linux-foundation.org: add lengthy code comment from Oleg]
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Lennart Poettering <lennart@poettering.net>
Signed-off-by: Kay Sievers <kay.sievers@vrfy.org>
Acked-by: Valdis Kletnieks <Valdis.Kletnieks@vt.edu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-03-23 22:01:54 +00:00
|
|
|
reaper = reaper->real_parent) {
|
2014-12-10 23:55:08 +00:00
|
|
|
if (reaper == &init_task)
|
prctl: add PR_{SET,GET}_CHILD_SUBREAPER to allow simple process supervision
Userspace service managers/supervisors need to track their started
services. Many services daemonize by double-forking and get implicitly
re-parented to PID 1. The service manager will no longer be able to
receive the SIGCHLD signals for them, and is no longer in charge of
reaping the children with wait(). All information about the children is
lost at the moment PID 1 cleans up the re-parented processes.
With this prctl, a service manager process can mark itself as a sort of
'sub-init', able to stay as the parent for all orphaned processes
created by the started services. All SIGCHLD signals will be delivered
to the service manager.
Receiving SIGCHLD and doing wait() is in cases of a service-manager much
preferred over any possible asynchronous notification about specific
PIDs, because the service manager has full access to the child process
data in /proc and the PID can not be re-used until the wait(), the
service-manager itself is in charge of, has happened.
As a side effect, the relevant parent PID information does not get lost
by a double-fork, which results in a more elaborate process tree and
'ps' output:
before:
# ps afx
253 ? Ss 0:00 /bin/dbus-daemon --system --nofork
294 ? Sl 0:00 /usr/libexec/polkit-1/polkitd
328 ? S 0:00 /usr/sbin/modem-manager
608 ? Sl 0:00 /usr/libexec/colord
658 ? Sl 0:00 /usr/libexec/upowerd
819 ? Sl 0:00 /usr/libexec/imsettings-daemon
916 ? Sl 0:00 /usr/libexec/udisks-daemon
917 ? S 0:00 \_ udisks-daemon: not polling any devices
after:
# ps afx
294 ? Ss 0:00 /bin/dbus-daemon --system --nofork
426 ? Sl 0:00 \_ /usr/libexec/polkit-1/polkitd
449 ? S 0:00 \_ /usr/sbin/modem-manager
635 ? Sl 0:00 \_ /usr/libexec/colord
705 ? Sl 0:00 \_ /usr/libexec/upowerd
959 ? Sl 0:00 \_ /usr/libexec/udisks-daemon
960 ? S 0:00 | \_ udisks-daemon: not polling any devices
977 ? Sl 0:00 \_ /usr/libexec/packagekitd
This prctl is orthogonal to PID namespaces. PID namespaces are isolated
from each other, while a service management process usually requires the
services to live in the same namespace, to be able to talk to each
other.
Users of this will be the systemd per-user instance, which provides
init-like functionality for the user's login session and D-Bus, which
activates bus services on-demand. Both need init-like capabilities to
be able to properly keep track of the services they start.
Many thanks to Oleg for several rounds of review and insights.
[akpm@linux-foundation.org: fix comment layout and spelling]
[akpm@linux-foundation.org: add lengthy code comment from Oleg]
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Lennart Poettering <lennart@poettering.net>
Signed-off-by: Kay Sievers <kay.sievers@vrfy.org>
Acked-by: Valdis Kletnieks <Valdis.Kletnieks@vt.edu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-03-23 22:01:54 +00:00
|
|
|
break;
|
|
|
|
if (!reaper->signal->is_child_subreaper)
|
|
|
|
continue;
|
2014-12-10 23:55:14 +00:00
|
|
|
thread = find_alive_thread(reaper);
|
|
|
|
if (thread)
|
|
|
|
return thread;
|
prctl: add PR_{SET,GET}_CHILD_SUBREAPER to allow simple process supervision
Userspace service managers/supervisors need to track their started
services. Many services daemonize by double-forking and get implicitly
re-parented to PID 1. The service manager will no longer be able to
receive the SIGCHLD signals for them, and is no longer in charge of
reaping the children with wait(). All information about the children is
lost at the moment PID 1 cleans up the re-parented processes.
With this prctl, a service manager process can mark itself as a sort of
'sub-init', able to stay as the parent for all orphaned processes
created by the started services. All SIGCHLD signals will be delivered
to the service manager.
Receiving SIGCHLD and doing wait() is in cases of a service-manager much
preferred over any possible asynchronous notification about specific
PIDs, because the service manager has full access to the child process
data in /proc and the PID can not be re-used until the wait(), the
service-manager itself is in charge of, has happened.
As a side effect, the relevant parent PID information does not get lost
by a double-fork, which results in a more elaborate process tree and
'ps' output:
before:
# ps afx
253 ? Ss 0:00 /bin/dbus-daemon --system --nofork
294 ? Sl 0:00 /usr/libexec/polkit-1/polkitd
328 ? S 0:00 /usr/sbin/modem-manager
608 ? Sl 0:00 /usr/libexec/colord
658 ? Sl 0:00 /usr/libexec/upowerd
819 ? Sl 0:00 /usr/libexec/imsettings-daemon
916 ? Sl 0:00 /usr/libexec/udisks-daemon
917 ? S 0:00 \_ udisks-daemon: not polling any devices
after:
# ps afx
294 ? Ss 0:00 /bin/dbus-daemon --system --nofork
426 ? Sl 0:00 \_ /usr/libexec/polkit-1/polkitd
449 ? S 0:00 \_ /usr/sbin/modem-manager
635 ? Sl 0:00 \_ /usr/libexec/colord
705 ? Sl 0:00 \_ /usr/libexec/upowerd
959 ? Sl 0:00 \_ /usr/libexec/udisks-daemon
960 ? S 0:00 | \_ udisks-daemon: not polling any devices
977 ? Sl 0:00 \_ /usr/libexec/packagekitd
This prctl is orthogonal to PID namespaces. PID namespaces are isolated
from each other, while a service management process usually requires the
services to live in the same namespace, to be able to talk to each
other.
Users of this will be the systemd per-user instance, which provides
init-like functionality for the user's login session and D-Bus, which
activates bus services on-demand. Both need init-like capabilities to
be able to properly keep track of the services they start.
Many thanks to Oleg for several rounds of review and insights.
[akpm@linux-foundation.org: fix comment layout and spelling]
[akpm@linux-foundation.org: add lengthy code comment from Oleg]
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Lennart Poettering <lennart@poettering.net>
Signed-off-by: Kay Sievers <kay.sievers@vrfy.org>
Acked-by: Valdis Kletnieks <Valdis.Kletnieks@vt.edu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-03-23 22:01:54 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
pid namespaces: rework forget_original_parent()
A pid namespace is a "view" of a particular set of tasks on the system. They
work in a similar way to filesystem namespaces. A file (or a process) can be
accessed in multiple namespaces, but it may have a different name in each. In
a filesystem, this name might be /etc/passwd in one namespace, but
/chroot/etc/passwd in another.
For processes, a process may have pid 1234 in one namespace, but be pid 1 in
another. This allows new pid namespaces to have basically arbitrary pids, and
not have to worry about what pids exist in other namespaces. This is
essential for checkpoint/restart where a restarted process's pid might collide
with an existing process on the system's pid.
In this particular implementation, pid namespaces have a parent-child
relationship, just like processes. A process in a pid namespace may see all
of the processes in the same namespace, as well as all of the processes in all
of the namespaces which are children of its namespace. Processes may not,
however, see others which are in their parent's namespace, but not in their
own. The same goes for sibling namespaces.
The know issue to be solved in the nearest future is signal handling in the
namespace boundary. That is, currently the namespace's init is treated like
an ordinary task that can be killed from within an namespace. Ideally, the
signal handling by the namespace's init should have two sides: when signaling
the init from its namespace, the init should look like a real init task, i.e.
receive only those signals, that is explicitly wants to; when signaling the
init from one of the parent namespaces, init should look like an ordinary
task, i.e. receive any signal, only taking the general permissions into
account.
The pid namespace was developed by Pavel Emlyanov and Sukadev Bhattiprolu and
we eventually came to almost the same implementation, which differed in some
details. This set is based on Pavel's patches, but it includes comments and
patches that from Sukadev.
Many thanks to Oleg, who reviewed the patches, pointed out many BUGs and made
valuable advises on how to make this set cleaner.
This patch:
We have to call exit_task_namespaces() only after the exiting task has
reparented all his children and is sure that no other threads will reparent
theirs for it. Why this is needed is explained in appropriate patch. This
one only reworks the forget_original_parent() so that after calling this a
task cannot be/become parent of any other task.
We check PF_EXITING instead of ->exit_state while choosing the new parent.
Note that tasklits_lock acts as a barrier, everyone who takes tasklist after
us (when forget_original_parent() drops it) must see PF_EXITING.
The other changes are just cleanups. They just move some code from
exit_notify to forget_original_parent(). It is a bit silly to declare
ptrace_dead in exit_notify(), take tasklist, pass ptrace_dead to
forget_original_parent(), unlock-lock-unlock tasklist, and then use
ptrace_dead.
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Cc: Sukadev Bhattiprolu <sukadev@us.ibm.com>
Cc: Paul Menage <menage@google.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-10-19 06:40:00 +00:00
|
|
|
|
2014-12-10 23:55:11 +00:00
|
|
|
return child_reaper;
|
2008-09-02 21:35:49 +00:00
|
|
|
}
|
|
|
|
|
2009-04-02 23:58:19 +00:00
|
|
|
/*
|
|
|
|
* Any that need to be release_task'd are put on the @dead list.
|
|
|
|
*/
|
2009-12-17 23:27:15 +00:00
|
|
|
static void reparent_leader(struct task_struct *father, struct task_struct *p,
|
2009-04-02 23:58:19 +00:00
|
|
|
struct list_head *dead)
|
|
|
|
{
|
2014-12-10 23:45:30 +00:00
|
|
|
if (unlikely(p->exit_state == EXIT_DEAD))
|
2009-04-02 23:58:19 +00:00
|
|
|
return;
|
|
|
|
|
wait: introduce EXIT_TRACE to avoid the racy EXIT_DEAD->EXIT_ZOMBIE transition
wait_task_zombie() first does EXIT_ZOMBIE->EXIT_DEAD transition and
drops tasklist_lock. If this task is not the natural child and it is
traced, we change its state back to EXIT_ZOMBIE for ->real_parent.
The last transition is racy, this is even documented in 50b8d257486a
"ptrace: partially fix the do_wait(WEXITED) vs EXIT_DEAD->EXIT_ZOMBIE
race". wait_consider_task() tries to detect this transition and clear
->notask_error but we can't rely on ptrace_reparented(), debugger can
exit and do ptrace_unlink() before its sub-thread sets EXIT_ZOMBIE.
And there is another problem which were missed before: this transition
can also race with reparent_leader() which doesn't reset >exit_signal if
EXIT_DEAD, assuming that this task must be reaped by someone else. So
the tracee can be re-parented with ->exit_signal != SIGCHLD, and if
/sbin/init doesn't use __WALL it becomes unreapable. This was fixed by
the previous commit, but it was the temporary hack.
1. Add the new exit_state, EXIT_TRACE. It means that the task is the
traced zombie, debugger is going to detach and notify its natural
parent.
This new state is actually EXIT_ZOMBIE | EXIT_DEAD. This way we
can avoid the changes in proc/kgdb code, get_task_state() still
reports "X (dead)" in this case.
Note: with or without this change userspace can see Z -> X -> Z
transition. Not really bad, but probably makes sense to fix.
2. Change wait_task_zombie() to use EXIT_TRACE instead of EXIT_DEAD
if we need to notify the ->real_parent.
3. Revert the previous hack in reparent_leader(), now that EXIT_DEAD
is always the final state we can safely ignore such a task.
4. Change wait_consider_task() to check EXIT_TRACE separately and kill
the racy and no longer needed ptrace_reparented() case.
If ptrace == T an EXIT_TRACE thread should be simply ignored, the
owner of this state is going to ptrace_unlink() this task. We can
pretend that it was already removed from ->ptraced list.
Otherwise we should skip this thread too but clear ->notask_error,
we must be the natural parent and debugger is going to untrace and
notify us. IOW, this doesn't differ from "EXIT_ZOMBIE && p->ptrace"
even if the task was already untraced.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Reported-by: Jan Kratochvil <jan.kratochvil@redhat.com>
Reported-by: Michal Schmidt <mschmidt@redhat.com>
Tested-by: Michal Schmidt <mschmidt@redhat.com>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Lennart Poettering <lpoetter@redhat.com>
Cc: Roland McGrath <roland@hack.frob.com>
Cc: Tejun Heo <tj@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-04-07 22:38:42 +00:00
|
|
|
/* We don't want people slaying init. */
|
2009-04-02 23:58:19 +00:00
|
|
|
p->exit_signal = SIGCHLD;
|
|
|
|
|
|
|
|
/* If it has exited notify the new parent about this child's death. */
|
2011-06-17 14:50:34 +00:00
|
|
|
if (!p->ptrace &&
|
2009-04-02 23:58:19 +00:00
|
|
|
p->exit_state == EXIT_ZOMBIE && thread_group_empty(p)) {
|
2011-06-22 21:09:09 +00:00
|
|
|
if (do_notify_parent(p, p->exit_signal)) {
|
2009-04-02 23:58:19 +00:00
|
|
|
p->exit_state = EXIT_DEAD;
|
exit: reparent: use ->ptrace_entry rather than ->sibling for EXIT_DEAD tasks
reparent_leader() reuses ->sibling as a list node to add an EXIT_DEAD task
into dead_children list we are going to release. This obviously removes
the dead task from its real_parent->children list and this is even good;
the parent can do nothing with the EXIT_DEAD reparented zombie, it only
makes do_wait() slower.
But, this also means that it can not be reparented once again, so if its
new parent dies too nobody will update ->parent/real_parent, they can
point to the freed memory even before release_task() we are going to call,
this breaks the code which relies on pid_alive() to access
->real_parent/parent.
Fortunately this is mostly theoretical, this can only happen if init or
PR_SET_CHILD_SUBREAPER process ignores SIGCHLD and the new parent
sub-thread exits right after we drop tasklist_lock.
Change this code to use ->ptrace_entry instead, we know that the child is
not traced so nobody can ever use this member. This also allows to unify
this logic with exit_ptrace(), see the next changes.
Note: we really need to change release_task() to nullify real_parent/
parent/group_leader pointers, but we need to change the current users
first somehow. And it would be better to reap this zombie immediately but
release_task_locked() we need is complicated by proc_flush_task().
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Cc: Aaron Tomlin <atomlin@redhat.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
Cc: Sterling Alexander <stalexan@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Roland McGrath <roland@hack.frob.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-12-10 23:45:24 +00:00
|
|
|
list_add(&p->ptrace_entry, dead);
|
2009-04-02 23:58:19 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
kill_orphaned_pgrp(p, father);
|
|
|
|
}
|
|
|
|
|
2014-12-10 23:55:20 +00:00
|
|
|
/*
|
|
|
|
* This does two things:
|
|
|
|
*
|
|
|
|
* A. Make init inherit all the child processes
|
|
|
|
* B. Check to see if any process groups have become orphaned
|
|
|
|
* as a result of our exiting, and if they have any stopped
|
|
|
|
* jobs, send them a SIGHUP and then a SIGCONT. (POSIX 3.2.2.2)
|
|
|
|
*/
|
|
|
|
static void forget_original_parent(struct task_struct *father,
|
|
|
|
struct list_head *dead)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2014-12-10 23:55:20 +00:00
|
|
|
struct task_struct *p, *t, *reaper;
|
pid namespaces: rework forget_original_parent()
A pid namespace is a "view" of a particular set of tasks on the system. They
work in a similar way to filesystem namespaces. A file (or a process) can be
accessed in multiple namespaces, but it may have a different name in each. In
a filesystem, this name might be /etc/passwd in one namespace, but
/chroot/etc/passwd in another.
For processes, a process may have pid 1234 in one namespace, but be pid 1 in
another. This allows new pid namespaces to have basically arbitrary pids, and
not have to worry about what pids exist in other namespaces. This is
essential for checkpoint/restart where a restarted process's pid might collide
with an existing process on the system's pid.
In this particular implementation, pid namespaces have a parent-child
relationship, just like processes. A process in a pid namespace may see all
of the processes in the same namespace, as well as all of the processes in all
of the namespaces which are children of its namespace. Processes may not,
however, see others which are in their parent's namespace, but not in their
own. The same goes for sibling namespaces.
The know issue to be solved in the nearest future is signal handling in the
namespace boundary. That is, currently the namespace's init is treated like
an ordinary task that can be killed from within an namespace. Ideally, the
signal handling by the namespace's init should have two sides: when signaling
the init from its namespace, the init should look like a real init task, i.e.
receive only those signals, that is explicitly wants to; when signaling the
init from one of the parent namespaces, init should look like an ordinary
task, i.e. receive any signal, only taking the general permissions into
account.
The pid namespace was developed by Pavel Emlyanov and Sukadev Bhattiprolu and
we eventually came to almost the same implementation, which differed in some
details. This set is based on Pavel's patches, but it includes comments and
patches that from Sukadev.
Many thanks to Oleg, who reviewed the patches, pointed out many BUGs and made
valuable advises on how to make this set cleaner.
This patch:
We have to call exit_task_namespaces() only after the exiting task has
reparented all his children and is sure that no other threads will reparent
theirs for it. Why this is needed is explained in appropriate patch. This
one only reworks the forget_original_parent() so that after calling this a
task cannot be/become parent of any other task.
We check PF_EXITING instead of ->exit_state while choosing the new parent.
Note that tasklits_lock acts as a barrier, everyone who takes tasklist after
us (when forget_original_parent() drops it) must see PF_EXITING.
The other changes are just cleanups. They just move some code from
exit_notify to forget_original_parent(). It is a bit silly to declare
ptrace_dead in exit_notify(), take tasklist, pass ptrace_dead to
forget_original_parent(), unlock-lock-unlock tasklist, and then use
ptrace_dead.
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Cc: Sukadev Bhattiprolu <sukadev@us.ibm.com>
Cc: Paul Menage <menage@google.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-10-19 06:40:00 +00:00
|
|
|
|
2014-12-10 23:45:33 +00:00
|
|
|
if (unlikely(!list_empty(&father->ptraced)))
|
2014-12-10 23:55:20 +00:00
|
|
|
exit_ptrace(father, dead);
|
2008-03-25 01:36:23 +00:00
|
|
|
|
2014-12-10 23:45:33 +00:00
|
|
|
/* Can drop and reacquire tasklist_lock */
|
2019-02-01 22:20:24 +00:00
|
|
|
reaper = find_child_reaper(father, dead);
|
2014-12-10 23:55:17 +00:00
|
|
|
if (list_empty(&father->children))
|
2014-12-10 23:55:20 +00:00
|
|
|
return;
|
2014-12-10 23:55:11 +00:00
|
|
|
|
|
|
|
reaper = find_new_reaper(father, reaper);
|
2014-12-10 23:45:30 +00:00
|
|
|
list_for_each_entry(p, &father->children, sibling) {
|
2014-12-10 23:45:27 +00:00
|
|
|
for_each_thread(p, t) {
|
2020-01-30 06:20:28 +00:00
|
|
|
RCU_INIT_POINTER(t->real_parent, reaper);
|
|
|
|
BUG_ON((!t->ptrace) != (rcu_access_pointer(t->parent) == father));
|
2014-12-10 23:45:27 +00:00
|
|
|
if (likely(!t->ptrace))
|
2009-12-17 23:27:15 +00:00
|
|
|
t->parent = t->real_parent;
|
|
|
|
if (t->pdeath_signal)
|
|
|
|
group_send_sig_info(t->pdeath_signal,
|
2018-07-13 23:40:57 +00:00
|
|
|
SEND_SIG_NOINFO, t,
|
|
|
|
PIDTYPE_TGID);
|
2014-12-10 23:45:27 +00:00
|
|
|
}
|
2014-12-10 23:45:30 +00:00
|
|
|
/*
|
|
|
|
* If this is a threaded reparent there is no need to
|
|
|
|
* notify anyone anything has happened.
|
|
|
|
*/
|
|
|
|
if (!same_thread_group(reaper, father))
|
2014-12-10 23:55:20 +00:00
|
|
|
reparent_leader(father, p, dead);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
2014-12-10 23:45:30 +00:00
|
|
|
list_splice_tail_init(&father->children, &reaper->children);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Send signals to all our closest relatives so that they know
|
|
|
|
* to properly mourn us..
|
|
|
|
*/
|
2008-03-02 18:44:44 +00:00
|
|
|
static void exit_notify(struct task_struct *tsk, int group_dead)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2011-06-22 21:08:18 +00:00
|
|
|
bool autoreap;
|
2014-12-10 23:55:20 +00:00
|
|
|
struct task_struct *p, *n;
|
|
|
|
LIST_HEAD(dead);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
pid namespaces: rework forget_original_parent()
A pid namespace is a "view" of a particular set of tasks on the system. They
work in a similar way to filesystem namespaces. A file (or a process) can be
accessed in multiple namespaces, but it may have a different name in each. In
a filesystem, this name might be /etc/passwd in one namespace, but
/chroot/etc/passwd in another.
For processes, a process may have pid 1234 in one namespace, but be pid 1 in
another. This allows new pid namespaces to have basically arbitrary pids, and
not have to worry about what pids exist in other namespaces. This is
essential for checkpoint/restart where a restarted process's pid might collide
with an existing process on the system's pid.
In this particular implementation, pid namespaces have a parent-child
relationship, just like processes. A process in a pid namespace may see all
of the processes in the same namespace, as well as all of the processes in all
of the namespaces which are children of its namespace. Processes may not,
however, see others which are in their parent's namespace, but not in their
own. The same goes for sibling namespaces.
The know issue to be solved in the nearest future is signal handling in the
namespace boundary. That is, currently the namespace's init is treated like
an ordinary task that can be killed from within an namespace. Ideally, the
signal handling by the namespace's init should have two sides: when signaling
the init from its namespace, the init should look like a real init task, i.e.
receive only those signals, that is explicitly wants to; when signaling the
init from one of the parent namespaces, init should look like an ordinary
task, i.e. receive any signal, only taking the general permissions into
account.
The pid namespace was developed by Pavel Emlyanov and Sukadev Bhattiprolu and
we eventually came to almost the same implementation, which differed in some
details. This set is based on Pavel's patches, but it includes comments and
patches that from Sukadev.
Many thanks to Oleg, who reviewed the patches, pointed out many BUGs and made
valuable advises on how to make this set cleaner.
This patch:
We have to call exit_task_namespaces() only after the exiting task has
reparented all his children and is sure that no other threads will reparent
theirs for it. Why this is needed is explained in appropriate patch. This
one only reworks the forget_original_parent() so that after calling this a
task cannot be/become parent of any other task.
We check PF_EXITING instead of ->exit_state while choosing the new parent.
Note that tasklits_lock acts as a barrier, everyone who takes tasklist after
us (when forget_original_parent() drops it) must see PF_EXITING.
The other changes are just cleanups. They just move some code from
exit_notify to forget_original_parent(). It is a bit silly to declare
ptrace_dead in exit_notify(), take tasklist, pass ptrace_dead to
forget_original_parent(), unlock-lock-unlock tasklist, and then use
ptrace_dead.
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Cc: Sukadev Bhattiprolu <sukadev@us.ibm.com>
Cc: Paul Menage <menage@google.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-10-19 06:40:00 +00:00
|
|
|
write_lock_irq(&tasklist_lock);
|
2014-12-10 23:55:20 +00:00
|
|
|
forget_original_parent(tsk, &dead);
|
|
|
|
|
2008-03-02 18:44:44 +00:00
|
|
|
if (group_dead)
|
|
|
|
kill_orphaned_pgrp(tsk->group_leader, NULL);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2019-07-17 17:21:00 +00:00
|
|
|
tsk->exit_state = EXIT_ZOMBIE;
|
2024-01-31 13:26:02 +00:00
|
|
|
/*
|
|
|
|
* sub-thread or delay_group_leader(), wake up the
|
|
|
|
* PIDFD_THREAD waiters.
|
|
|
|
*/
|
|
|
|
if (!thread_group_empty(tsk))
|
|
|
|
do_notify_pidfd(tsk);
|
|
|
|
|
2011-06-23 17:06:50 +00:00
|
|
|
if (unlikely(tsk->ptrace)) {
|
|
|
|
int sig = thread_group_leader(tsk) &&
|
|
|
|
thread_group_empty(tsk) &&
|
|
|
|
!ptrace_reparented(tsk) ?
|
|
|
|
tsk->exit_signal : SIGCHLD;
|
|
|
|
autoreap = do_notify_parent(tsk, sig);
|
|
|
|
} else if (thread_group_leader(tsk)) {
|
|
|
|
autoreap = thread_group_empty(tsk) &&
|
|
|
|
do_notify_parent(tsk, tsk->exit_signal);
|
|
|
|
} else {
|
|
|
|
autoreap = true;
|
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2019-07-29 15:48:24 +00:00
|
|
|
if (autoreap) {
|
|
|
|
tsk->exit_state = EXIT_DEAD;
|
2014-12-10 23:55:23 +00:00
|
|
|
list_add(&tsk->ptrace_entry, &dead);
|
2019-07-29 15:48:24 +00:00
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2010-05-26 21:43:10 +00:00
|
|
|
/* mt-exec, de_thread() is waiting for group leader */
|
|
|
|
if (unlikely(tsk->signal->notify_count < 0))
|
2021-06-06 18:47:53 +00:00
|
|
|
wake_up_process(tsk->signal->group_exec_task);
|
2005-04-16 22:20:36 +00:00
|
|
|
write_unlock_irq(&tasklist_lock);
|
|
|
|
|
2014-12-10 23:55:20 +00:00
|
|
|
list_for_each_entry_safe(p, n, &dead, ptrace_entry) {
|
|
|
|
list_del_init(&p->ptrace_entry);
|
|
|
|
release_task(p);
|
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
2007-07-16 06:38:48 +00:00
|
|
|
#ifdef CONFIG_DEBUG_STACK_USAGE
|
2024-07-24 20:33:22 +00:00
|
|
|
unsigned long stack_not_used(struct task_struct *p)
|
|
|
|
{
|
|
|
|
unsigned long *n = end_of_stack(p);
|
|
|
|
|
|
|
|
do { /* Skip over canary */
|
|
|
|
# ifdef CONFIG_STACK_GROWSUP
|
|
|
|
n--;
|
|
|
|
# else
|
|
|
|
n++;
|
|
|
|
# endif
|
|
|
|
} while (!*n);
|
|
|
|
|
|
|
|
# ifdef CONFIG_STACK_GROWSUP
|
|
|
|
return (unsigned long)end_of_stack(p) - (unsigned long)n;
|
|
|
|
# else
|
|
|
|
return (unsigned long)n - (unsigned long)end_of_stack(p);
|
|
|
|
# endif
|
|
|
|
}
|
|
|
|
|
2024-07-24 20:33:21 +00:00
|
|
|
/* Count the maximum pages reached in kernel stacks */
|
|
|
|
static inline void kstack_histogram(unsigned long used_stack)
|
|
|
|
{
|
|
|
|
#ifdef CONFIG_VM_EVENT_COUNTERS
|
|
|
|
if (used_stack <= 1024)
|
|
|
|
count_vm_event(KSTACK_1K);
|
|
|
|
#if THREAD_SIZE > 1024
|
|
|
|
else if (used_stack <= 2048)
|
|
|
|
count_vm_event(KSTACK_2K);
|
|
|
|
#endif
|
|
|
|
#if THREAD_SIZE > 2048
|
|
|
|
else if (used_stack <= 4096)
|
|
|
|
count_vm_event(KSTACK_4K);
|
|
|
|
#endif
|
|
|
|
#if THREAD_SIZE > 4096
|
|
|
|
else if (used_stack <= 8192)
|
|
|
|
count_vm_event(KSTACK_8K);
|
|
|
|
#endif
|
|
|
|
#if THREAD_SIZE > 8192
|
|
|
|
else if (used_stack <= 16384)
|
|
|
|
count_vm_event(KSTACK_16K);
|
|
|
|
#endif
|
|
|
|
#if THREAD_SIZE > 16384
|
|
|
|
else if (used_stack <= 32768)
|
|
|
|
count_vm_event(KSTACK_32K);
|
|
|
|
#endif
|
|
|
|
#if THREAD_SIZE > 32768
|
|
|
|
else if (used_stack <= 65536)
|
|
|
|
count_vm_event(KSTACK_64K);
|
|
|
|
#endif
|
|
|
|
#if THREAD_SIZE > 65536
|
|
|
|
else
|
|
|
|
count_vm_event(KSTACK_REST);
|
|
|
|
#endif
|
|
|
|
#endif /* CONFIG_VM_EVENT_COUNTERS */
|
|
|
|
}
|
|
|
|
|
2007-07-16 06:38:48 +00:00
|
|
|
static void check_stack_usage(void)
|
|
|
|
{
|
|
|
|
static DEFINE_SPINLOCK(low_water_lock);
|
|
|
|
static int lowest_to_date = THREAD_SIZE;
|
|
|
|
unsigned long free;
|
|
|
|
|
2008-04-22 21:38:23 +00:00
|
|
|
free = stack_not_used(current);
|
2024-07-24 20:33:21 +00:00
|
|
|
kstack_histogram(THREAD_SIZE - free);
|
2007-07-16 06:38:48 +00:00
|
|
|
|
|
|
|
if (free >= lowest_to_date)
|
|
|
|
return;
|
|
|
|
|
|
|
|
spin_lock(&low_water_lock);
|
|
|
|
if (free < lowest_to_date) {
|
2016-08-02 21:05:40 +00:00
|
|
|
pr_info("%s (%d) used greatest stack depth: %lu bytes left\n",
|
2014-08-08 21:21:18 +00:00
|
|
|
current->comm, task_pid_nr(current), free);
|
2007-07-16 06:38:48 +00:00
|
|
|
lowest_to_date = free;
|
|
|
|
}
|
|
|
|
spin_unlock(&low_water_lock);
|
|
|
|
}
|
|
|
|
#else
|
|
|
|
static inline void check_stack_usage(void) {}
|
|
|
|
#endif
|
|
|
|
|
2022-06-21 19:38:52 +00:00
|
|
|
static void synchronize_group_exit(struct task_struct *tsk, long code)
|
|
|
|
{
|
|
|
|
struct sighand_struct *sighand = tsk->sighand;
|
|
|
|
struct signal_struct *signal = tsk->signal;
|
|
|
|
|
|
|
|
spin_lock_irq(&sighand->siglock);
|
|
|
|
signal->quick_threads--;
|
|
|
|
if ((signal->quick_threads == 0) &&
|
|
|
|
!(signal->flags & SIGNAL_GROUP_EXIT)) {
|
|
|
|
signal->flags = SIGNAL_GROUP_EXIT;
|
|
|
|
signal->group_exit_code = code;
|
|
|
|
signal->group_stop_count = 0;
|
|
|
|
}
|
|
|
|
spin_unlock_irq(&sighand->siglock);
|
|
|
|
}
|
|
|
|
|
2016-09-13 16:37:29 +00:00
|
|
|
void __noreturn do_exit(long code)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
struct task_struct *tsk = current;
|
|
|
|
int group_dead;
|
|
|
|
|
2023-01-20 01:18:20 +00:00
|
|
|
WARN_ON(irqs_disabled());
|
|
|
|
|
2022-06-21 19:38:52 +00:00
|
|
|
synchronize_group_exit(tsk, code);
|
|
|
|
|
2022-01-27 07:05:48 +00:00
|
|
|
WARN_ON(tsk->plug);
|
2005-06-27 08:55:12 +00:00
|
|
|
|
2020-03-05 22:06:57 +00:00
|
|
|
kcov_task_exit(tsk);
|
2022-09-15 15:03:50 +00:00
|
|
|
kmsan_task_exit(tsk);
|
2020-03-05 22:06:57 +00:00
|
|
|
|
2021-09-01 16:33:50 +00:00
|
|
|
coredump_task_exit(tsk);
|
2011-06-17 14:50:37 +00:00
|
|
|
ptrace_event(PTRACE_EVENT_EXIT, code);
|
2023-03-28 23:52:09 +00:00
|
|
|
user_events_exit(tsk);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2021-08-12 04:14:35 +00:00
|
|
|
io_uring_files_cancel();
|
2008-02-08 12:19:12 +00:00
|
|
|
exit_signals(tsk); /* sets PF_EXITING */
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2024-06-28 02:10:12 +00:00
|
|
|
seccomp_filter_release(tsk);
|
|
|
|
|
2015-06-25 22:03:56 +00:00
|
|
|
acct_update_integrals(tsk);
|
2005-04-16 22:20:36 +00:00
|
|
|
group_dead = atomic_dec_and_test(&tsk->signal->live);
|
2005-08-04 23:49:32 +00:00
|
|
|
if (group_dead) {
|
2019-12-19 06:29:53 +00:00
|
|
|
/*
|
|
|
|
* If the last thread of global init has exited, panic
|
|
|
|
* immediately to get a useable coredump.
|
|
|
|
*/
|
|
|
|
if (unlikely(is_global_init(tsk)))
|
|
|
|
panic("Attempted to kill init! exitcode=0x%08x\n",
|
|
|
|
tsk->signal->group_exit_code ?: (int)code);
|
|
|
|
|
posix-timers: Make them configurable
Some embedded systems have no use for them. This removes about
25KB from the kernel binary size when configured out.
Corresponding syscalls are routed to a stub logging the attempt to
use those syscalls which should be enough of a clue if they were
disabled without proper consideration. They are: timer_create,
timer_gettime: timer_getoverrun, timer_settime, timer_delete,
clock_adjtime, setitimer, getitimer, alarm.
The clock_settime, clock_gettime, clock_getres and clock_nanosleep
syscalls are replaced by simple wrappers compatible with CLOCK_REALTIME,
CLOCK_MONOTONIC and CLOCK_BOOTTIME only which should cover the vast
majority of use cases with very little code.
Signed-off-by: Nicolas Pitre <nico@linaro.org>
Acked-by: Richard Cochran <richardcochran@gmail.com>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: John Stultz <john.stultz@linaro.org>
Reviewed-by: Josh Triplett <josh@joshtriplett.org>
Cc: Paul Bolle <pebolle@tiscali.nl>
Cc: linux-kbuild@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: Michal Marek <mmarek@suse.com>
Cc: Edward Cree <ecree@solarflare.com>
Link: http://lkml.kernel.org/r/1478841010-28605-7-git-send-email-nicolas.pitre@linaro.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
2016-11-11 05:10:10 +00:00
|
|
|
#ifdef CONFIG_POSIX_TIMERS
|
2007-06-08 20:47:00 +00:00
|
|
|
hrtimer_cancel(&tsk->signal->real_timer);
|
2022-07-11 16:16:25 +00:00
|
|
|
exit_itimers(tsk);
|
posix-timers: Make them configurable
Some embedded systems have no use for them. This removes about
25KB from the kernel binary size when configured out.
Corresponding syscalls are routed to a stub logging the attempt to
use those syscalls which should be enough of a clue if they were
disabled without proper consideration. They are: timer_create,
timer_gettime: timer_getoverrun, timer_settime, timer_delete,
clock_adjtime, setitimer, getitimer, alarm.
The clock_settime, clock_gettime, clock_getres and clock_nanosleep
syscalls are replaced by simple wrappers compatible with CLOCK_REALTIME,
CLOCK_MONOTONIC and CLOCK_BOOTTIME only which should cover the vast
majority of use cases with very little code.
Signed-off-by: Nicolas Pitre <nico@linaro.org>
Acked-by: Richard Cochran <richardcochran@gmail.com>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: John Stultz <john.stultz@linaro.org>
Reviewed-by: Josh Triplett <josh@joshtriplett.org>
Cc: Paul Bolle <pebolle@tiscali.nl>
Cc: linux-kbuild@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: Michal Marek <mmarek@suse.com>
Cc: Edward Cree <ecree@solarflare.com>
Link: http://lkml.kernel.org/r/1478841010-28605-7-git-send-email-nicolas.pitre@linaro.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
2016-11-11 05:10:10 +00:00
|
|
|
#endif
|
getrusage: fill ru_maxrss value
Make ->ru_maxrss value in struct rusage filled accordingly to rss hiwater
mark. This struct is filled as a parameter to getrusage syscall.
->ru_maxrss value is set to KBs which is the way it is done in BSD
systems. /usr/bin/time (gnu time) application converts ->ru_maxrss to KBs
which seems to be incorrect behavior. Maintainer of this util was
notified by me with the patch which corrects it and cc'ed.
To make this happen we extend struct signal_struct by two fields. The
first one is ->maxrss which we use to store rss hiwater of the task. The
second one is ->cmaxrss which we use to store highest rss hiwater of all
task childs. These values are used in k_getrusage() to actually fill
->ru_maxrss. k_getrusage() uses current rss hiwater value directly if mm
struct exists.
Note:
exec() clear mm->hiwater_rss, but doesn't clear sig->maxrss.
it is intetionally behavior. *BSD getrusage have exec() inheriting.
test programs
========================================================
getrusage.c
===========
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <signal.h>
#include <sys/mman.h>
#include "common.h"
#define err(str) perror(str), exit(1)
int main(int argc, char** argv)
{
int status;
printf("allocate 100MB\n");
consume(100);
printf("testcase1: fork inherit? \n");
printf(" expect: initial.self ~= child.self\n");
show_rusage("initial");
if (__fork()) {
wait(&status);
} else {
show_rusage("fork child");
_exit(0);
}
printf("\n");
printf("testcase2: fork inherit? (cont.) \n");
printf(" expect: initial.children ~= 100MB, but child.children = 0\n");
show_rusage("initial");
if (__fork()) {
wait(&status);
} else {
show_rusage("child");
_exit(0);
}
printf("\n");
printf("testcase3: fork + malloc \n");
printf(" expect: child.self ~= initial.self + 50MB\n");
show_rusage("initial");
if (__fork()) {
wait(&status);
} else {
printf("allocate +50MB\n");
consume(50);
show_rusage("fork child");
_exit(0);
}
printf("\n");
printf("testcase4: grandchild maxrss\n");
printf(" expect: post_wait.children ~= 300MB\n");
show_rusage("initial");
if (__fork()) {
wait(&status);
show_rusage("post_wait");
} else {
system("./child -n 0 -g 300");
_exit(0);
}
printf("\n");
printf("testcase5: zombie\n");
printf(" expect: pre_wait ~= initial, IOW the zombie process is not accounted.\n");
printf(" post_wait ~= 400MB, IOW wait() collect child's max_rss. \n");
show_rusage("initial");
if (__fork()) {
sleep(1); /* children become zombie */
show_rusage("pre_wait");
wait(&status);
show_rusage("post_wait");
} else {
system("./child -n 400");
_exit(0);
}
printf("\n");
printf("testcase6: SIG_IGN\n");
printf(" expect: initial ~= after_zombie (child's 500MB alloc should be ignored).\n");
show_rusage("initial");
signal(SIGCHLD, SIG_IGN);
if (__fork()) {
sleep(1); /* children become zombie */
show_rusage("after_zombie");
} else {
system("./child -n 500");
_exit(0);
}
printf("\n");
signal(SIGCHLD, SIG_DFL);
printf("testcase7: exec (without fork) \n");
printf(" expect: initial ~= exec \n");
show_rusage("initial");
execl("./child", "child", "-v", NULL);
return 0;
}
child.c
=======
#include <sys/types.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>
#include "common.h"
int main(int argc, char** argv)
{
int status;
int c;
long consume_size = 0;
long grandchild_consume_size = 0;
int show = 0;
while ((c = getopt(argc, argv, "n:g:v")) != -1) {
switch (c) {
case 'n':
consume_size = atol(optarg);
break;
case 'v':
show = 1;
break;
case 'g':
grandchild_consume_size = atol(optarg);
break;
default:
break;
}
}
if (show)
show_rusage("exec");
if (consume_size) {
printf("child alloc %ldMB\n", consume_size);
consume(consume_size);
}
if (grandchild_consume_size) {
if (fork()) {
wait(&status);
} else {
printf("grandchild alloc %ldMB\n", grandchild_consume_size);
consume(grandchild_consume_size);
exit(0);
}
}
return 0;
}
common.c
========
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <signal.h>
#include <sys/mman.h>
#include "common.h"
#define err(str) perror(str), exit(1)
void show_rusage(char *prefix)
{
int err, err2;
struct rusage rusage_self;
struct rusage rusage_children;
printf("%s: ", prefix);
err = getrusage(RUSAGE_SELF, &rusage_self);
if (!err)
printf("self %ld ", rusage_self.ru_maxrss);
err2 = getrusage(RUSAGE_CHILDREN, &rusage_children);
if (!err2)
printf("children %ld ", rusage_children.ru_maxrss);
printf("\n");
}
/* Some buggy OS need this worthless CPU waste. */
void make_pagefault(void)
{
void *addr;
int size = getpagesize();
int i;
for (i=0; i<1000; i++) {
addr = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
if (addr == MAP_FAILED)
err("make_pagefault");
memset(addr, 0, size);
munmap(addr, size);
}
}
void consume(int mega)
{
size_t sz = mega * 1024 * 1024;
void *ptr;
ptr = malloc(sz);
memset(ptr, 0, sz);
make_pagefault();
}
pid_t __fork(void)
{
pid_t pid;
pid = fork();
make_pagefault();
return pid;
}
common.h
========
void show_rusage(char *prefix);
void make_pagefault(void);
void consume(int mega);
pid_t __fork(void);
FreeBSD result (expected result)
========================================================
allocate 100MB
testcase1: fork inherit?
expect: initial.self ~= child.self
initial: self 103492 children 0
fork child: self 103540 children 0
testcase2: fork inherit? (cont.)
expect: initial.children ~= 100MB, but child.children = 0
initial: self 103540 children 103540
child: self 103564 children 0
testcase3: fork + malloc
expect: child.self ~= initial.self + 50MB
initial: self 103564 children 103564
allocate +50MB
fork child: self 154860 children 0
testcase4: grandchild maxrss
expect: post_wait.children ~= 300MB
initial: self 103564 children 154860
grandchild alloc 300MB
post_wait: self 103564 children 308720
testcase5: zombie
expect: pre_wait ~= initial, IOW the zombie process is not accounted.
post_wait ~= 400MB, IOW wait() collect child's max_rss.
initial: self 103564 children 308720
child alloc 400MB
pre_wait: self 103564 children 308720
post_wait: self 103564 children 411312
testcase6: SIG_IGN
expect: initial ~= after_zombie (child's 500MB alloc should be ignored).
initial: self 103564 children 411312
child alloc 500MB
after_zombie: self 103624 children 411312
testcase7: exec (without fork)
expect: initial ~= exec
initial: self 103624 children 411312
exec: self 103624 children 411312
Linux result (actual test result)
========================================================
allocate 100MB
testcase1: fork inherit?
expect: initial.self ~= child.self
initial: self 102848 children 0
fork child: self 102572 children 0
testcase2: fork inherit? (cont.)
expect: initial.children ~= 100MB, but child.children = 0
initial: self 102876 children 102644
child: self 102572 children 0
testcase3: fork + malloc
expect: child.self ~= initial.self + 50MB
initial: self 102876 children 102644
allocate +50MB
fork child: self 153804 children 0
testcase4: grandchild maxrss
expect: post_wait.children ~= 300MB
initial: self 102876 children 153864
grandchild alloc 300MB
post_wait: self 102876 children 307536
testcase5: zombie
expect: pre_wait ~= initial, IOW the zombie process is not accounted.
post_wait ~= 400MB, IOW wait() collect child's max_rss.
initial: self 102876 children 307536
child alloc 400MB
pre_wait: self 102876 children 307536
post_wait: self 102876 children 410076
testcase6: SIG_IGN
expect: initial ~= after_zombie (child's 500MB alloc should be ignored).
initial: self 102876 children 410076
child alloc 500MB
after_zombie: self 102880 children 410076
testcase7: exec (without fork)
expect: initial ~= exec
initial: self 102880 children 410076
exec: self 102880 children 410076
Signed-off-by: Jiri Pirko <jpirko@redhat.com>
Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-09-22 23:44:10 +00:00
|
|
|
if (tsk->mm)
|
|
|
|
setmax_mm_hiwater_rss(&tsk->signal->maxrss, tsk->mm);
|
2005-08-04 23:49:32 +00:00
|
|
|
}
|
2006-06-25 12:49:25 +00:00
|
|
|
acct_collect(code, group_dead);
|
Audit: add TTY input auditing
Add TTY input auditing, used to audit system administrator's actions. This is
required by various security standards such as DCID 6/3 and PCI to provide
non-repudiation of administrator's actions and to allow a review of past
actions if the administrator seems to overstep their duties or if the system
becomes misconfigured for unknown reasons. These requirements do not make it
necessary to audit TTY output as well.
Compared to an user-space keylogger, this approach records TTY input using the
audit subsystem, correlated with other audit events, and it is completely
transparent to the user-space application (e.g. the console ioctls still
work).
TTY input auditing works on a higher level than auditing all system calls
within the session, which would produce an overwhelming amount of mostly
useless audit events.
Add an "audit_tty" attribute, inherited across fork (). Data read from TTYs
by process with the attribute is sent to the audit subsystem by the kernel.
The audit netlink interface is extended to allow modifying the audit_tty
attribute, and to allow sending explanatory audit events from user-space (for
example, a shell might send an event containing the final command, after the
interactive command-line editing and history expansion is performed, which
might be difficult to decipher from the TTY input alone).
Because the "audit_tty" attribute is inherited across fork (), it would be set
e.g. for sshd restarted within an audited session. To prevent this, the
audit_tty attribute is cleared when a process with no open TTY file
descriptors (e.g. after daemon startup) opens a TTY.
See https://www.redhat.com/archives/linux-audit/2007-June/msg00000.html for a
more detailed rationale document for an older version of this patch.
[akpm@linux-foundation.org: build fix]
Signed-off-by: Miloslav Trmac <mitr@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: Paul Fulghum <paulkf@microgate.com>
Cc: Casey Schaufler <casey@schaufler-ca.com>
Cc: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-07-16 06:40:56 +00:00
|
|
|
if (group_dead)
|
|
|
|
tty_audit_exit();
|
2012-01-03 19:23:07 +00:00
|
|
|
audit_free(tsk);
|
2006-12-07 04:36:51 +00:00
|
|
|
|
2012-06-08 00:54:07 +00:00
|
|
|
tsk->exit_code = code;
|
2006-12-07 04:36:51 +00:00
|
|
|
taskstats_exit(tsk, group_dead);
|
2006-07-14 07:24:40 +00:00
|
|
|
|
2017-01-03 21:43:11 +00:00
|
|
|
exit_mm();
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2006-06-25 12:49:24 +00:00
|
|
|
if (group_dead)
|
2006-06-25 12:49:25 +00:00
|
|
|
acct_process();
|
tracing, sched: LTTng instrumentation - scheduler
Instrument the scheduler activity (sched_switch, migration, wakeups,
wait for a task, signal delivery) and process/thread
creation/destruction (fork, exit, kthread stop). Actually, kthread
creation is not instrumented in this patch because it is architecture
dependent. It allows to connect tracers such as ftrace which detects
scheduling latencies, good/bad scheduler decisions. Tools like LTTng can
export this scheduler information along with instrumentation of the rest
of the kernel activity to perform post-mortem analysis on the scheduler
activity.
About the performance impact of tracepoints (which is comparable to
markers), even without immediate values optimizations, tests done by
Hideo Aoki on ia64 show no regression. His test case was using hackbench
on a kernel where scheduler instrumentation (about 5 events in code
scheduler code) was added. See the "Tracepoints" patch header for
performance result detail.
Changelog :
- Change instrumentation location and parameter to match ftrace
instrumentation, previously done with kernel markers.
[ mingo@elte.hu: conflict resolutions ]
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@polymtl.ca>
Acked-by: 'Peter Zijlstra' <peterz@infradead.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2008-07-18 16:16:17 +00:00
|
|
|
trace_sched_process_exit(tsk);
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
exit_sem(tsk);
|
2011-07-26 23:08:48 +00:00
|
|
|
exit_shm(tsk);
|
2008-04-22 09:35:42 +00:00
|
|
|
exit_files(tsk);
|
|
|
|
exit_fs(tsk);
|
2014-04-07 22:38:29 +00:00
|
|
|
if (group_dead)
|
|
|
|
disassociate_ctty(1);
|
2013-06-14 19:09:49 +00:00
|
|
|
exit_task_namespaces(tsk);
|
2012-06-27 07:31:24 +00:00
|
|
|
exit_task_work(tsk);
|
2016-05-21 00:00:20 +00:00
|
|
|
exit_thread(tsk);
|
2011-01-03 16:20:01 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Flush inherited counters to the parent - before the parent
|
|
|
|
* gets woken up by child-exit notifications.
|
|
|
|
*
|
|
|
|
* because of cgroup mode, must be called before cgroup_exit()
|
|
|
|
*/
|
|
|
|
perf_event_exit_task(tsk);
|
|
|
|
|
2016-11-14 18:46:12 +00:00
|
|
|
sched_autogroup_exit_task(tsk);
|
2014-03-28 07:22:19 +00:00
|
|
|
cgroup_exit(tsk);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2009-09-09 17:22:48 +00:00
|
|
|
/*
|
|
|
|
* FIXME: do that only when needed, using sched_exit tracepoint
|
|
|
|
*/
|
2013-07-08 23:00:54 +00:00
|
|
|
flush_ptrace_hw_breakpoint(tsk);
|
2009-05-17 09:08:41 +00:00
|
|
|
|
2017-05-25 15:51:48 +00:00
|
|
|
exit_tasks_rcu_start();
|
2008-03-02 18:44:44 +00:00
|
|
|
exit_notify(tsk, group_dead);
|
2014-04-07 22:38:31 +00:00
|
|
|
proc_exit_connector(tsk);
|
2016-09-01 23:15:07 +00:00
|
|
|
mpol_put_task_policy(tsk);
|
2007-10-17 06:27:30 +00:00
|
|
|
#ifdef CONFIG_FUTEX
|
2006-06-27 09:54:58 +00:00
|
|
|
if (unlikely(current->pi_state_cache))
|
|
|
|
kfree(current->pi_state_cache);
|
2007-10-17 06:27:30 +00:00
|
|
|
#endif
|
2006-01-09 23:59:21 +00:00
|
|
|
/*
|
2006-07-03 07:24:33 +00:00
|
|
|
* Make sure we are holding no locks:
|
2006-01-09 23:59:21 +00:00
|
|
|
*/
|
2013-05-06 23:50:08 +00:00
|
|
|
debug_check_no_locks_held();
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2006-02-28 17:51:55 +00:00
|
|
|
if (tsk->io_context)
|
2009-12-04 13:52:42 +00:00
|
|
|
exit_io_context(tsk);
|
2006-02-28 17:51:55 +00:00
|
|
|
|
2006-04-11 11:52:07 +00:00
|
|
|
if (tsk->splice_pipe)
|
2013-03-21 15:06:46 +00:00
|
|
|
free_pipe_info(tsk->splice_pipe);
|
2006-04-11 11:52:07 +00:00
|
|
|
|
net: use a per task frag allocator
We currently use a per socket order-0 page cache for tcp_sendmsg()
operations.
This page is used to build fragments for skbs.
Its done to increase probability of coalescing small write() into
single segments in skbs still in write queue (not yet sent)
But it wastes a lot of memory for applications handling many mostly
idle sockets, since each socket holds one page in sk->sk_sndmsg_page
Its also quite inefficient to build TSO 64KB packets, because we need
about 16 pages per skb on arches where PAGE_SIZE = 4096, so we hit
page allocator more than wanted.
This patch adds a per task frag allocator and uses bigger pages,
if available. An automatic fallback is done in case of memory pressure.
(up to 32768 bytes per frag, thats order-3 pages on x86)
This increases TCP stream performance by 20% on loopback device,
but also benefits on other network devices, since 8x less frags are
mapped on transmit and unmapped on tx completion. Alexander Duyck
mentioned a probable performance win on systems with IOMMU enabled.
Its possible some SG enabled hardware cant cope with bigger fragments,
but their ndo_start_xmit() should already handle this, splitting a
fragment in sub fragments, since some arches have PAGE_SIZE=65536
Successfully tested on various ethernet devices.
(ixgbe, igb, bnx2x, tg3, mellanox mlx4)
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ben Hutchings <bhutchings@solarflare.com>
Cc: Vijay Subramanian <subramanian.vijay@gmail.com>
Cc: Alexander Duyck <alexander.h.duyck@intel.com>
Tested-by: Vijay Subramanian <subramanian.vijay@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2012-09-23 23:04:42 +00:00
|
|
|
if (tsk->task_frag.page)
|
|
|
|
put_page(tsk->task_frag.page);
|
|
|
|
|
2022-02-17 10:24:04 +00:00
|
|
|
exit_task_stack_account(tsk);
|
2009-09-02 08:13:40 +00:00
|
|
|
|
2014-04-07 22:38:30 +00:00
|
|
|
check_stack_usage();
|
2005-10-30 23:02:47 +00:00
|
|
|
preempt_disable();
|
2011-04-05 19:21:19 +00:00
|
|
|
if (tsk->nr_dirtied)
|
|
|
|
__this_cpu_add(dirty_throttle_leaks, tsk->nr_dirtied);
|
rcu: Merge preemptable-RCU functionality into hierarchical RCU
Create a kernel/rcutree_plugin.h file that contains definitions
for preemptable RCU (or, under the #else branch of the #ifdef,
empty definitions for the classic non-preemptable semantics).
These definitions fit into plugins defined in kernel/rcutree.c
for this purpose.
This variant of preemptable RCU uses a new algorithm whose
read-side expense is roughly that of classic hierarchical RCU
under CONFIG_PREEMPT. This new algorithm's update-side expense
is similar to that of classic hierarchical RCU, and, in absence
of read-side preemption or blocking, is exactly that of classic
hierarchical RCU. Perhaps more important, this new algorithm
has a much simpler implementation, saving well over 1,000 lines
of code compared to mainline's implementation of preemptable
RCU, which will hopefully be retired in favor of this new
algorithm.
The simplifications are obtained by maintaining per-task
nesting state for running tasks, and using a simple
lock-protected algorithm to handle accounting when tasks block
within RCU read-side critical sections, making use of lessons
learned while creating numerous user-level RCU implementations
over the past 18 months.
Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Cc: laijs@cn.fujitsu.com
Cc: dipankar@in.ibm.com
Cc: akpm@linux-foundation.org
Cc: mathieu.desnoyers@polymtl.ca
Cc: josht@linux.vnet.ibm.com
Cc: dvhltc@us.ibm.com
Cc: niv@us.ibm.com
Cc: peterz@infradead.org
Cc: rostedt@goodmis.org
LKML-Reference: <12509746134003-git-send-email->
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2009-08-22 20:56:52 +00:00
|
|
|
exit_rcu();
|
2017-05-25 15:51:48 +00:00
|
|
|
exit_tasks_rcu_finish();
|
sched: Fix ancient race in do_exit()
try_to_wake_up() has a problem which may change status from TASK_DEAD to
TASK_RUNNING in race condition with SMI or guest environment of virtual
machine. As a result, exited task is scheduled() again and panic occurs.
Here is the sequence how it occurs:
----------------------------------+-----------------------------
|
CPU A | CPU B
----------------------------------+-----------------------------
TASK A calls exit()....
do_exit()
exit_mm()
down_read(mm->mmap_sem);
rwsem_down_failed_common()
set TASK_UNINTERRUPTIBLE
set waiter.task <= task A
list_add to sem->wait_list
:
raw_spin_unlock_irq()
(I/O interruption occured)
__rwsem_do_wake(mmap_sem)
list_del(&waiter->list);
waiter->task = NULL
wake_up_process(task A)
try_to_wake_up()
(task is still
TASK_UNINTERRUPTIBLE)
p->on_rq is still 1.)
ttwu_do_wakeup()
(*A)
:
(I/O interruption handler finished)
if (!waiter.task)
schedule() is not called
due to waiter.task is NULL.
tsk->state = TASK_RUNNING
:
check_preempt_curr();
:
task->state = TASK_DEAD
(*B)
<--- set TASK_RUNNING (*C)
schedule()
(exit task is running again)
BUG_ON() is called!
--------------------------------------------------------
The execution time between (*A) and (*B) is usually very short,
because the interruption is disabled, and setting TASK_RUNNING at (*C)
must be executed before setting TASK_DEAD.
HOWEVER, if SMI is interrupted between (*A) and (*B),
(*C) is able to execute AFTER setting TASK_DEAD!
Then, exited task is scheduled again, and BUG_ON() is called....
If the system works on guest system of virtual machine, the time
between (*A) and (*B) may be also long due to scheduling of hypervisor,
and same phenomenon can occur.
By this patch, do_exit() waits for releasing task->pi_lock which is used
in try_to_wake_up(). It guarantees the task becomes TASK_DEAD after
waking up.
Signed-off-by: Yasunori Goto <y-goto@jp.fujitsu.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Link: http://lkml.kernel.org/r/20120117174031.3118.E1E9C6FF@jp.fujitsu.com
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2012-01-17 08:40:31 +00:00
|
|
|
|
2017-08-07 07:12:52 +00:00
|
|
|
lockdep_free_task(tsk);
|
2016-09-13 16:37:29 +00:00
|
|
|
do_task_dead();
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
2005-04-23 07:08:00 +00:00
|
|
|
|
2021-06-28 19:52:01 +00:00
|
|
|
void __noreturn make_task_dead(int signr)
|
|
|
|
{
|
|
|
|
/*
|
|
|
|
* Take the task off the cpu after something catastrophic has
|
|
|
|
* happened.
|
2021-11-22 15:33:00 +00:00
|
|
|
*
|
|
|
|
* We can get here from a kernel oops, sometimes with preemption off.
|
|
|
|
* Start by checking for critical errors.
|
|
|
|
* Then fix up important state like USER_DS and preemption.
|
|
|
|
* Then do everything else.
|
2021-06-28 19:52:01 +00:00
|
|
|
*/
|
2021-11-22 15:33:00 +00:00
|
|
|
struct task_struct *tsk = current;
|
2022-12-16 20:26:57 +00:00
|
|
|
unsigned int limit;
|
2021-11-22 15:33:00 +00:00
|
|
|
|
|
|
|
if (unlikely(in_interrupt()))
|
|
|
|
panic("Aiee, killing interrupt handler!");
|
|
|
|
if (unlikely(!tsk->pid))
|
|
|
|
panic("Attempted to kill the idle task!");
|
|
|
|
|
2023-01-20 01:18:20 +00:00
|
|
|
if (unlikely(irqs_disabled())) {
|
|
|
|
pr_info("note: %s[%d] exited with irqs disabled\n",
|
|
|
|
current->comm, task_pid_nr(current));
|
|
|
|
local_irq_enable();
|
|
|
|
}
|
2021-11-22 15:33:00 +00:00
|
|
|
if (unlikely(in_atomic())) {
|
|
|
|
pr_info("note: %s[%d] exited with preempt_count %d\n",
|
|
|
|
current->comm, task_pid_nr(current),
|
|
|
|
preempt_count());
|
|
|
|
preempt_count_set(PREEMPT_ENABLED);
|
|
|
|
}
|
|
|
|
|
exit: Put an upper limit on how often we can oops
Many Linux systems are configured to not panic on oops; but allowing an
attacker to oops the system **really** often can make even bugs that look
completely unexploitable exploitable (like NULL dereferences and such) if
each crash elevates a refcount by one or a lock is taken in read mode, and
this causes a counter to eventually overflow.
The most interesting counters for this are 32 bits wide (like open-coded
refcounts that don't use refcount_t). (The ldsem reader count on 32-bit
platforms is just 16 bits, but probably nobody cares about 32-bit platforms
that much nowadays.)
So let's panic the system if the kernel is constantly oopsing.
The speed of oopsing 2^32 times probably depends on several factors, like
how long the stack trace is and which unwinder you're using; an empirically
important one is whether your console is showing a graphical environment or
a text console that oopses will be printed to.
In a quick single-threaded benchmark, it looks like oopsing in a vfork()
child with a very short stack trace only takes ~510 microseconds per run
when a graphical console is active; but switching to a text console that
oopses are printed to slows it down around 87x, to ~45 milliseconds per
run.
(Adding more threads makes this faster, but the actual oops printing
happens under &die_lock on x86, so you can maybe speed this up by a factor
of around 2 and then any further improvement gets eaten up by lock
contention.)
It looks like it would take around 8-12 days to overflow a 32-bit counter
with repeated oopsing on a multi-core X86 system running a graphical
environment; both me (in an X86 VM) and Seth (with a distro kernel on
normal hardware in a standard configuration) got numbers in that ballpark.
12 days aren't *that* short on a desktop system, and you'd likely need much
longer on a typical server system (assuming that people don't run graphical
desktop environments on their servers), and this is a *very* noisy and
violent approach to exploiting the kernel; and it also seems to take orders
of magnitude longer on some machines, probably because stuff like EFI
pstore will slow it down a ton if that's active.
Signed-off-by: Jann Horn <jannh@google.com>
Link: https://lore.kernel.org/r/20221107201317.324457-1-jannh@google.com
Reviewed-by: Luis Chamberlain <mcgrof@kernel.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20221117234328.594699-2-keescook@chromium.org
2022-11-17 23:43:22 +00:00
|
|
|
/*
|
|
|
|
* Every time the system oopses, if the oops happens while a reference
|
|
|
|
* to an object was held, the reference leaks.
|
|
|
|
* If the oops doesn't also leak memory, repeated oopsing can cause
|
|
|
|
* reference counters to wrap around (if they're not using refcount_t).
|
|
|
|
* This means that repeated oopsing can make unexploitable-looking bugs
|
|
|
|
* exploitable through repeated oopsing.
|
|
|
|
* To make sure this can't happen, place an upper bound on how often the
|
|
|
|
* kernel may oops without panic().
|
|
|
|
*/
|
2022-12-16 20:26:57 +00:00
|
|
|
limit = READ_ONCE(oops_limit);
|
|
|
|
if (atomic_inc_return(&oops_count) >= limit && limit)
|
|
|
|
panic("Oopsed too often (kernel.oops_limit is %d)", limit);
|
exit: Put an upper limit on how often we can oops
Many Linux systems are configured to not panic on oops; but allowing an
attacker to oops the system **really** often can make even bugs that look
completely unexploitable exploitable (like NULL dereferences and such) if
each crash elevates a refcount by one or a lock is taken in read mode, and
this causes a counter to eventually overflow.
The most interesting counters for this are 32 bits wide (like open-coded
refcounts that don't use refcount_t). (The ldsem reader count on 32-bit
platforms is just 16 bits, but probably nobody cares about 32-bit platforms
that much nowadays.)
So let's panic the system if the kernel is constantly oopsing.
The speed of oopsing 2^32 times probably depends on several factors, like
how long the stack trace is and which unwinder you're using; an empirically
important one is whether your console is showing a graphical environment or
a text console that oopses will be printed to.
In a quick single-threaded benchmark, it looks like oopsing in a vfork()
child with a very short stack trace only takes ~510 microseconds per run
when a graphical console is active; but switching to a text console that
oopses are printed to slows it down around 87x, to ~45 milliseconds per
run.
(Adding more threads makes this faster, but the actual oops printing
happens under &die_lock on x86, so you can maybe speed this up by a factor
of around 2 and then any further improvement gets eaten up by lock
contention.)
It looks like it would take around 8-12 days to overflow a 32-bit counter
with repeated oopsing on a multi-core X86 system running a graphical
environment; both me (in an X86 VM) and Seth (with a distro kernel on
normal hardware in a standard configuration) got numbers in that ballpark.
12 days aren't *that* short on a desktop system, and you'd likely need much
longer on a typical server system (assuming that people don't run graphical
desktop environments on their servers), and this is a *very* noisy and
violent approach to exploiting the kernel; and it also seems to take orders
of magnitude longer on some machines, probably because stuff like EFI
pstore will slow it down a ton if that's active.
Signed-off-by: Jann Horn <jannh@google.com>
Link: https://lore.kernel.org/r/20221107201317.324457-1-jannh@google.com
Reviewed-by: Luis Chamberlain <mcgrof@kernel.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20221117234328.594699-2-keescook@chromium.org
2022-11-17 23:43:22 +00:00
|
|
|
|
2021-11-22 15:33:00 +00:00
|
|
|
/*
|
|
|
|
* We're taking recursive faults here in make_task_dead. Safest is to just
|
|
|
|
* leave this task alone and wait for reboot.
|
|
|
|
*/
|
|
|
|
if (unlikely(tsk->flags & PF_EXITING)) {
|
|
|
|
pr_alert("Fixing recursive fault but reboot is needed!\n");
|
|
|
|
futex_exit_recursive(tsk);
|
2022-01-05 22:30:21 +00:00
|
|
|
tsk->exit_state = EXIT_DEAD;
|
|
|
|
refcount_inc(&tsk->rcu_users);
|
2021-11-22 15:51:03 +00:00
|
|
|
do_task_dead();
|
2021-11-22 15:33:00 +00:00
|
|
|
}
|
|
|
|
|
2021-06-28 19:52:01 +00:00
|
|
|
do_exit(signr);
|
|
|
|
}
|
|
|
|
|
2009-01-14 13:14:09 +00:00
|
|
|
SYSCALL_DEFINE1(exit, int, error_code)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
do_exit((error_code&0xff)<<8);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Take down every thread in the group. This is called by fatal signals
|
|
|
|
* as well as by sys_exit_group (below).
|
|
|
|
*/
|
2022-03-08 15:30:48 +00:00
|
|
|
void __noreturn
|
2005-04-16 22:20:36 +00:00
|
|
|
do_group_exit(int exit_code)
|
|
|
|
{
|
2008-04-30 07:52:36 +00:00
|
|
|
struct signal_struct *sig = current->signal;
|
|
|
|
|
2021-06-24 07:14:30 +00:00
|
|
|
if (sig->flags & SIGNAL_GROUP_EXIT)
|
2008-04-30 07:52:36 +00:00
|
|
|
exit_code = sig->group_exit_code;
|
2021-06-24 07:14:30 +00:00
|
|
|
else if (sig->group_exec_task)
|
|
|
|
exit_code = 0;
|
2022-06-21 17:39:51 +00:00
|
|
|
else {
|
2005-04-16 22:20:36 +00:00
|
|
|
struct sighand_struct *const sighand = current->sighand;
|
2014-08-08 21:21:18 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
spin_lock_irq(&sighand->siglock);
|
2021-06-24 07:14:30 +00:00
|
|
|
if (sig->flags & SIGNAL_GROUP_EXIT)
|
2005-04-16 22:20:36 +00:00
|
|
|
/* Another thread got here before we took the lock. */
|
|
|
|
exit_code = sig->group_exit_code;
|
2021-06-24 07:14:30 +00:00
|
|
|
else if (sig->group_exec_task)
|
|
|
|
exit_code = 0;
|
2005-04-16 22:20:36 +00:00
|
|
|
else {
|
|
|
|
sig->group_exit_code = exit_code;
|
2008-02-05 06:27:24 +00:00
|
|
|
sig->flags = SIGNAL_GROUP_EXIT;
|
2005-04-16 22:20:36 +00:00
|
|
|
zap_other_threads(current);
|
|
|
|
}
|
|
|
|
spin_unlock_irq(&sighand->siglock);
|
|
|
|
}
|
|
|
|
|
|
|
|
do_exit(exit_code);
|
|
|
|
/* NOTREACHED */
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* this kills every thread in the thread group. Note that any externally
|
|
|
|
* wait4()-ing process will get the correct exit code - even if this
|
|
|
|
* thread is not the thread group leader.
|
|
|
|
*/
|
2009-01-14 13:14:09 +00:00
|
|
|
SYSCALL_DEFINE1(exit_group, int, error_code)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
|
|
|
do_group_exit((error_code & 0xff) << 8);
|
2009-01-14 13:13:54 +00:00
|
|
|
/* NOTREACHED */
|
|
|
|
return 0;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
2009-09-23 22:56:49 +00:00
|
|
|
static int eligible_pid(struct wait_opts *wo, struct task_struct *p)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2009-09-23 22:56:48 +00:00
|
|
|
return wo->wo_type == PIDTYPE_MAX ||
|
|
|
|
task_pid_type(p, wo->wo_type) == wo->wo_pid;
|
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
|
wait/ptrace: assume __WALL if the child is traced
The following program (simplified version of generated by syzkaller)
#include <pthread.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <stdio.h>
#include <signal.h>
void *thread_func(void *arg)
{
ptrace(PTRACE_TRACEME, 0,0,0);
return 0;
}
int main(void)
{
pthread_t thread;
if (fork())
return 0;
while (getppid() != 1)
;
pthread_create(&thread, NULL, thread_func, NULL);
pthread_join(thread, NULL);
return 0;
}
creates an unreapable zombie if /sbin/init doesn't use __WALL.
This is not a kernel bug, at least in a sense that everything works as
expected: debugger should reap a traced sub-thread before it can reap the
leader, but without __WALL/__WCLONE do_wait() ignores sub-threads.
Unfortunately, it seems that /sbin/init in most (all?) distributions
doesn't use it and we have to change the kernel to avoid the problem.
Note also that most init's use sys_waitid() which doesn't allow __WALL, so
the necessary user-space fix is not that trivial.
This patch just adds the "ptrace" check into eligible_child(). To some
degree this matches the "tsk->ptrace" in exit_notify(), ->exit_signal is
mostly ignored when the tracee reports to debugger. Or WSTOPPED, the
tracer doesn't need to set this flag to wait for the stopped tracee.
This obviously means the user-visible change: __WCLONE and __WALL no
longer have any meaning for debugger. And I can only hope that this won't
break something, but at least strace/gdb won't suffer.
We could make a more conservative change. Say, we can take __WCLONE into
account, or !thread_group_leader(). But it would be nice to not
complicate these historical/confusing checks.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Jan Kratochvil <jan.kratochvil@redhat.com>
Cc: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
Cc: Pedro Alves <palves@redhat.com>
Cc: Roland McGrath <roland@hack.frob.com>
Cc: <syzkaller@googlegroups.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-05-23 23:23:50 +00:00
|
|
|
static int
|
|
|
|
eligible_child(struct wait_opts *wo, bool ptrace, struct task_struct *p)
|
2009-09-23 22:56:48 +00:00
|
|
|
{
|
|
|
|
if (!eligible_pid(wo, p))
|
|
|
|
return 0;
|
wait/ptrace: assume __WALL if the child is traced
The following program (simplified version of generated by syzkaller)
#include <pthread.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <stdio.h>
#include <signal.h>
void *thread_func(void *arg)
{
ptrace(PTRACE_TRACEME, 0,0,0);
return 0;
}
int main(void)
{
pthread_t thread;
if (fork())
return 0;
while (getppid() != 1)
;
pthread_create(&thread, NULL, thread_func, NULL);
pthread_join(thread, NULL);
return 0;
}
creates an unreapable zombie if /sbin/init doesn't use __WALL.
This is not a kernel bug, at least in a sense that everything works as
expected: debugger should reap a traced sub-thread before it can reap the
leader, but without __WALL/__WCLONE do_wait() ignores sub-threads.
Unfortunately, it seems that /sbin/init in most (all?) distributions
doesn't use it and we have to change the kernel to avoid the problem.
Note also that most init's use sys_waitid() which doesn't allow __WALL, so
the necessary user-space fix is not that trivial.
This patch just adds the "ptrace" check into eligible_child(). To some
degree this matches the "tsk->ptrace" in exit_notify(), ->exit_signal is
mostly ignored when the tracee reports to debugger. Or WSTOPPED, the
tracer doesn't need to set this flag to wait for the stopped tracee.
This obviously means the user-visible change: __WCLONE and __WALL no
longer have any meaning for debugger. And I can only hope that this won't
break something, but at least strace/gdb won't suffer.
We could make a more conservative change. Say, we can take __WCLONE into
account, or !thread_group_leader(). But it would be nice to not
complicate these historical/confusing checks.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Jan Kratochvil <jan.kratochvil@redhat.com>
Cc: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
Cc: Pedro Alves <palves@redhat.com>
Cc: Roland McGrath <roland@hack.frob.com>
Cc: <syzkaller@googlegroups.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-05-23 23:23:50 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Wait for all children (clone and not) if __WALL is set or
|
|
|
|
* if it is traced by us.
|
|
|
|
*/
|
|
|
|
if (ptrace || (wo->wo_flags & __WALL))
|
|
|
|
return 1;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Otherwise, wait for clone children *only* if __WCLONE is set;
|
|
|
|
* otherwise, wait for non-clone children *only*.
|
|
|
|
*
|
|
|
|
* Note: a "clone" child here is one that reports to its parent
|
|
|
|
* using a signal other than SIGCHLD, or a non-leader thread which
|
|
|
|
* we can only see if it is traced by us.
|
|
|
|
*/
|
|
|
|
if ((p->exit_signal != SIGCHLD) ^ !!(wo->wo_flags & __WCLONE))
|
2005-04-16 22:20:36 +00:00
|
|
|
return 0;
|
|
|
|
|
2008-03-31 01:41:25 +00:00
|
|
|
return 1;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Handle sys_wait4 work for one task in state EXIT_ZOMBIE. We hold
|
|
|
|
* read_lock(&tasklist_lock) on entry. If we return zero, we still hold
|
|
|
|
* the lock and this task is uninteresting. If we return nonzero, we have
|
|
|
|
* released the lock and the system call should return.
|
|
|
|
*/
|
2009-06-17 23:27:39 +00:00
|
|
|
static int wait_task_zombie(struct wait_opts *wo, struct task_struct *p)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2017-05-15 00:53:13 +00:00
|
|
|
int state, status;
|
2008-02-08 12:19:20 +00:00
|
|
|
pid_t pid = task_pid_vnr(p);
|
2012-05-31 23:26:16 +00:00
|
|
|
uid_t uid = from_kuid_munged(current_user_ns(), task_uid(p));
|
2017-05-15 00:53:13 +00:00
|
|
|
struct waitid_info *infop;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2009-06-17 23:27:39 +00:00
|
|
|
if (!likely(wo->wo_flags & WEXITED))
|
2008-03-20 02:24:59 +00:00
|
|
|
return 0;
|
|
|
|
|
2009-06-17 23:27:39 +00:00
|
|
|
if (unlikely(wo->wo_flags & WNOWAIT)) {
|
2021-12-21 16:11:01 +00:00
|
|
|
status = (p->signal->flags & SIGNAL_GROUP_EXIT)
|
|
|
|
? p->signal->group_exit_code : p->exit_code;
|
2005-04-16 22:20:36 +00:00
|
|
|
get_task_struct(p);
|
|
|
|
read_unlock(&tasklist_lock);
|
2014-09-24 08:18:49 +00:00
|
|
|
sched_annotate_sleep();
|
2017-05-15 01:25:03 +00:00
|
|
|
if (wo->wo_rusage)
|
|
|
|
getrusage(p, RUSAGE_BOTH, wo->wo_rusage);
|
2017-05-15 01:33:21 +00:00
|
|
|
put_task_struct(p);
|
2017-05-15 01:38:26 +00:00
|
|
|
goto out_info;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
/*
|
wait: introduce EXIT_TRACE to avoid the racy EXIT_DEAD->EXIT_ZOMBIE transition
wait_task_zombie() first does EXIT_ZOMBIE->EXIT_DEAD transition and
drops tasklist_lock. If this task is not the natural child and it is
traced, we change its state back to EXIT_ZOMBIE for ->real_parent.
The last transition is racy, this is even documented in 50b8d257486a
"ptrace: partially fix the do_wait(WEXITED) vs EXIT_DEAD->EXIT_ZOMBIE
race". wait_consider_task() tries to detect this transition and clear
->notask_error but we can't rely on ptrace_reparented(), debugger can
exit and do ptrace_unlink() before its sub-thread sets EXIT_ZOMBIE.
And there is another problem which were missed before: this transition
can also race with reparent_leader() which doesn't reset >exit_signal if
EXIT_DEAD, assuming that this task must be reaped by someone else. So
the tracee can be re-parented with ->exit_signal != SIGCHLD, and if
/sbin/init doesn't use __WALL it becomes unreapable. This was fixed by
the previous commit, but it was the temporary hack.
1. Add the new exit_state, EXIT_TRACE. It means that the task is the
traced zombie, debugger is going to detach and notify its natural
parent.
This new state is actually EXIT_ZOMBIE | EXIT_DEAD. This way we
can avoid the changes in proc/kgdb code, get_task_state() still
reports "X (dead)" in this case.
Note: with or without this change userspace can see Z -> X -> Z
transition. Not really bad, but probably makes sense to fix.
2. Change wait_task_zombie() to use EXIT_TRACE instead of EXIT_DEAD
if we need to notify the ->real_parent.
3. Revert the previous hack in reparent_leader(), now that EXIT_DEAD
is always the final state we can safely ignore such a task.
4. Change wait_consider_task() to check EXIT_TRACE separately and kill
the racy and no longer needed ptrace_reparented() case.
If ptrace == T an EXIT_TRACE thread should be simply ignored, the
owner of this state is going to ptrace_unlink() this task. We can
pretend that it was already removed from ->ptraced list.
Otherwise we should skip this thread too but clear ->notask_error,
we must be the natural parent and debugger is going to untrace and
notify us. IOW, this doesn't differ from "EXIT_ZOMBIE && p->ptrace"
even if the task was already untraced.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Reported-by: Jan Kratochvil <jan.kratochvil@redhat.com>
Reported-by: Michal Schmidt <mschmidt@redhat.com>
Tested-by: Michal Schmidt <mschmidt@redhat.com>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Lennart Poettering <lpoetter@redhat.com>
Cc: Roland McGrath <roland@hack.frob.com>
Cc: Tejun Heo <tj@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-04-07 22:38:42 +00:00
|
|
|
* Move the task's state to DEAD/TRACE, only one thread can do this.
|
2005-04-16 22:20:36 +00:00
|
|
|
*/
|
2014-12-10 23:54:45 +00:00
|
|
|
state = (ptrace_reparented(p) && thread_group_leader(p)) ?
|
|
|
|
EXIT_TRACE : EXIT_DEAD;
|
wait: introduce EXIT_TRACE to avoid the racy EXIT_DEAD->EXIT_ZOMBIE transition
wait_task_zombie() first does EXIT_ZOMBIE->EXIT_DEAD transition and
drops tasklist_lock. If this task is not the natural child and it is
traced, we change its state back to EXIT_ZOMBIE for ->real_parent.
The last transition is racy, this is even documented in 50b8d257486a
"ptrace: partially fix the do_wait(WEXITED) vs EXIT_DEAD->EXIT_ZOMBIE
race". wait_consider_task() tries to detect this transition and clear
->notask_error but we can't rely on ptrace_reparented(), debugger can
exit and do ptrace_unlink() before its sub-thread sets EXIT_ZOMBIE.
And there is another problem which were missed before: this transition
can also race with reparent_leader() which doesn't reset >exit_signal if
EXIT_DEAD, assuming that this task must be reaped by someone else. So
the tracee can be re-parented with ->exit_signal != SIGCHLD, and if
/sbin/init doesn't use __WALL it becomes unreapable. This was fixed by
the previous commit, but it was the temporary hack.
1. Add the new exit_state, EXIT_TRACE. It means that the task is the
traced zombie, debugger is going to detach and notify its natural
parent.
This new state is actually EXIT_ZOMBIE | EXIT_DEAD. This way we
can avoid the changes in proc/kgdb code, get_task_state() still
reports "X (dead)" in this case.
Note: with or without this change userspace can see Z -> X -> Z
transition. Not really bad, but probably makes sense to fix.
2. Change wait_task_zombie() to use EXIT_TRACE instead of EXIT_DEAD
if we need to notify the ->real_parent.
3. Revert the previous hack in reparent_leader(), now that EXIT_DEAD
is always the final state we can safely ignore such a task.
4. Change wait_consider_task() to check EXIT_TRACE separately and kill
the racy and no longer needed ptrace_reparented() case.
If ptrace == T an EXIT_TRACE thread should be simply ignored, the
owner of this state is going to ptrace_unlink() this task. We can
pretend that it was already removed from ->ptraced list.
Otherwise we should skip this thread too but clear ->notask_error,
we must be the natural parent and debugger is going to untrace and
notify us. IOW, this doesn't differ from "EXIT_ZOMBIE && p->ptrace"
even if the task was already untraced.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Reported-by: Jan Kratochvil <jan.kratochvil@redhat.com>
Reported-by: Michal Schmidt <mschmidt@redhat.com>
Tested-by: Michal Schmidt <mschmidt@redhat.com>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Lennart Poettering <lpoetter@redhat.com>
Cc: Roland McGrath <roland@hack.frob.com>
Cc: Tejun Heo <tj@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-04-07 22:38:42 +00:00
|
|
|
if (cmpxchg(&p->exit_state, EXIT_ZOMBIE, state) != EXIT_ZOMBIE)
|
2005-04-16 22:20:36 +00:00
|
|
|
return 0;
|
2014-12-10 23:54:51 +00:00
|
|
|
/*
|
|
|
|
* We own this thread, nobody else can reap it.
|
|
|
|
*/
|
|
|
|
read_unlock(&tasklist_lock);
|
|
|
|
sched_annotate_sleep();
|
2014-12-10 23:54:45 +00:00
|
|
|
|
2009-06-18 23:49:11 +00:00
|
|
|
/*
|
2014-12-10 23:54:45 +00:00
|
|
|
* Check thread_group_leader() to exclude the traced sub-threads.
|
2009-06-18 23:49:11 +00:00
|
|
|
*/
|
2014-12-10 23:54:45 +00:00
|
|
|
if (state == EXIT_DEAD && thread_group_leader(p)) {
|
2014-12-10 23:54:48 +00:00
|
|
|
struct signal_struct *sig = p->signal;
|
|
|
|
struct signal_struct *psig = current->signal;
|
getrusage: fill ru_maxrss value
Make ->ru_maxrss value in struct rusage filled accordingly to rss hiwater
mark. This struct is filled as a parameter to getrusage syscall.
->ru_maxrss value is set to KBs which is the way it is done in BSD
systems. /usr/bin/time (gnu time) application converts ->ru_maxrss to KBs
which seems to be incorrect behavior. Maintainer of this util was
notified by me with the patch which corrects it and cc'ed.
To make this happen we extend struct signal_struct by two fields. The
first one is ->maxrss which we use to store rss hiwater of the task. The
second one is ->cmaxrss which we use to store highest rss hiwater of all
task childs. These values are used in k_getrusage() to actually fill
->ru_maxrss. k_getrusage() uses current rss hiwater value directly if mm
struct exists.
Note:
exec() clear mm->hiwater_rss, but doesn't clear sig->maxrss.
it is intetionally behavior. *BSD getrusage have exec() inheriting.
test programs
========================================================
getrusage.c
===========
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <signal.h>
#include <sys/mman.h>
#include "common.h"
#define err(str) perror(str), exit(1)
int main(int argc, char** argv)
{
int status;
printf("allocate 100MB\n");
consume(100);
printf("testcase1: fork inherit? \n");
printf(" expect: initial.self ~= child.self\n");
show_rusage("initial");
if (__fork()) {
wait(&status);
} else {
show_rusage("fork child");
_exit(0);
}
printf("\n");
printf("testcase2: fork inherit? (cont.) \n");
printf(" expect: initial.children ~= 100MB, but child.children = 0\n");
show_rusage("initial");
if (__fork()) {
wait(&status);
} else {
show_rusage("child");
_exit(0);
}
printf("\n");
printf("testcase3: fork + malloc \n");
printf(" expect: child.self ~= initial.self + 50MB\n");
show_rusage("initial");
if (__fork()) {
wait(&status);
} else {
printf("allocate +50MB\n");
consume(50);
show_rusage("fork child");
_exit(0);
}
printf("\n");
printf("testcase4: grandchild maxrss\n");
printf(" expect: post_wait.children ~= 300MB\n");
show_rusage("initial");
if (__fork()) {
wait(&status);
show_rusage("post_wait");
} else {
system("./child -n 0 -g 300");
_exit(0);
}
printf("\n");
printf("testcase5: zombie\n");
printf(" expect: pre_wait ~= initial, IOW the zombie process is not accounted.\n");
printf(" post_wait ~= 400MB, IOW wait() collect child's max_rss. \n");
show_rusage("initial");
if (__fork()) {
sleep(1); /* children become zombie */
show_rusage("pre_wait");
wait(&status);
show_rusage("post_wait");
} else {
system("./child -n 400");
_exit(0);
}
printf("\n");
printf("testcase6: SIG_IGN\n");
printf(" expect: initial ~= after_zombie (child's 500MB alloc should be ignored).\n");
show_rusage("initial");
signal(SIGCHLD, SIG_IGN);
if (__fork()) {
sleep(1); /* children become zombie */
show_rusage("after_zombie");
} else {
system("./child -n 500");
_exit(0);
}
printf("\n");
signal(SIGCHLD, SIG_DFL);
printf("testcase7: exec (without fork) \n");
printf(" expect: initial ~= exec \n");
show_rusage("initial");
execl("./child", "child", "-v", NULL);
return 0;
}
child.c
=======
#include <sys/types.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>
#include "common.h"
int main(int argc, char** argv)
{
int status;
int c;
long consume_size = 0;
long grandchild_consume_size = 0;
int show = 0;
while ((c = getopt(argc, argv, "n:g:v")) != -1) {
switch (c) {
case 'n':
consume_size = atol(optarg);
break;
case 'v':
show = 1;
break;
case 'g':
grandchild_consume_size = atol(optarg);
break;
default:
break;
}
}
if (show)
show_rusage("exec");
if (consume_size) {
printf("child alloc %ldMB\n", consume_size);
consume(consume_size);
}
if (grandchild_consume_size) {
if (fork()) {
wait(&status);
} else {
printf("grandchild alloc %ldMB\n", grandchild_consume_size);
consume(grandchild_consume_size);
exit(0);
}
}
return 0;
}
common.c
========
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <signal.h>
#include <sys/mman.h>
#include "common.h"
#define err(str) perror(str), exit(1)
void show_rusage(char *prefix)
{
int err, err2;
struct rusage rusage_self;
struct rusage rusage_children;
printf("%s: ", prefix);
err = getrusage(RUSAGE_SELF, &rusage_self);
if (!err)
printf("self %ld ", rusage_self.ru_maxrss);
err2 = getrusage(RUSAGE_CHILDREN, &rusage_children);
if (!err2)
printf("children %ld ", rusage_children.ru_maxrss);
printf("\n");
}
/* Some buggy OS need this worthless CPU waste. */
void make_pagefault(void)
{
void *addr;
int size = getpagesize();
int i;
for (i=0; i<1000; i++) {
addr = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
if (addr == MAP_FAILED)
err("make_pagefault");
memset(addr, 0, size);
munmap(addr, size);
}
}
void consume(int mega)
{
size_t sz = mega * 1024 * 1024;
void *ptr;
ptr = malloc(sz);
memset(ptr, 0, sz);
make_pagefault();
}
pid_t __fork(void)
{
pid_t pid;
pid = fork();
make_pagefault();
return pid;
}
common.h
========
void show_rusage(char *prefix);
void make_pagefault(void);
void consume(int mega);
pid_t __fork(void);
FreeBSD result (expected result)
========================================================
allocate 100MB
testcase1: fork inherit?
expect: initial.self ~= child.self
initial: self 103492 children 0
fork child: self 103540 children 0
testcase2: fork inherit? (cont.)
expect: initial.children ~= 100MB, but child.children = 0
initial: self 103540 children 103540
child: self 103564 children 0
testcase3: fork + malloc
expect: child.self ~= initial.self + 50MB
initial: self 103564 children 103564
allocate +50MB
fork child: self 154860 children 0
testcase4: grandchild maxrss
expect: post_wait.children ~= 300MB
initial: self 103564 children 154860
grandchild alloc 300MB
post_wait: self 103564 children 308720
testcase5: zombie
expect: pre_wait ~= initial, IOW the zombie process is not accounted.
post_wait ~= 400MB, IOW wait() collect child's max_rss.
initial: self 103564 children 308720
child alloc 400MB
pre_wait: self 103564 children 308720
post_wait: self 103564 children 411312
testcase6: SIG_IGN
expect: initial ~= after_zombie (child's 500MB alloc should be ignored).
initial: self 103564 children 411312
child alloc 500MB
after_zombie: self 103624 children 411312
testcase7: exec (without fork)
expect: initial ~= exec
initial: self 103624 children 411312
exec: self 103624 children 411312
Linux result (actual test result)
========================================================
allocate 100MB
testcase1: fork inherit?
expect: initial.self ~= child.self
initial: self 102848 children 0
fork child: self 102572 children 0
testcase2: fork inherit? (cont.)
expect: initial.children ~= 100MB, but child.children = 0
initial: self 102876 children 102644
child: self 102572 children 0
testcase3: fork + malloc
expect: child.self ~= initial.self + 50MB
initial: self 102876 children 102644
allocate +50MB
fork child: self 153804 children 0
testcase4: grandchild maxrss
expect: post_wait.children ~= 300MB
initial: self 102876 children 153864
grandchild alloc 300MB
post_wait: self 102876 children 307536
testcase5: zombie
expect: pre_wait ~= initial, IOW the zombie process is not accounted.
post_wait ~= 400MB, IOW wait() collect child's max_rss.
initial: self 102876 children 307536
child alloc 400MB
pre_wait: self 102876 children 307536
post_wait: self 102876 children 410076
testcase6: SIG_IGN
expect: initial ~= after_zombie (child's 500MB alloc should be ignored).
initial: self 102876 children 410076
child alloc 500MB
after_zombie: self 102880 children 410076
testcase7: exec (without fork)
expect: initial ~= exec
initial: self 102880 children 410076
exec: self 102880 children 410076
Signed-off-by: Jiri Pirko <jpirko@redhat.com>
Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-09-22 23:44:10 +00:00
|
|
|
unsigned long maxrss;
|
2017-01-31 03:09:23 +00:00
|
|
|
u64 tgutime, tgstime;
|
2006-01-10 04:54:39 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
/*
|
|
|
|
* The resource counters for the group leader are in its
|
|
|
|
* own task_struct. Those for dead threads in the group
|
|
|
|
* are in its signal_struct, as are those for the child
|
|
|
|
* processes it has previously reaped. All these
|
|
|
|
* accumulate in the parent's signal_struct c* fields.
|
|
|
|
*
|
|
|
|
* We don't bother to take a lock here to protect these
|
2014-12-10 23:54:48 +00:00
|
|
|
* p->signal fields because the whole thread group is dead
|
|
|
|
* and nobody can change them.
|
|
|
|
*
|
2022-08-03 08:43:42 +00:00
|
|
|
* psig->stats_lock also protects us from our sub-threads
|
2024-01-23 15:34:00 +00:00
|
|
|
* which can reap other children at the same time.
|
sched, cputime: Introduce thread_group_times()
This is a real fix for problem of utime/stime values decreasing
described in the thread:
http://lkml.org/lkml/2009/11/3/522
Now cputime is accounted in the following way:
- {u,s}time in task_struct are increased every time when the thread
is interrupted by a tick (timer interrupt).
- When a thread exits, its {u,s}time are added to signal->{u,s}time,
after adjusted by task_times().
- When all threads in a thread_group exits, accumulated {u,s}time
(and also c{u,s}time) in signal struct are added to c{u,s}time
in signal struct of the group's parent.
So {u,s}time in task struct are "raw" tick count, while
{u,s}time and c{u,s}time in signal struct are "adjusted" values.
And accounted values are used by:
- task_times(), to get cputime of a thread:
This function returns adjusted values that originates from raw
{u,s}time and scaled by sum_exec_runtime that accounted by CFS.
- thread_group_cputime(), to get cputime of a thread group:
This function returns sum of all {u,s}time of living threads in
the group, plus {u,s}time in the signal struct that is sum of
adjusted cputimes of all exited threads belonged to the group.
The problem is the return value of thread_group_cputime(),
because it is mixed sum of "raw" value and "adjusted" value:
group's {u,s}time = foreach(thread){{u,s}time} + exited({u,s}time)
This misbehavior can break {u,s}time monotonicity.
Assume that if there is a thread that have raw values greater
than adjusted values (e.g. interrupted by 1000Hz ticks 50 times
but only runs 45ms) and if it exits, cputime will decrease (e.g.
-5ms).
To fix this, we could do:
group's {u,s}time = foreach(t){task_times(t)} + exited({u,s}time)
But task_times() contains hard divisions, so applying it for
every thread should be avoided.
This patch fixes the above problem in the following way:
- Modify thread's exit (= __exit_signal()) not to use task_times().
It means {u,s}time in signal struct accumulates raw values instead
of adjusted values. As the result it makes thread_group_cputime()
to return pure sum of "raw" values.
- Introduce a new function thread_group_times(*task, *utime, *stime)
that converts "raw" values of thread_group_cputime() to "adjusted"
values, in same calculation procedure as task_times().
- Modify group's exit (= wait_task_zombie()) to use this introduced
thread_group_times(). It make c{u,s}time in signal struct to
have adjusted values like before this patch.
- Replace some thread_group_cputime() by thread_group_times().
This replacements are only applied where conveys the "adjusted"
cputime to users, and where already uses task_times() near by it.
(i.e. sys_times(), getrusage(), and /proc/<PID>/stat.)
This patch have a positive side effect:
- Before this patch, if a group contains many short-life threads
(e.g. runs 0.9ms and not interrupted by ticks), the group's
cputime could be invisible since thread's cputime was accumulated
after adjusted: imagine adjustment function as adj(ticks, runtime),
{adj(0, 0.9) + adj(0, 0.9) + ....} = {0 + 0 + ....} = 0.
After this patch it will not happen because the adjustment is
applied after accumulated.
v2:
- remove if()s, put new variables into signal_struct.
Signed-off-by: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Cc: Spencer Candland <spencer@bluehost.com>
Cc: Americo Wang <xiyou.wangcong@gmail.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Balbir Singh <balbir@in.ibm.com>
Cc: Stanislaw Gruszka <sgruszka@redhat.com>
LKML-Reference: <4B162517.8040909@jp.fujitsu.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2009-12-02 08:28:07 +00:00
|
|
|
*
|
2014-08-08 21:21:18 +00:00
|
|
|
* We use thread_group_cputime_adjusted() to get times for
|
|
|
|
* the thread group, which consolidates times for all threads
|
|
|
|
* in the group including the group leader.
|
2005-04-16 22:20:36 +00:00
|
|
|
*/
|
2012-11-21 15:26:44 +00:00
|
|
|
thread_group_cputime_adjusted(p, &tgutime, &tgstime);
|
2024-01-23 15:34:00 +00:00
|
|
|
write_seqlock_irq(&psig->stats_lock);
|
2011-12-15 13:56:09 +00:00
|
|
|
psig->cutime += tgutime + sig->cutime;
|
|
|
|
psig->cstime += tgstime + sig->cstime;
|
2012-11-13 13:20:55 +00:00
|
|
|
psig->cgtime += task_gtime(p) + sig->gtime + sig->cgtime;
|
2006-01-10 04:54:39 +00:00
|
|
|
psig->cmin_flt +=
|
|
|
|
p->min_flt + sig->min_flt + sig->cmin_flt;
|
|
|
|
psig->cmaj_flt +=
|
|
|
|
p->maj_flt + sig->maj_flt + sig->cmaj_flt;
|
|
|
|
psig->cnvcsw +=
|
|
|
|
p->nvcsw + sig->nvcsw + sig->cnvcsw;
|
|
|
|
psig->cnivcsw +=
|
|
|
|
p->nivcsw + sig->nivcsw + sig->cnivcsw;
|
2007-05-11 05:22:37 +00:00
|
|
|
psig->cinblock +=
|
|
|
|
task_io_get_inblock(p) +
|
|
|
|
sig->inblock + sig->cinblock;
|
|
|
|
psig->coublock +=
|
|
|
|
task_io_get_oublock(p) +
|
|
|
|
sig->oublock + sig->coublock;
|
getrusage: fill ru_maxrss value
Make ->ru_maxrss value in struct rusage filled accordingly to rss hiwater
mark. This struct is filled as a parameter to getrusage syscall.
->ru_maxrss value is set to KBs which is the way it is done in BSD
systems. /usr/bin/time (gnu time) application converts ->ru_maxrss to KBs
which seems to be incorrect behavior. Maintainer of this util was
notified by me with the patch which corrects it and cc'ed.
To make this happen we extend struct signal_struct by two fields. The
first one is ->maxrss which we use to store rss hiwater of the task. The
second one is ->cmaxrss which we use to store highest rss hiwater of all
task childs. These values are used in k_getrusage() to actually fill
->ru_maxrss. k_getrusage() uses current rss hiwater value directly if mm
struct exists.
Note:
exec() clear mm->hiwater_rss, but doesn't clear sig->maxrss.
it is intetionally behavior. *BSD getrusage have exec() inheriting.
test programs
========================================================
getrusage.c
===========
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <signal.h>
#include <sys/mman.h>
#include "common.h"
#define err(str) perror(str), exit(1)
int main(int argc, char** argv)
{
int status;
printf("allocate 100MB\n");
consume(100);
printf("testcase1: fork inherit? \n");
printf(" expect: initial.self ~= child.self\n");
show_rusage("initial");
if (__fork()) {
wait(&status);
} else {
show_rusage("fork child");
_exit(0);
}
printf("\n");
printf("testcase2: fork inherit? (cont.) \n");
printf(" expect: initial.children ~= 100MB, but child.children = 0\n");
show_rusage("initial");
if (__fork()) {
wait(&status);
} else {
show_rusage("child");
_exit(0);
}
printf("\n");
printf("testcase3: fork + malloc \n");
printf(" expect: child.self ~= initial.self + 50MB\n");
show_rusage("initial");
if (__fork()) {
wait(&status);
} else {
printf("allocate +50MB\n");
consume(50);
show_rusage("fork child");
_exit(0);
}
printf("\n");
printf("testcase4: grandchild maxrss\n");
printf(" expect: post_wait.children ~= 300MB\n");
show_rusage("initial");
if (__fork()) {
wait(&status);
show_rusage("post_wait");
} else {
system("./child -n 0 -g 300");
_exit(0);
}
printf("\n");
printf("testcase5: zombie\n");
printf(" expect: pre_wait ~= initial, IOW the zombie process is not accounted.\n");
printf(" post_wait ~= 400MB, IOW wait() collect child's max_rss. \n");
show_rusage("initial");
if (__fork()) {
sleep(1); /* children become zombie */
show_rusage("pre_wait");
wait(&status);
show_rusage("post_wait");
} else {
system("./child -n 400");
_exit(0);
}
printf("\n");
printf("testcase6: SIG_IGN\n");
printf(" expect: initial ~= after_zombie (child's 500MB alloc should be ignored).\n");
show_rusage("initial");
signal(SIGCHLD, SIG_IGN);
if (__fork()) {
sleep(1); /* children become zombie */
show_rusage("after_zombie");
} else {
system("./child -n 500");
_exit(0);
}
printf("\n");
signal(SIGCHLD, SIG_DFL);
printf("testcase7: exec (without fork) \n");
printf(" expect: initial ~= exec \n");
show_rusage("initial");
execl("./child", "child", "-v", NULL);
return 0;
}
child.c
=======
#include <sys/types.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>
#include "common.h"
int main(int argc, char** argv)
{
int status;
int c;
long consume_size = 0;
long grandchild_consume_size = 0;
int show = 0;
while ((c = getopt(argc, argv, "n:g:v")) != -1) {
switch (c) {
case 'n':
consume_size = atol(optarg);
break;
case 'v':
show = 1;
break;
case 'g':
grandchild_consume_size = atol(optarg);
break;
default:
break;
}
}
if (show)
show_rusage("exec");
if (consume_size) {
printf("child alloc %ldMB\n", consume_size);
consume(consume_size);
}
if (grandchild_consume_size) {
if (fork()) {
wait(&status);
} else {
printf("grandchild alloc %ldMB\n", grandchild_consume_size);
consume(grandchild_consume_size);
exit(0);
}
}
return 0;
}
common.c
========
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <signal.h>
#include <sys/mman.h>
#include "common.h"
#define err(str) perror(str), exit(1)
void show_rusage(char *prefix)
{
int err, err2;
struct rusage rusage_self;
struct rusage rusage_children;
printf("%s: ", prefix);
err = getrusage(RUSAGE_SELF, &rusage_self);
if (!err)
printf("self %ld ", rusage_self.ru_maxrss);
err2 = getrusage(RUSAGE_CHILDREN, &rusage_children);
if (!err2)
printf("children %ld ", rusage_children.ru_maxrss);
printf("\n");
}
/* Some buggy OS need this worthless CPU waste. */
void make_pagefault(void)
{
void *addr;
int size = getpagesize();
int i;
for (i=0; i<1000; i++) {
addr = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, -1, 0);
if (addr == MAP_FAILED)
err("make_pagefault");
memset(addr, 0, size);
munmap(addr, size);
}
}
void consume(int mega)
{
size_t sz = mega * 1024 * 1024;
void *ptr;
ptr = malloc(sz);
memset(ptr, 0, sz);
make_pagefault();
}
pid_t __fork(void)
{
pid_t pid;
pid = fork();
make_pagefault();
return pid;
}
common.h
========
void show_rusage(char *prefix);
void make_pagefault(void);
void consume(int mega);
pid_t __fork(void);
FreeBSD result (expected result)
========================================================
allocate 100MB
testcase1: fork inherit?
expect: initial.self ~= child.self
initial: self 103492 children 0
fork child: self 103540 children 0
testcase2: fork inherit? (cont.)
expect: initial.children ~= 100MB, but child.children = 0
initial: self 103540 children 103540
child: self 103564 children 0
testcase3: fork + malloc
expect: child.self ~= initial.self + 50MB
initial: self 103564 children 103564
allocate +50MB
fork child: self 154860 children 0
testcase4: grandchild maxrss
expect: post_wait.children ~= 300MB
initial: self 103564 children 154860
grandchild alloc 300MB
post_wait: self 103564 children 308720
testcase5: zombie
expect: pre_wait ~= initial, IOW the zombie process is not accounted.
post_wait ~= 400MB, IOW wait() collect child's max_rss.
initial: self 103564 children 308720
child alloc 400MB
pre_wait: self 103564 children 308720
post_wait: self 103564 children 411312
testcase6: SIG_IGN
expect: initial ~= after_zombie (child's 500MB alloc should be ignored).
initial: self 103564 children 411312
child alloc 500MB
after_zombie: self 103624 children 411312
testcase7: exec (without fork)
expect: initial ~= exec
initial: self 103624 children 411312
exec: self 103624 children 411312
Linux result (actual test result)
========================================================
allocate 100MB
testcase1: fork inherit?
expect: initial.self ~= child.self
initial: self 102848 children 0
fork child: self 102572 children 0
testcase2: fork inherit? (cont.)
expect: initial.children ~= 100MB, but child.children = 0
initial: self 102876 children 102644
child: self 102572 children 0
testcase3: fork + malloc
expect: child.self ~= initial.self + 50MB
initial: self 102876 children 102644
allocate +50MB
fork child: self 153804 children 0
testcase4: grandchild maxrss
expect: post_wait.children ~= 300MB
initial: self 102876 children 153864
grandchild alloc 300MB
post_wait: self 102876 children 307536
testcase5: zombie
expect: pre_wait ~= initial, IOW the zombie process is not accounted.
post_wait ~= 400MB, IOW wait() collect child's max_rss.
initial: self 102876 children 307536
child alloc 400MB
pre_wait: self 102876 children 307536
post_wait: self 102876 children 410076
testcase6: SIG_IGN
expect: initial ~= after_zombie (child's 500MB alloc should be ignored).
initial: self 102876 children 410076
child alloc 500MB
after_zombie: self 102880 children 410076
testcase7: exec (without fork)
expect: initial ~= exec
initial: self 102880 children 410076
exec: self 102880 children 410076
Signed-off-by: Jiri Pirko <jpirko@redhat.com>
Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-09-22 23:44:10 +00:00
|
|
|
maxrss = max(sig->maxrss, sig->cmaxrss);
|
|
|
|
if (psig->cmaxrss < maxrss)
|
|
|
|
psig->cmaxrss = maxrss;
|
2008-07-27 15:29:15 +00:00
|
|
|
task_io_accounting_add(&psig->ioac, &p->ioac);
|
|
|
|
task_io_accounting_add(&psig->ioac, &sig->ioac);
|
2024-01-23 15:34:00 +00:00
|
|
|
write_sequnlock_irq(&psig->stats_lock);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
2017-05-15 00:25:02 +00:00
|
|
|
if (wo->wo_rusage)
|
|
|
|
getrusage(p, RUSAGE_BOTH, wo->wo_rusage);
|
2005-04-16 22:20:36 +00:00
|
|
|
status = (p->signal->flags & SIGNAL_GROUP_EXIT)
|
|
|
|
? p->signal->group_exit_code : p->exit_code;
|
2017-05-15 00:39:39 +00:00
|
|
|
wo->wo_stat = status;
|
wait_task_zombie: fix 2/3 races vs forget_original_parent()
Two threads, T1 and T2. T2 ptraces P, and P is not a child of ptracer's
thread group. P exits and goes to TASK_ZOMBIE.
T1 does wait_task_zombie(P):
P->exit_state = TASK_DEAD;
...
read_unlock(&tasklist_lock);
T2 does exit(), takes tasklist,
forget_original_parent() does
__ptrace_unlink(P) but doesn't
call do_notify_parent(P) because
p->exit_state == EXIT_DEAD.
Now, P is not visible to our process: __ptrace_unlink() removed it from
->children. We should send notification to P->parent and release P if and
only if SIGCHLD is ignored.
And we have 3 bugs:
1. P->parent does do_wait() and gets -ECHILD (P is on ->parent->children,
but its state is TASK_DEAD).
2. // wait_task_zombie() continues
if (put_user(...)) {
// TODO: is this safe?
p->exit_state = EXIT_ZOMBIE;
return;
}
we return without notification/release, task_struct leaked.
Solution: ignore -EFAULT and proceed. It is an application's bug if
we can't fill infop/stat_addr (in case of VM_FAULT_OOM we have much
more problems).
3. // wait_task_zombie() continues
if (p->real_parent != p->parent) {
// Not taken, it was untraced'ed
...
}
release_task(p);
we released the task which we shouldn't.
Solution: check ->real_parent != ->parent before, under tasklist_lock,
but use ptrace_unlink() instead of __ptrace_unlink() to check ->ptrace.
This patch hopefully solves 2 and 3, the 1st bug will be fixed later, we need
some cleanups in forget_original_parent/reparent_thread.
However, the first race is very unlikely and not critical, so I hope it makes
sense to fix 1 and 2 for now.
4. Small cleanup: don't "restore" EXIT_ZOMBIE unless we know we are not going
to realease the child.
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Roland McGrath <roland@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-10-17 06:26:58 +00:00
|
|
|
|
2014-04-07 22:38:43 +00:00
|
|
|
if (state == EXIT_TRACE) {
|
2005-04-16 22:20:36 +00:00
|
|
|
write_lock_irq(&tasklist_lock);
|
wait_task_zombie: fix 2/3 races vs forget_original_parent()
Two threads, T1 and T2. T2 ptraces P, and P is not a child of ptracer's
thread group. P exits and goes to TASK_ZOMBIE.
T1 does wait_task_zombie(P):
P->exit_state = TASK_DEAD;
...
read_unlock(&tasklist_lock);
T2 does exit(), takes tasklist,
forget_original_parent() does
__ptrace_unlink(P) but doesn't
call do_notify_parent(P) because
p->exit_state == EXIT_DEAD.
Now, P is not visible to our process: __ptrace_unlink() removed it from
->children. We should send notification to P->parent and release P if and
only if SIGCHLD is ignored.
And we have 3 bugs:
1. P->parent does do_wait() and gets -ECHILD (P is on ->parent->children,
but its state is TASK_DEAD).
2. // wait_task_zombie() continues
if (put_user(...)) {
// TODO: is this safe?
p->exit_state = EXIT_ZOMBIE;
return;
}
we return without notification/release, task_struct leaked.
Solution: ignore -EFAULT and proceed. It is an application's bug if
we can't fill infop/stat_addr (in case of VM_FAULT_OOM we have much
more problems).
3. // wait_task_zombie() continues
if (p->real_parent != p->parent) {
// Not taken, it was untraced'ed
...
}
release_task(p);
we released the task which we shouldn't.
Solution: check ->real_parent != ->parent before, under tasklist_lock,
but use ptrace_unlink() instead of __ptrace_unlink() to check ->ptrace.
This patch hopefully solves 2 and 3, the 1st bug will be fixed later, we need
some cleanups in forget_original_parent/reparent_thread.
However, the first race is very unlikely and not critical, so I hope it makes
sense to fix 1 and 2 for now.
4. Small cleanup: don't "restore" EXIT_ZOMBIE unless we know we are not going
to realease the child.
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Roland McGrath <roland@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-10-17 06:26:58 +00:00
|
|
|
/* We dropped tasklist, ptracer could die and untrace */
|
|
|
|
ptrace_unlink(p);
|
2014-04-07 22:38:43 +00:00
|
|
|
|
|
|
|
/* If parent wants a zombie, don't release it now */
|
|
|
|
state = EXIT_ZOMBIE;
|
|
|
|
if (do_notify_parent(p, p->exit_signal))
|
|
|
|
state = EXIT_DEAD;
|
wait: introduce EXIT_TRACE to avoid the racy EXIT_DEAD->EXIT_ZOMBIE transition
wait_task_zombie() first does EXIT_ZOMBIE->EXIT_DEAD transition and
drops tasklist_lock. If this task is not the natural child and it is
traced, we change its state back to EXIT_ZOMBIE for ->real_parent.
The last transition is racy, this is even documented in 50b8d257486a
"ptrace: partially fix the do_wait(WEXITED) vs EXIT_DEAD->EXIT_ZOMBIE
race". wait_consider_task() tries to detect this transition and clear
->notask_error but we can't rely on ptrace_reparented(), debugger can
exit and do ptrace_unlink() before its sub-thread sets EXIT_ZOMBIE.
And there is another problem which were missed before: this transition
can also race with reparent_leader() which doesn't reset >exit_signal if
EXIT_DEAD, assuming that this task must be reaped by someone else. So
the tracee can be re-parented with ->exit_signal != SIGCHLD, and if
/sbin/init doesn't use __WALL it becomes unreapable. This was fixed by
the previous commit, but it was the temporary hack.
1. Add the new exit_state, EXIT_TRACE. It means that the task is the
traced zombie, debugger is going to detach and notify its natural
parent.
This new state is actually EXIT_ZOMBIE | EXIT_DEAD. This way we
can avoid the changes in proc/kgdb code, get_task_state() still
reports "X (dead)" in this case.
Note: with or without this change userspace can see Z -> X -> Z
transition. Not really bad, but probably makes sense to fix.
2. Change wait_task_zombie() to use EXIT_TRACE instead of EXIT_DEAD
if we need to notify the ->real_parent.
3. Revert the previous hack in reparent_leader(), now that EXIT_DEAD
is always the final state we can safely ignore such a task.
4. Change wait_consider_task() to check EXIT_TRACE separately and kill
the racy and no longer needed ptrace_reparented() case.
If ptrace == T an EXIT_TRACE thread should be simply ignored, the
owner of this state is going to ptrace_unlink() this task. We can
pretend that it was already removed from ->ptraced list.
Otherwise we should skip this thread too but clear ->notask_error,
we must be the natural parent and debugger is going to untrace and
notify us. IOW, this doesn't differ from "EXIT_ZOMBIE && p->ptrace"
even if the task was already untraced.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Reported-by: Jan Kratochvil <jan.kratochvil@redhat.com>
Reported-by: Michal Schmidt <mschmidt@redhat.com>
Tested-by: Michal Schmidt <mschmidt@redhat.com>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Lennart Poettering <lpoetter@redhat.com>
Cc: Roland McGrath <roland@hack.frob.com>
Cc: Tejun Heo <tj@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-04-07 22:38:42 +00:00
|
|
|
p->exit_state = state;
|
2005-04-16 22:20:36 +00:00
|
|
|
write_unlock_irq(&tasklist_lock);
|
|
|
|
}
|
wait: introduce EXIT_TRACE to avoid the racy EXIT_DEAD->EXIT_ZOMBIE transition
wait_task_zombie() first does EXIT_ZOMBIE->EXIT_DEAD transition and
drops tasklist_lock. If this task is not the natural child and it is
traced, we change its state back to EXIT_ZOMBIE for ->real_parent.
The last transition is racy, this is even documented in 50b8d257486a
"ptrace: partially fix the do_wait(WEXITED) vs EXIT_DEAD->EXIT_ZOMBIE
race". wait_consider_task() tries to detect this transition and clear
->notask_error but we can't rely on ptrace_reparented(), debugger can
exit and do ptrace_unlink() before its sub-thread sets EXIT_ZOMBIE.
And there is another problem which were missed before: this transition
can also race with reparent_leader() which doesn't reset >exit_signal if
EXIT_DEAD, assuming that this task must be reaped by someone else. So
the tracee can be re-parented with ->exit_signal != SIGCHLD, and if
/sbin/init doesn't use __WALL it becomes unreapable. This was fixed by
the previous commit, but it was the temporary hack.
1. Add the new exit_state, EXIT_TRACE. It means that the task is the
traced zombie, debugger is going to detach and notify its natural
parent.
This new state is actually EXIT_ZOMBIE | EXIT_DEAD. This way we
can avoid the changes in proc/kgdb code, get_task_state() still
reports "X (dead)" in this case.
Note: with or without this change userspace can see Z -> X -> Z
transition. Not really bad, but probably makes sense to fix.
2. Change wait_task_zombie() to use EXIT_TRACE instead of EXIT_DEAD
if we need to notify the ->real_parent.
3. Revert the previous hack in reparent_leader(), now that EXIT_DEAD
is always the final state we can safely ignore such a task.
4. Change wait_consider_task() to check EXIT_TRACE separately and kill
the racy and no longer needed ptrace_reparented() case.
If ptrace == T an EXIT_TRACE thread should be simply ignored, the
owner of this state is going to ptrace_unlink() this task. We can
pretend that it was already removed from ->ptraced list.
Otherwise we should skip this thread too but clear ->notask_error,
we must be the natural parent and debugger is going to untrace and
notify us. IOW, this doesn't differ from "EXIT_ZOMBIE && p->ptrace"
even if the task was already untraced.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Reported-by: Jan Kratochvil <jan.kratochvil@redhat.com>
Reported-by: Michal Schmidt <mschmidt@redhat.com>
Tested-by: Michal Schmidt <mschmidt@redhat.com>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Lennart Poettering <lpoetter@redhat.com>
Cc: Roland McGrath <roland@hack.frob.com>
Cc: Tejun Heo <tj@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-04-07 22:38:42 +00:00
|
|
|
if (state == EXIT_DEAD)
|
2005-04-16 22:20:36 +00:00
|
|
|
release_task(p);
|
wait_task_zombie: fix 2/3 races vs forget_original_parent()
Two threads, T1 and T2. T2 ptraces P, and P is not a child of ptracer's
thread group. P exits and goes to TASK_ZOMBIE.
T1 does wait_task_zombie(P):
P->exit_state = TASK_DEAD;
...
read_unlock(&tasklist_lock);
T2 does exit(), takes tasklist,
forget_original_parent() does
__ptrace_unlink(P) but doesn't
call do_notify_parent(P) because
p->exit_state == EXIT_DEAD.
Now, P is not visible to our process: __ptrace_unlink() removed it from
->children. We should send notification to P->parent and release P if and
only if SIGCHLD is ignored.
And we have 3 bugs:
1. P->parent does do_wait() and gets -ECHILD (P is on ->parent->children,
but its state is TASK_DEAD).
2. // wait_task_zombie() continues
if (put_user(...)) {
// TODO: is this safe?
p->exit_state = EXIT_ZOMBIE;
return;
}
we return without notification/release, task_struct leaked.
Solution: ignore -EFAULT and proceed. It is an application's bug if
we can't fill infop/stat_addr (in case of VM_FAULT_OOM we have much
more problems).
3. // wait_task_zombie() continues
if (p->real_parent != p->parent) {
// Not taken, it was untraced'ed
...
}
release_task(p);
we released the task which we shouldn't.
Solution: check ->real_parent != ->parent before, under tasklist_lock,
but use ptrace_unlink() instead of __ptrace_unlink() to check ->ptrace.
This patch hopefully solves 2 and 3, the 1st bug will be fixed later, we need
some cleanups in forget_original_parent/reparent_thread.
However, the first race is very unlikely and not critical, so I hope it makes
sense to fix 1 and 2 for now.
4. Small cleanup: don't "restore" EXIT_ZOMBIE unless we know we are not going
to realease the child.
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Roland McGrath <roland@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-10-17 06:26:58 +00:00
|
|
|
|
2017-05-15 01:38:26 +00:00
|
|
|
out_info:
|
|
|
|
infop = wo->wo_info;
|
|
|
|
if (infop) {
|
|
|
|
if ((status & 0x7f) == 0) {
|
|
|
|
infop->cause = CLD_EXITED;
|
|
|
|
infop->status = status >> 8;
|
|
|
|
} else {
|
|
|
|
infop->cause = (status & 0x80) ? CLD_DUMPED : CLD_KILLED;
|
|
|
|
infop->status = status & 0x7f;
|
|
|
|
}
|
|
|
|
infop->pid = pid;
|
|
|
|
infop->uid = uid;
|
|
|
|
}
|
|
|
|
|
2017-05-15 00:53:13 +00:00
|
|
|
return pid;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
do_wait: fix waiting for the group stop with the dead leader
do_wait(WSTOPPED) assumes that p->state must be == TASK_STOPPED, this is
not true if the leader is already dead. Check SIGNAL_STOP_STOPPED instead
and use signal->group_exit_code.
Trivial test-case:
void *tfunc(void *arg)
{
pause();
return NULL;
}
int main(void)
{
pthread_t thr;
pthread_create(&thr, NULL, tfunc, NULL);
pthread_exit(NULL);
return 0;
}
It doesn't react to ^Z (and then to ^C or ^\). The task is stopped, but
bash can't see this.
The bug is very old, and it was reported multiple times. This patch was sent
more than a year ago (http://marc.info/?t=119713920000003) but it was ignored.
This change also fixes other oddities (but not all) in this area. For
example, before this patch:
$ sleep 100
^Z
[1]+ Stopped sleep 100
$ strace -p `pidof sleep`
Process 11442 attached - interrupt to quit
strace hangs in do_wait(), because ->exit_code was already consumed by
bash. After this patch, strace happily proceeds:
--- SIGTSTP (Stopped) @ 0 (0) ---
restart_syscall(<... resuming interrupted call ...>
To me, this looks much more "natural" and correct.
Another example. Let's suppose we have the main thread M and sub-thread
T, the process is stopped, and its parent did wait(WSTOPPED). Now we can
ptrace T but not M. This looks at least strange to me.
Imho, do_wait() should not confuse the per-thread ptrace stops with the
per-process job control stops.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Jan Kratochvil <jan.kratochvil@redhat.com>
Cc: Kaz Kylheku <kkylheku@gmail.com>
Cc: Michael Kerrisk <mtk.manpages@googlemail.com>
Cc: Roland McGrath <roland@redhat.com>
Cc: Ulrich Drepper <drepper@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-04-02 23:57:58 +00:00
|
|
|
static int *task_stopped_code(struct task_struct *p, bool ptrace)
|
|
|
|
{
|
|
|
|
if (ptrace) {
|
2016-01-20 22:59:58 +00:00
|
|
|
if (task_is_traced(p) && !(p->jobctl & JOBCTL_LISTENING))
|
do_wait: fix waiting for the group stop with the dead leader
do_wait(WSTOPPED) assumes that p->state must be == TASK_STOPPED, this is
not true if the leader is already dead. Check SIGNAL_STOP_STOPPED instead
and use signal->group_exit_code.
Trivial test-case:
void *tfunc(void *arg)
{
pause();
return NULL;
}
int main(void)
{
pthread_t thr;
pthread_create(&thr, NULL, tfunc, NULL);
pthread_exit(NULL);
return 0;
}
It doesn't react to ^Z (and then to ^C or ^\). The task is stopped, but
bash can't see this.
The bug is very old, and it was reported multiple times. This patch was sent
more than a year ago (http://marc.info/?t=119713920000003) but it was ignored.
This change also fixes other oddities (but not all) in this area. For
example, before this patch:
$ sleep 100
^Z
[1]+ Stopped sleep 100
$ strace -p `pidof sleep`
Process 11442 attached - interrupt to quit
strace hangs in do_wait(), because ->exit_code was already consumed by
bash. After this patch, strace happily proceeds:
--- SIGTSTP (Stopped) @ 0 (0) ---
restart_syscall(<... resuming interrupted call ...>
To me, this looks much more "natural" and correct.
Another example. Let's suppose we have the main thread M and sub-thread
T, the process is stopped, and its parent did wait(WSTOPPED). Now we can
ptrace T but not M. This looks at least strange to me.
Imho, do_wait() should not confuse the per-thread ptrace stops with the
per-process job control stops.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Jan Kratochvil <jan.kratochvil@redhat.com>
Cc: Kaz Kylheku <kkylheku@gmail.com>
Cc: Michael Kerrisk <mtk.manpages@googlemail.com>
Cc: Roland McGrath <roland@redhat.com>
Cc: Ulrich Drepper <drepper@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-04-02 23:57:58 +00:00
|
|
|
return &p->exit_code;
|
|
|
|
} else {
|
|
|
|
if (p->signal->flags & SIGNAL_STOP_STOPPED)
|
|
|
|
return &p->signal->group_exit_code;
|
|
|
|
}
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2011-05-12 08:47:23 +00:00
|
|
|
/**
|
|
|
|
* wait_task_stopped - Wait for %TASK_STOPPED or %TASK_TRACED
|
|
|
|
* @wo: wait options
|
|
|
|
* @ptrace: is the wait for ptrace
|
|
|
|
* @p: task to wait for
|
|
|
|
*
|
|
|
|
* Handle sys_wait4() work for %p in state %TASK_STOPPED or %TASK_TRACED.
|
|
|
|
*
|
|
|
|
* CONTEXT:
|
|
|
|
* read_lock(&tasklist_lock), which is released if return value is
|
|
|
|
* non-zero. Also, grabs and releases @p->sighand->siglock.
|
|
|
|
*
|
|
|
|
* RETURNS:
|
|
|
|
* 0 if wait condition didn't exist and search for other wait conditions
|
|
|
|
* should continue. Non-zero return, -errno on failure and @p's pid on
|
|
|
|
* success, implies that tasklist_lock is released and wait condition
|
|
|
|
* search should terminate.
|
2005-04-16 22:20:36 +00:00
|
|
|
*/
|
2009-06-17 23:27:39 +00:00
|
|
|
static int wait_task_stopped(struct wait_opts *wo,
|
|
|
|
int ptrace, struct task_struct *p)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2017-05-15 00:53:13 +00:00
|
|
|
struct waitid_info *infop;
|
|
|
|
int exit_code, *p_code, why;
|
2008-02-08 12:19:01 +00:00
|
|
|
uid_t uid = 0; /* unneeded, required by compiler */
|
2007-11-29 00:21:24 +00:00
|
|
|
pid_t pid;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2009-06-17 23:27:39 +00:00
|
|
|
/*
|
|
|
|
* Traditionally we see ptrace'd stopped tasks regardless of options.
|
|
|
|
*/
|
2009-06-17 23:27:39 +00:00
|
|
|
if (!ptrace && !(wo->wo_flags & WUNTRACED))
|
2008-03-20 02:24:59 +00:00
|
|
|
return 0;
|
|
|
|
|
2011-05-12 08:47:23 +00:00
|
|
|
if (!task_stopped_code(p, ptrace))
|
|
|
|
return 0;
|
|
|
|
|
2008-02-08 12:19:01 +00:00
|
|
|
exit_code = 0;
|
|
|
|
spin_lock_irq(&p->sighand->siglock);
|
|
|
|
|
do_wait: fix waiting for the group stop with the dead leader
do_wait(WSTOPPED) assumes that p->state must be == TASK_STOPPED, this is
not true if the leader is already dead. Check SIGNAL_STOP_STOPPED instead
and use signal->group_exit_code.
Trivial test-case:
void *tfunc(void *arg)
{
pause();
return NULL;
}
int main(void)
{
pthread_t thr;
pthread_create(&thr, NULL, tfunc, NULL);
pthread_exit(NULL);
return 0;
}
It doesn't react to ^Z (and then to ^C or ^\). The task is stopped, but
bash can't see this.
The bug is very old, and it was reported multiple times. This patch was sent
more than a year ago (http://marc.info/?t=119713920000003) but it was ignored.
This change also fixes other oddities (but not all) in this area. For
example, before this patch:
$ sleep 100
^Z
[1]+ Stopped sleep 100
$ strace -p `pidof sleep`
Process 11442 attached - interrupt to quit
strace hangs in do_wait(), because ->exit_code was already consumed by
bash. After this patch, strace happily proceeds:
--- SIGTSTP (Stopped) @ 0 (0) ---
restart_syscall(<... resuming interrupted call ...>
To me, this looks much more "natural" and correct.
Another example. Let's suppose we have the main thread M and sub-thread
T, the process is stopped, and its parent did wait(WSTOPPED). Now we can
ptrace T but not M. This looks at least strange to me.
Imho, do_wait() should not confuse the per-thread ptrace stops with the
per-process job control stops.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Jan Kratochvil <jan.kratochvil@redhat.com>
Cc: Kaz Kylheku <kkylheku@gmail.com>
Cc: Michael Kerrisk <mtk.manpages@googlemail.com>
Cc: Roland McGrath <roland@redhat.com>
Cc: Ulrich Drepper <drepper@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-04-02 23:57:58 +00:00
|
|
|
p_code = task_stopped_code(p, ptrace);
|
|
|
|
if (unlikely(!p_code))
|
2008-02-08 12:19:01 +00:00
|
|
|
goto unlock_sig;
|
|
|
|
|
do_wait: fix waiting for the group stop with the dead leader
do_wait(WSTOPPED) assumes that p->state must be == TASK_STOPPED, this is
not true if the leader is already dead. Check SIGNAL_STOP_STOPPED instead
and use signal->group_exit_code.
Trivial test-case:
void *tfunc(void *arg)
{
pause();
return NULL;
}
int main(void)
{
pthread_t thr;
pthread_create(&thr, NULL, tfunc, NULL);
pthread_exit(NULL);
return 0;
}
It doesn't react to ^Z (and then to ^C or ^\). The task is stopped, but
bash can't see this.
The bug is very old, and it was reported multiple times. This patch was sent
more than a year ago (http://marc.info/?t=119713920000003) but it was ignored.
This change also fixes other oddities (but not all) in this area. For
example, before this patch:
$ sleep 100
^Z
[1]+ Stopped sleep 100
$ strace -p `pidof sleep`
Process 11442 attached - interrupt to quit
strace hangs in do_wait(), because ->exit_code was already consumed by
bash. After this patch, strace happily proceeds:
--- SIGTSTP (Stopped) @ 0 (0) ---
restart_syscall(<... resuming interrupted call ...>
To me, this looks much more "natural" and correct.
Another example. Let's suppose we have the main thread M and sub-thread
T, the process is stopped, and its parent did wait(WSTOPPED). Now we can
ptrace T but not M. This looks at least strange to me.
Imho, do_wait() should not confuse the per-thread ptrace stops with the
per-process job control stops.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Jan Kratochvil <jan.kratochvil@redhat.com>
Cc: Kaz Kylheku <kkylheku@gmail.com>
Cc: Michael Kerrisk <mtk.manpages@googlemail.com>
Cc: Roland McGrath <roland@redhat.com>
Cc: Ulrich Drepper <drepper@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-04-02 23:57:58 +00:00
|
|
|
exit_code = *p_code;
|
2008-02-08 12:19:01 +00:00
|
|
|
if (!exit_code)
|
|
|
|
goto unlock_sig;
|
|
|
|
|
2009-06-17 23:27:39 +00:00
|
|
|
if (!unlikely(wo->wo_flags & WNOWAIT))
|
do_wait: fix waiting for the group stop with the dead leader
do_wait(WSTOPPED) assumes that p->state must be == TASK_STOPPED, this is
not true if the leader is already dead. Check SIGNAL_STOP_STOPPED instead
and use signal->group_exit_code.
Trivial test-case:
void *tfunc(void *arg)
{
pause();
return NULL;
}
int main(void)
{
pthread_t thr;
pthread_create(&thr, NULL, tfunc, NULL);
pthread_exit(NULL);
return 0;
}
It doesn't react to ^Z (and then to ^C or ^\). The task is stopped, but
bash can't see this.
The bug is very old, and it was reported multiple times. This patch was sent
more than a year ago (http://marc.info/?t=119713920000003) but it was ignored.
This change also fixes other oddities (but not all) in this area. For
example, before this patch:
$ sleep 100
^Z
[1]+ Stopped sleep 100
$ strace -p `pidof sleep`
Process 11442 attached - interrupt to quit
strace hangs in do_wait(), because ->exit_code was already consumed by
bash. After this patch, strace happily proceeds:
--- SIGTSTP (Stopped) @ 0 (0) ---
restart_syscall(<... resuming interrupted call ...>
To me, this looks much more "natural" and correct.
Another example. Let's suppose we have the main thread M and sub-thread
T, the process is stopped, and its parent did wait(WSTOPPED). Now we can
ptrace T but not M. This looks at least strange to me.
Imho, do_wait() should not confuse the per-thread ptrace stops with the
per-process job control stops.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Jan Kratochvil <jan.kratochvil@redhat.com>
Cc: Kaz Kylheku <kkylheku@gmail.com>
Cc: Michael Kerrisk <mtk.manpages@googlemail.com>
Cc: Roland McGrath <roland@redhat.com>
Cc: Ulrich Drepper <drepper@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-04-02 23:57:58 +00:00
|
|
|
*p_code = 0;
|
2008-02-08 12:19:01 +00:00
|
|
|
|
2012-05-17 21:31:39 +00:00
|
|
|
uid = from_kuid_munged(current_user_ns(), task_uid(p));
|
2008-02-08 12:19:01 +00:00
|
|
|
unlock_sig:
|
|
|
|
spin_unlock_irq(&p->sighand->siglock);
|
|
|
|
if (!exit_code)
|
2005-04-16 22:20:36 +00:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Now we are pretty sure this task is interesting.
|
|
|
|
* Make sure it doesn't get reaped out from under us while we
|
|
|
|
* give up the lock and then examine it below. We don't want to
|
|
|
|
* keep holding onto the tasklist_lock while we call getrusage and
|
|
|
|
* possibly take page faults for user memory.
|
|
|
|
*/
|
|
|
|
get_task_struct(p);
|
2008-02-08 12:19:20 +00:00
|
|
|
pid = task_pid_vnr(p);
|
2008-03-25 01:36:23 +00:00
|
|
|
why = ptrace ? CLD_TRAPPED : CLD_STOPPED;
|
2005-04-16 22:20:36 +00:00
|
|
|
read_unlock(&tasklist_lock);
|
2014-09-24 08:18:49 +00:00
|
|
|
sched_annotate_sleep();
|
2017-05-15 01:25:03 +00:00
|
|
|
if (wo->wo_rusage)
|
|
|
|
getrusage(p, RUSAGE_BOTH, wo->wo_rusage);
|
2017-05-15 01:33:21 +00:00
|
|
|
put_task_struct(p);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2017-05-15 01:33:21 +00:00
|
|
|
if (likely(!(wo->wo_flags & WNOWAIT)))
|
|
|
|
wo->wo_stat = (exit_code << 8) | 0x7f;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2009-06-17 23:27:39 +00:00
|
|
|
infop = wo->wo_info;
|
2017-05-15 00:53:13 +00:00
|
|
|
if (infop) {
|
|
|
|
infop->cause = why;
|
|
|
|
infop->status = exit_code;
|
|
|
|
infop->pid = pid;
|
|
|
|
infop->uid = uid;
|
|
|
|
}
|
|
|
|
return pid;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Handle do_wait work for one task in a live, non-stopped state.
|
|
|
|
* read_lock(&tasklist_lock) on entry. If we return zero, we still hold
|
|
|
|
* the lock and this task is uninteresting. If we return nonzero, we have
|
|
|
|
* released the lock and the system call should return.
|
|
|
|
*/
|
2009-06-17 23:27:39 +00:00
|
|
|
static int wait_task_continued(struct wait_opts *wo, struct task_struct *p)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2017-05-15 01:33:21 +00:00
|
|
|
struct waitid_info *infop;
|
2005-04-16 22:20:36 +00:00
|
|
|
pid_t pid;
|
|
|
|
uid_t uid;
|
|
|
|
|
2009-06-17 23:27:39 +00:00
|
|
|
if (!unlikely(wo->wo_flags & WCONTINUED))
|
2008-03-20 02:24:59 +00:00
|
|
|
return 0;
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
if (!(p->signal->flags & SIGNAL_STOP_CONTINUED))
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
spin_lock_irq(&p->sighand->siglock);
|
|
|
|
/* Re-check with the lock held. */
|
|
|
|
if (!(p->signal->flags & SIGNAL_STOP_CONTINUED)) {
|
|
|
|
spin_unlock_irq(&p->sighand->siglock);
|
|
|
|
return 0;
|
|
|
|
}
|
2009-06-17 23:27:39 +00:00
|
|
|
if (!unlikely(wo->wo_flags & WNOWAIT))
|
2005-04-16 22:20:36 +00:00
|
|
|
p->signal->flags &= ~SIGNAL_STOP_CONTINUED;
|
2012-05-17 21:31:39 +00:00
|
|
|
uid = from_kuid_munged(current_user_ns(), task_uid(p));
|
2005-04-16 22:20:36 +00:00
|
|
|
spin_unlock_irq(&p->sighand->siglock);
|
|
|
|
|
2008-02-08 12:19:20 +00:00
|
|
|
pid = task_pid_vnr(p);
|
2005-04-16 22:20:36 +00:00
|
|
|
get_task_struct(p);
|
|
|
|
read_unlock(&tasklist_lock);
|
2014-09-24 08:18:49 +00:00
|
|
|
sched_annotate_sleep();
|
2017-05-15 01:25:03 +00:00
|
|
|
if (wo->wo_rusage)
|
|
|
|
getrusage(p, RUSAGE_BOTH, wo->wo_rusage);
|
2017-05-15 01:33:21 +00:00
|
|
|
put_task_struct(p);
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2017-05-15 01:33:21 +00:00
|
|
|
infop = wo->wo_info;
|
|
|
|
if (!infop) {
|
2017-05-15 00:39:39 +00:00
|
|
|
wo->wo_stat = 0xffff;
|
2005-04-16 22:20:36 +00:00
|
|
|
} else {
|
2017-05-15 01:33:21 +00:00
|
|
|
infop->cause = CLD_CONTINUED;
|
|
|
|
infop->pid = pid;
|
|
|
|
infop->uid = uid;
|
|
|
|
infop->status = SIGCONT;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
2017-05-15 01:33:21 +00:00
|
|
|
return pid;
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
2008-03-20 02:24:59 +00:00
|
|
|
/*
|
|
|
|
* Consider @p for a wait by @parent.
|
|
|
|
*
|
2009-06-17 23:27:39 +00:00
|
|
|
* -ECHILD should be in ->notask_error before the first call.
|
2008-03-20 02:24:59 +00:00
|
|
|
* Returns nonzero for a final return, when we have unlocked tasklist_lock.
|
|
|
|
* Returns zero if the search for a child should continue;
|
2009-06-17 23:27:39 +00:00
|
|
|
* then ->notask_error is 0 if @p is an eligible child,
|
2017-01-10 17:28:32 +00:00
|
|
|
* or still -ECHILD.
|
2008-03-20 02:24:59 +00:00
|
|
|
*/
|
2009-09-23 22:56:50 +00:00
|
|
|
static int wait_consider_task(struct wait_opts *wo, int ptrace,
|
|
|
|
struct task_struct *p)
|
2008-03-20 02:24:59 +00:00
|
|
|
{
|
2015-01-08 22:32:12 +00:00
|
|
|
/*
|
|
|
|
* We can race with wait_task_zombie() from another thread.
|
|
|
|
* Ensure that EXIT_ZOMBIE -> EXIT_DEAD/EXIT_TRACE transition
|
|
|
|
* can't confuse the checks below.
|
|
|
|
*/
|
locking/atomics: COCCINELLE/treewide: Convert trivial ACCESS_ONCE() patterns to READ_ONCE()/WRITE_ONCE()
Please do not apply this to mainline directly, instead please re-run the
coccinelle script shown below and apply its output.
For several reasons, it is desirable to use {READ,WRITE}_ONCE() in
preference to ACCESS_ONCE(), and new code is expected to use one of the
former. So far, there's been no reason to change most existing uses of
ACCESS_ONCE(), as these aren't harmful, and changing them results in
churn.
However, for some features, the read/write distinction is critical to
correct operation. To distinguish these cases, separate read/write
accessors must be used. This patch migrates (most) remaining
ACCESS_ONCE() instances to {READ,WRITE}_ONCE(), using the following
coccinelle script:
----
// Convert trivial ACCESS_ONCE() uses to equivalent READ_ONCE() and
// WRITE_ONCE()
// $ make coccicheck COCCI=/home/mark/once.cocci SPFLAGS="--include-headers" MODE=patch
virtual patch
@ depends on patch @
expression E1, E2;
@@
- ACCESS_ONCE(E1) = E2
+ WRITE_ONCE(E1, E2)
@ depends on patch @
expression E;
@@
- ACCESS_ONCE(E)
+ READ_ONCE(E)
----
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: davem@davemloft.net
Cc: linux-arch@vger.kernel.org
Cc: mpe@ellerman.id.au
Cc: shuah@kernel.org
Cc: snitzer@redhat.com
Cc: thor.thayer@linux.intel.com
Cc: tj@kernel.org
Cc: viro@zeniv.linux.org.uk
Cc: will.deacon@arm.com
Link: http://lkml.kernel.org/r/1508792849-3115-19-git-send-email-paulmck@linux.vnet.ibm.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2017-10-23 21:07:29 +00:00
|
|
|
int exit_state = READ_ONCE(p->exit_state);
|
2014-04-07 22:38:45 +00:00
|
|
|
int ret;
|
|
|
|
|
2015-01-08 22:32:12 +00:00
|
|
|
if (unlikely(exit_state == EXIT_DEAD))
|
2014-04-07 22:38:45 +00:00
|
|
|
return 0;
|
|
|
|
|
wait/ptrace: assume __WALL if the child is traced
The following program (simplified version of generated by syzkaller)
#include <pthread.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <stdio.h>
#include <signal.h>
void *thread_func(void *arg)
{
ptrace(PTRACE_TRACEME, 0,0,0);
return 0;
}
int main(void)
{
pthread_t thread;
if (fork())
return 0;
while (getppid() != 1)
;
pthread_create(&thread, NULL, thread_func, NULL);
pthread_join(thread, NULL);
return 0;
}
creates an unreapable zombie if /sbin/init doesn't use __WALL.
This is not a kernel bug, at least in a sense that everything works as
expected: debugger should reap a traced sub-thread before it can reap the
leader, but without __WALL/__WCLONE do_wait() ignores sub-threads.
Unfortunately, it seems that /sbin/init in most (all?) distributions
doesn't use it and we have to change the kernel to avoid the problem.
Note also that most init's use sys_waitid() which doesn't allow __WALL, so
the necessary user-space fix is not that trivial.
This patch just adds the "ptrace" check into eligible_child(). To some
degree this matches the "tsk->ptrace" in exit_notify(), ->exit_signal is
mostly ignored when the tracee reports to debugger. Or WSTOPPED, the
tracer doesn't need to set this flag to wait for the stopped tracee.
This obviously means the user-visible change: __WCLONE and __WALL no
longer have any meaning for debugger. And I can only hope that this won't
break something, but at least strace/gdb won't suffer.
We could make a more conservative change. Say, we can take __WCLONE into
account, or !thread_group_leader(). But it would be nice to not
complicate these historical/confusing checks.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Jan Kratochvil <jan.kratochvil@redhat.com>
Cc: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
Cc: Pedro Alves <palves@redhat.com>
Cc: Roland McGrath <roland@hack.frob.com>
Cc: <syzkaller@googlegroups.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-05-23 23:23:50 +00:00
|
|
|
ret = eligible_child(wo, ptrace, p);
|
2008-03-31 01:41:25 +00:00
|
|
|
if (!ret)
|
2008-03-20 02:24:59 +00:00
|
|
|
return ret;
|
|
|
|
|
2015-01-08 22:32:12 +00:00
|
|
|
if (unlikely(exit_state == EXIT_TRACE)) {
|
ptrace: partially fix the do_wait(WEXITED) vs EXIT_DEAD->EXIT_ZOMBIE race
Test-case:
int main(void)
{
int pid, status;
pid = fork();
if (!pid) {
for (;;) {
if (!fork())
return 0;
if (waitpid(-1, &status, 0) < 0) {
printf("ERR!! wait: %m\n");
return 0;
}
}
}
assert(ptrace(PTRACE_ATTACH, pid, 0,0) == 0);
assert(waitpid(-1, NULL, 0) == pid);
assert(ptrace(PTRACE_SETOPTIONS, pid, 0,
PTRACE_O_TRACEFORK) == 0);
do {
ptrace(PTRACE_CONT, pid, 0, 0);
pid = waitpid(-1, NULL, 0);
} while (pid > 0);
return 1;
}
It fails because ->real_parent sees its child in EXIT_DEAD state
while the tracer is going to change the state back to EXIT_ZOMBIE
in wait_task_zombie().
The offending commit is 823b018e which moved the EXIT_DEAD check,
but in fact we should not blame it. The original code was not
correct as well because it didn't take ptrace_reparented() into
account and because we can't really trust ->ptrace.
This patch adds the additional check to close this particular
race but it doesn't solve the whole problem. We simply can't
rely on ->ptrace in this case, it can be cleared if the tracer
is multithreaded by the exiting ->parent.
I think we should kill EXIT_DEAD altogether, we should always
remove the soon-to-be-reaped child from ->children or at least
we should never do the DEAD->ZOMBIE transition. But this is too
complex for 3.2.
Reported-and-tested-by: Denys Vlasenko <vda.linux@googlemail.com>
Tested-by: Lukasz Michalik <lmi@ift.uni.wroc.pl>
Acked-by: Tejun Heo <tj@kernel.org>
Cc: <stable@kernel.org> [3.0+]
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-01-04 16:29:02 +00:00
|
|
|
/*
|
wait: introduce EXIT_TRACE to avoid the racy EXIT_DEAD->EXIT_ZOMBIE transition
wait_task_zombie() first does EXIT_ZOMBIE->EXIT_DEAD transition and
drops tasklist_lock. If this task is not the natural child and it is
traced, we change its state back to EXIT_ZOMBIE for ->real_parent.
The last transition is racy, this is even documented in 50b8d257486a
"ptrace: partially fix the do_wait(WEXITED) vs EXIT_DEAD->EXIT_ZOMBIE
race". wait_consider_task() tries to detect this transition and clear
->notask_error but we can't rely on ptrace_reparented(), debugger can
exit and do ptrace_unlink() before its sub-thread sets EXIT_ZOMBIE.
And there is another problem which were missed before: this transition
can also race with reparent_leader() which doesn't reset >exit_signal if
EXIT_DEAD, assuming that this task must be reaped by someone else. So
the tracee can be re-parented with ->exit_signal != SIGCHLD, and if
/sbin/init doesn't use __WALL it becomes unreapable. This was fixed by
the previous commit, but it was the temporary hack.
1. Add the new exit_state, EXIT_TRACE. It means that the task is the
traced zombie, debugger is going to detach and notify its natural
parent.
This new state is actually EXIT_ZOMBIE | EXIT_DEAD. This way we
can avoid the changes in proc/kgdb code, get_task_state() still
reports "X (dead)" in this case.
Note: with or without this change userspace can see Z -> X -> Z
transition. Not really bad, but probably makes sense to fix.
2. Change wait_task_zombie() to use EXIT_TRACE instead of EXIT_DEAD
if we need to notify the ->real_parent.
3. Revert the previous hack in reparent_leader(), now that EXIT_DEAD
is always the final state we can safely ignore such a task.
4. Change wait_consider_task() to check EXIT_TRACE separately and kill
the racy and no longer needed ptrace_reparented() case.
If ptrace == T an EXIT_TRACE thread should be simply ignored, the
owner of this state is going to ptrace_unlink() this task. We can
pretend that it was already removed from ->ptraced list.
Otherwise we should skip this thread too but clear ->notask_error,
we must be the natural parent and debugger is going to untrace and
notify us. IOW, this doesn't differ from "EXIT_ZOMBIE && p->ptrace"
even if the task was already untraced.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Reported-by: Jan Kratochvil <jan.kratochvil@redhat.com>
Reported-by: Michal Schmidt <mschmidt@redhat.com>
Tested-by: Michal Schmidt <mschmidt@redhat.com>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Lennart Poettering <lpoetter@redhat.com>
Cc: Roland McGrath <roland@hack.frob.com>
Cc: Tejun Heo <tj@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-04-07 22:38:42 +00:00
|
|
|
* ptrace == 0 means we are the natural parent. In this case
|
|
|
|
* we should clear notask_error, debugger will notify us.
|
ptrace: partially fix the do_wait(WEXITED) vs EXIT_DEAD->EXIT_ZOMBIE race
Test-case:
int main(void)
{
int pid, status;
pid = fork();
if (!pid) {
for (;;) {
if (!fork())
return 0;
if (waitpid(-1, &status, 0) < 0) {
printf("ERR!! wait: %m\n");
return 0;
}
}
}
assert(ptrace(PTRACE_ATTACH, pid, 0,0) == 0);
assert(waitpid(-1, NULL, 0) == pid);
assert(ptrace(PTRACE_SETOPTIONS, pid, 0,
PTRACE_O_TRACEFORK) == 0);
do {
ptrace(PTRACE_CONT, pid, 0, 0);
pid = waitpid(-1, NULL, 0);
} while (pid > 0);
return 1;
}
It fails because ->real_parent sees its child in EXIT_DEAD state
while the tracer is going to change the state back to EXIT_ZOMBIE
in wait_task_zombie().
The offending commit is 823b018e which moved the EXIT_DEAD check,
but in fact we should not blame it. The original code was not
correct as well because it didn't take ptrace_reparented() into
account and because we can't really trust ->ptrace.
This patch adds the additional check to close this particular
race but it doesn't solve the whole problem. We simply can't
rely on ->ptrace in this case, it can be cleared if the tracer
is multithreaded by the exiting ->parent.
I think we should kill EXIT_DEAD altogether, we should always
remove the soon-to-be-reaped child from ->children or at least
we should never do the DEAD->ZOMBIE transition. But this is too
complex for 3.2.
Reported-and-tested-by: Denys Vlasenko <vda.linux@googlemail.com>
Tested-by: Lukasz Michalik <lmi@ift.uni.wroc.pl>
Acked-by: Tejun Heo <tj@kernel.org>
Cc: <stable@kernel.org> [3.0+]
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-01-04 16:29:02 +00:00
|
|
|
*/
|
wait: introduce EXIT_TRACE to avoid the racy EXIT_DEAD->EXIT_ZOMBIE transition
wait_task_zombie() first does EXIT_ZOMBIE->EXIT_DEAD transition and
drops tasklist_lock. If this task is not the natural child and it is
traced, we change its state back to EXIT_ZOMBIE for ->real_parent.
The last transition is racy, this is even documented in 50b8d257486a
"ptrace: partially fix the do_wait(WEXITED) vs EXIT_DEAD->EXIT_ZOMBIE
race". wait_consider_task() tries to detect this transition and clear
->notask_error but we can't rely on ptrace_reparented(), debugger can
exit and do ptrace_unlink() before its sub-thread sets EXIT_ZOMBIE.
And there is another problem which were missed before: this transition
can also race with reparent_leader() which doesn't reset >exit_signal if
EXIT_DEAD, assuming that this task must be reaped by someone else. So
the tracee can be re-parented with ->exit_signal != SIGCHLD, and if
/sbin/init doesn't use __WALL it becomes unreapable. This was fixed by
the previous commit, but it was the temporary hack.
1. Add the new exit_state, EXIT_TRACE. It means that the task is the
traced zombie, debugger is going to detach and notify its natural
parent.
This new state is actually EXIT_ZOMBIE | EXIT_DEAD. This way we
can avoid the changes in proc/kgdb code, get_task_state() still
reports "X (dead)" in this case.
Note: with or without this change userspace can see Z -> X -> Z
transition. Not really bad, but probably makes sense to fix.
2. Change wait_task_zombie() to use EXIT_TRACE instead of EXIT_DEAD
if we need to notify the ->real_parent.
3. Revert the previous hack in reparent_leader(), now that EXIT_DEAD
is always the final state we can safely ignore such a task.
4. Change wait_consider_task() to check EXIT_TRACE separately and kill
the racy and no longer needed ptrace_reparented() case.
If ptrace == T an EXIT_TRACE thread should be simply ignored, the
owner of this state is going to ptrace_unlink() this task. We can
pretend that it was already removed from ->ptraced list.
Otherwise we should skip this thread too but clear ->notask_error,
we must be the natural parent and debugger is going to untrace and
notify us. IOW, this doesn't differ from "EXIT_ZOMBIE && p->ptrace"
even if the task was already untraced.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Reported-by: Jan Kratochvil <jan.kratochvil@redhat.com>
Reported-by: Michal Schmidt <mschmidt@redhat.com>
Tested-by: Michal Schmidt <mschmidt@redhat.com>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Lennart Poettering <lpoetter@redhat.com>
Cc: Roland McGrath <roland@hack.frob.com>
Cc: Tejun Heo <tj@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-04-07 22:38:42 +00:00
|
|
|
if (likely(!ptrace))
|
ptrace: partially fix the do_wait(WEXITED) vs EXIT_DEAD->EXIT_ZOMBIE race
Test-case:
int main(void)
{
int pid, status;
pid = fork();
if (!pid) {
for (;;) {
if (!fork())
return 0;
if (waitpid(-1, &status, 0) < 0) {
printf("ERR!! wait: %m\n");
return 0;
}
}
}
assert(ptrace(PTRACE_ATTACH, pid, 0,0) == 0);
assert(waitpid(-1, NULL, 0) == pid);
assert(ptrace(PTRACE_SETOPTIONS, pid, 0,
PTRACE_O_TRACEFORK) == 0);
do {
ptrace(PTRACE_CONT, pid, 0, 0);
pid = waitpid(-1, NULL, 0);
} while (pid > 0);
return 1;
}
It fails because ->real_parent sees its child in EXIT_DEAD state
while the tracer is going to change the state back to EXIT_ZOMBIE
in wait_task_zombie().
The offending commit is 823b018e which moved the EXIT_DEAD check,
but in fact we should not blame it. The original code was not
correct as well because it didn't take ptrace_reparented() into
account and because we can't really trust ->ptrace.
This patch adds the additional check to close this particular
race but it doesn't solve the whole problem. We simply can't
rely on ->ptrace in this case, it can be cleared if the tracer
is multithreaded by the exiting ->parent.
I think we should kill EXIT_DEAD altogether, we should always
remove the soon-to-be-reaped child from ->children or at least
we should never do the DEAD->ZOMBIE transition. But this is too
complex for 3.2.
Reported-and-tested-by: Denys Vlasenko <vda.linux@googlemail.com>
Tested-by: Lukasz Michalik <lmi@ift.uni.wroc.pl>
Acked-by: Tejun Heo <tj@kernel.org>
Cc: <stable@kernel.org> [3.0+]
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-01-04 16:29:02 +00:00
|
|
|
wo->notask_error = 0;
|
2011-03-23 09:37:01 +00:00
|
|
|
return 0;
|
ptrace: partially fix the do_wait(WEXITED) vs EXIT_DEAD->EXIT_ZOMBIE race
Test-case:
int main(void)
{
int pid, status;
pid = fork();
if (!pid) {
for (;;) {
if (!fork())
return 0;
if (waitpid(-1, &status, 0) < 0) {
printf("ERR!! wait: %m\n");
return 0;
}
}
}
assert(ptrace(PTRACE_ATTACH, pid, 0,0) == 0);
assert(waitpid(-1, NULL, 0) == pid);
assert(ptrace(PTRACE_SETOPTIONS, pid, 0,
PTRACE_O_TRACEFORK) == 0);
do {
ptrace(PTRACE_CONT, pid, 0, 0);
pid = waitpid(-1, NULL, 0);
} while (pid > 0);
return 1;
}
It fails because ->real_parent sees its child in EXIT_DEAD state
while the tracer is going to change the state back to EXIT_ZOMBIE
in wait_task_zombie().
The offending commit is 823b018e which moved the EXIT_DEAD check,
but in fact we should not blame it. The original code was not
correct as well because it didn't take ptrace_reparented() into
account and because we can't really trust ->ptrace.
This patch adds the additional check to close this particular
race but it doesn't solve the whole problem. We simply can't
rely on ->ptrace in this case, it can be cleared if the tracer
is multithreaded by the exiting ->parent.
I think we should kill EXIT_DEAD altogether, we should always
remove the soon-to-be-reaped child from ->children or at least
we should never do the DEAD->ZOMBIE transition. But this is too
complex for 3.2.
Reported-and-tested-by: Denys Vlasenko <vda.linux@googlemail.com>
Tested-by: Lukasz Michalik <lmi@ift.uni.wroc.pl>
Acked-by: Tejun Heo <tj@kernel.org>
Cc: <stable@kernel.org> [3.0+]
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-01-04 16:29:02 +00:00
|
|
|
}
|
2011-03-23 09:37:01 +00:00
|
|
|
|
wait: WSTOPPED|WCONTINUED hangs if a zombie child is traced by real_parent
"A zombie is only visible to its ptracer" logic in wait_consider_task()
is very wrong. Trivial test-case:
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <assert.h>
int main(void)
{
int child = fork();
if (!child) {
assert(ptrace(PTRACE_TRACEME, 0,0,0) == 0);
return 0x23;
}
assert(waitid(P_ALL, child, NULL, WEXITED | WNOWAIT) == 0);
assert(waitid(P_ALL, 0, NULL, WSTOPPED) == -1);
return 0;
}
it hangs in waitpid(WSTOPPED) despite the fact it has a single zombie
child. This is because wait_consider_task(ptrace => 0) sees p->ptrace and
cleares ->notask_error assuming that the debugger should detach and notify
us.
Change wait_consider_task(ptrace => 0) to pretend that ptrace == T if the
child is traced by us. This really simplifies the logic and allows us to
do more fixes, see the next changes. This also hides the unwanted group
stop state automatically, we can remove another ptrace_reparented() check.
Unfortunately, this adds the following behavioural changes:
1. Before this patch wait(WEXITED | __WNOTHREAD) does not reap
a natural child if it is traced by the caller's sub-thread.
Hopefully nobody will ever notice this change, and I think
that nobody should rely on this behaviour anyway.
2. SIGNAL_STOP_CONTINUED is no longer hidden from debugger if
it is real parent.
While this change comes as a side effect, I think it is good
by itself. The group continued state can not be consumed by
another process in this case, it doesn't depend on ptrace,
it doesn't make sense to hide it from real parent.
Perhaps we should add the thread_group_leader() check before
wait_task_continued()? May be, but this shouldn't depend on
ptrace_reparented().
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Jan Kratochvil <jan.kratochvil@redhat.com>
Cc: Lennart Poettering <lpoetter@redhat.com>
Cc: Michal Schmidt <mschmidt@redhat.com>
Cc: Roland McGrath <roland@hack.frob.com>
Cc: Tejun Heo <tj@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-04-07 22:38:47 +00:00
|
|
|
if (likely(!ptrace) && unlikely(p->ptrace)) {
|
|
|
|
/*
|
|
|
|
* If it is traced by its real parent's group, just pretend
|
|
|
|
* the caller is ptrace_do_wait() and reap this child if it
|
|
|
|
* is zombie.
|
|
|
|
*
|
|
|
|
* This also hides group stop state from real parent; otherwise
|
|
|
|
* a single stop can be reported twice as group and ptrace stop.
|
|
|
|
* If a ptracer wants to distinguish these two events for its
|
|
|
|
* own children it should create a separate process which takes
|
|
|
|
* the role of real parent.
|
|
|
|
*/
|
|
|
|
if (!ptrace_reparented(p))
|
|
|
|
ptrace = 1;
|
|
|
|
}
|
|
|
|
|
job control: Allow access to job control events through ptracees
Currently a real parent can't access job control stopped/continued
events through a ptraced child. This utterly breaks job control when
the children are ptraced.
For example, if a program is run from an interactive shell and then
strace(1) attaches to it, pressing ^Z would send SIGTSTP and strace(1)
would notice it but the shell has no way to tell whether the child
entered job control stop and thus can't tell when to take over the
terminal - leading to awkward lone ^Z on the terminal.
Because the job control and ptrace stopped states are independent,
there is no reason to prevent real parents from accessing the stopped
state regardless of ptrace. The continued state isn't separate but
ptracers don't have any use for them as ptracees can never resume
without explicit command from their ptracers, so as long as ptracers
don't consume it, it should be fine.
Although this is a behavior change, because the previous behavior is
utterly broken when viewed from real parents and the change is only
visible to real parents, I don't think it's necessary to make this
behavior optional.
One situation to be careful about is when a task from the real
parent's group is ptracing. The parent group is the recipient of both
ptrace and job control stop events and one stop can be reported as
both job control and ptrace stops. As this can break the current
ptrace users, suppress job control stopped events for these cases.
If a real parent ptracer wants to know about both job control and
ptrace stops, it can create a separate process to serve the role of
real parent.
Note that this only updates wait(2) side of things. The real parent
can access the states via wait(2) but still is not properly notified
(woken up and delivered signal). Test case polls wait(2) with WNOHANG
to work around. Notification will be updated by future patches.
Test case follows.
#include <stdio.h>
#include <unistd.h>
#include <time.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
int main(void)
{
const struct timespec ts100ms = { .tv_nsec = 100000000 };
pid_t tracee, tracer;
siginfo_t si;
int i;
tracee = fork();
if (tracee == 0) {
while (1) {
printf("tracee: SIGSTOP\n");
raise(SIGSTOP);
nanosleep(&ts100ms, NULL);
printf("tracee: SIGCONT\n");
raise(SIGCONT);
nanosleep(&ts100ms, NULL);
}
}
waitid(P_PID, tracee, &si, WSTOPPED | WNOHANG | WNOWAIT);
tracer = fork();
if (tracer == 0) {
nanosleep(&ts100ms, NULL);
ptrace(PTRACE_ATTACH, tracee, NULL, NULL);
for (i = 0; i < 11; i++) {
si.si_pid = 0;
waitid(P_PID, tracee, &si, WSTOPPED);
if (si.si_pid && si.si_code == CLD_TRAPPED)
ptrace(PTRACE_CONT, tracee, NULL,
(void *)(long)si.si_status);
}
printf("tracer: EXITING\n");
return 0;
}
while (1) {
si.si_pid = 0;
waitid(P_PID, tracee, &si,
WSTOPPED | WCONTINUED | WEXITED | WNOHANG);
if (si.si_pid)
printf("mommy : WAIT status=%02d code=%02d\n",
si.si_status, si.si_code);
nanosleep(&ts100ms, NULL);
}
return 0;
}
Before the patch, while ptraced, the parent can't see any job control
events.
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
tracee: SIGSTOP
tracee: SIGCONT
tracee: SIGSTOP
tracee: SIGCONT
tracee: SIGSTOP
tracer: EXITING
mommy : WAIT status=19 code=05
^C
After the patch,
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
mommy : WAIT status=18 code=06
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
mommy : WAIT status=18 code=06
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
mommy : WAIT status=18 code=06
tracee: SIGSTOP
tracer: EXITING
mommy : WAIT status=19 code=05
^C
-v2: Oleg pointed out that wait(2) should be suppressed for the real
parent's group instead of only the real parent task itself.
Updated accordingly.
Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
2011-03-23 09:37:01 +00:00
|
|
|
/* slay zombie? */
|
2015-01-08 22:32:12 +00:00
|
|
|
if (exit_state == EXIT_ZOMBIE) {
|
job control: Fix ptracer wait(2) hang and explain notask_error clearing
wait(2) and friends allow access to stopped/continued states through
zombies, which is required as the states are process-wide and should
be accessible whether the leader task is alive or undead.
wait_consider_task() implements this by always clearing notask_error
and going through wait_task_stopped/continued() for unreaped zombies.
However, while ptraced, the stopped state is per-task and as such if
the ptracee became a zombie, there's no further stopped event to
listen to and wait(2) and friends should return -ECHILD on the tracee.
Fix it by clearing notask_error only if WCONTINUED | WEXITED is set
for ptraced zombies. While at it, document why clearing notask_error
is safe for each case.
Test case follows.
#include <stdio.h>
#include <unistd.h>
#include <pthread.h>
#include <time.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
static void *nooper(void *arg)
{
pause();
return NULL;
}
int main(void)
{
const struct timespec ts1s = { .tv_sec = 1 };
pid_t tracee, tracer;
siginfo_t si;
tracee = fork();
if (tracee == 0) {
pthread_t thr;
pthread_create(&thr, NULL, nooper, NULL);
nanosleep(&ts1s, NULL);
printf("tracee exiting\n");
pthread_exit(NULL); /* let subthread run */
}
tracer = fork();
if (tracer == 0) {
ptrace(PTRACE_ATTACH, tracee, NULL, NULL);
while (1) {
if (waitid(P_PID, tracee, &si, WSTOPPED) < 0) {
perror("waitid");
break;
}
ptrace(PTRACE_CONT, tracee, NULL,
(void *)(long)si.si_status);
}
return 0;
}
waitid(P_PID, tracer, &si, WEXITED);
kill(tracee, SIGKILL);
return 0;
}
Before the patch, after the tracee becomes a zombie, the tracer's
waitid(WSTOPPED) never returns and the program doesn't terminate.
tracee exiting
^C
After the patch, tracee exiting triggers waitid() to fail.
tracee exiting
waitid: No child processes
-v2: Oleg pointed out that exited in addition to continued can happen
for ptraced dead group leader. Clear notask_error for ptraced
child on WEXITED too.
Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
2011-03-23 09:37:01 +00:00
|
|
|
/* we don't reap group leaders with subthreads */
|
wait: WSTOPPED|WCONTINUED doesn't work if a zombie leader is traced by another process
Even if the main thread is dead the process still can stop/continue.
However, if the leader is ptraced wait_consider_task(ptrace => false)
always skips wait_task_stopped/wait_task_continued, so WSTOPPED or
WCONTINUED can never work for the natural parent in this case.
Move the "A zombie ptracee is only visible to its ptracer" check into the
"if (!delay_group_leader(p))" block. ->notask_error is cleared by the
"fall through" code below.
This depends on the previous change, wait_task_stopped/continued must be
avoided if !delay_group_leader() and the tracer is ->real_parent.
Otherwise WSTOPPED|WEXITED could wrongly report "stopped" when the child
is already dead (single-threaded or not). If it is traced by another task
then the "stopped" state is fine until the debugger detaches and reveals a
zombie state.
Stupid test-case:
void *tfunc(void *arg)
{
sleep(1); // wait for zombie leader
raise(SIGSTOP);
exit(0x13);
return NULL;
}
int run_child(void)
{
pthread_t thread;
if (!fork()) {
int tracee = getppid();
assert(ptrace(PTRACE_ATTACH, tracee, 0,0) == 0);
do
ptrace(PTRACE_CONT, tracee, 0,0);
while (wait(NULL) > 0);
return 0;
}
sleep(1); // wait for PTRACE_ATTACH
assert(pthread_create(&thread, NULL, tfunc, NULL) == 0);
pthread_exit(NULL);
}
int main(void)
{
int child, stat;
child = fork();
if (!child)
return run_child();
assert(child == waitpid(-1, &stat, WSTOPPED));
assert(stat == 0x137f);
kill(child, SIGCONT);
assert(child == waitpid(-1, &stat, WCONTINUED));
assert(stat == 0xffff);
assert(child == waitpid(-1, &stat, 0));
assert(stat == 0x1300);
return 0;
}
Without this patch it hangs in waitpid(WSTOPPED), wait_task_stopped() is
never called.
Note: this doesn't fix all problems with a zombie delay_group_leader(),
WCONTINUED | WEXITED check is not exactly right. debugger can't assume it
will be notified if another thread reaps the whole thread group.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Jan Kratochvil <jan.kratochvil@redhat.com>
Cc: Lennart Poettering <lpoetter@redhat.com>
Cc: Michal Schmidt <mschmidt@redhat.com>
Cc: Roland McGrath <roland@hack.frob.com>
Cc: Tejun Heo <tj@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-04-07 22:38:49 +00:00
|
|
|
if (!delay_group_leader(p)) {
|
|
|
|
/*
|
|
|
|
* A zombie ptracee is only visible to its ptracer.
|
|
|
|
* Notification and reaping will be cascaded to the
|
|
|
|
* real parent when the ptracer detaches.
|
|
|
|
*/
|
|
|
|
if (unlikely(ptrace) || likely(!p->ptrace))
|
|
|
|
return wait_task_zombie(wo, p);
|
|
|
|
}
|
2008-03-20 02:24:59 +00:00
|
|
|
|
2008-03-25 01:36:23 +00:00
|
|
|
/*
|
job control: Fix ptracer wait(2) hang and explain notask_error clearing
wait(2) and friends allow access to stopped/continued states through
zombies, which is required as the states are process-wide and should
be accessible whether the leader task is alive or undead.
wait_consider_task() implements this by always clearing notask_error
and going through wait_task_stopped/continued() for unreaped zombies.
However, while ptraced, the stopped state is per-task and as such if
the ptracee became a zombie, there's no further stopped event to
listen to and wait(2) and friends should return -ECHILD on the tracee.
Fix it by clearing notask_error only if WCONTINUED | WEXITED is set
for ptraced zombies. While at it, document why clearing notask_error
is safe for each case.
Test case follows.
#include <stdio.h>
#include <unistd.h>
#include <pthread.h>
#include <time.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
static void *nooper(void *arg)
{
pause();
return NULL;
}
int main(void)
{
const struct timespec ts1s = { .tv_sec = 1 };
pid_t tracee, tracer;
siginfo_t si;
tracee = fork();
if (tracee == 0) {
pthread_t thr;
pthread_create(&thr, NULL, nooper, NULL);
nanosleep(&ts1s, NULL);
printf("tracee exiting\n");
pthread_exit(NULL); /* let subthread run */
}
tracer = fork();
if (tracer == 0) {
ptrace(PTRACE_ATTACH, tracee, NULL, NULL);
while (1) {
if (waitid(P_PID, tracee, &si, WSTOPPED) < 0) {
perror("waitid");
break;
}
ptrace(PTRACE_CONT, tracee, NULL,
(void *)(long)si.si_status);
}
return 0;
}
waitid(P_PID, tracer, &si, WEXITED);
kill(tracee, SIGKILL);
return 0;
}
Before the patch, after the tracee becomes a zombie, the tracer's
waitid(WSTOPPED) never returns and the program doesn't terminate.
tracee exiting
^C
After the patch, tracee exiting triggers waitid() to fail.
tracee exiting
waitid: No child processes
-v2: Oleg pointed out that exited in addition to continued can happen
for ptraced dead group leader. Clear notask_error for ptraced
child on WEXITED too.
Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
2011-03-23 09:37:01 +00:00
|
|
|
* Allow access to stopped/continued state via zombie by
|
|
|
|
* falling through. Clearing of notask_error is complex.
|
|
|
|
*
|
|
|
|
* When !@ptrace:
|
|
|
|
*
|
|
|
|
* If WEXITED is set, notask_error should naturally be
|
|
|
|
* cleared. If not, subset of WSTOPPED|WCONTINUED is set,
|
|
|
|
* so, if there are live subthreads, there are events to
|
|
|
|
* wait for. If all subthreads are dead, it's still safe
|
|
|
|
* to clear - this function will be called again in finite
|
|
|
|
* amount time once all the subthreads are released and
|
|
|
|
* will then return without clearing.
|
|
|
|
*
|
|
|
|
* When @ptrace:
|
|
|
|
*
|
|
|
|
* Stopped state is per-task and thus can't change once the
|
|
|
|
* target task dies. Only continued and exited can happen.
|
|
|
|
* Clear notask_error if WCONTINUED | WEXITED.
|
|
|
|
*/
|
|
|
|
if (likely(!ptrace) || (wo->wo_flags & (WCONTINUED | WEXITED)))
|
|
|
|
wo->notask_error = 0;
|
|
|
|
} else {
|
|
|
|
/*
|
|
|
|
* @p is alive and it's gonna stop, continue or exit, so
|
|
|
|
* there always is something to wait for.
|
2008-03-25 01:36:23 +00:00
|
|
|
*/
|
2009-06-17 23:27:39 +00:00
|
|
|
wo->notask_error = 0;
|
2008-03-25 01:36:23 +00:00
|
|
|
}
|
|
|
|
|
2008-03-20 02:24:59 +00:00
|
|
|
/*
|
job control: Allow access to job control events through ptracees
Currently a real parent can't access job control stopped/continued
events through a ptraced child. This utterly breaks job control when
the children are ptraced.
For example, if a program is run from an interactive shell and then
strace(1) attaches to it, pressing ^Z would send SIGTSTP and strace(1)
would notice it but the shell has no way to tell whether the child
entered job control stop and thus can't tell when to take over the
terminal - leading to awkward lone ^Z on the terminal.
Because the job control and ptrace stopped states are independent,
there is no reason to prevent real parents from accessing the stopped
state regardless of ptrace. The continued state isn't separate but
ptracers don't have any use for them as ptracees can never resume
without explicit command from their ptracers, so as long as ptracers
don't consume it, it should be fine.
Although this is a behavior change, because the previous behavior is
utterly broken when viewed from real parents and the change is only
visible to real parents, I don't think it's necessary to make this
behavior optional.
One situation to be careful about is when a task from the real
parent's group is ptracing. The parent group is the recipient of both
ptrace and job control stop events and one stop can be reported as
both job control and ptrace stops. As this can break the current
ptrace users, suppress job control stopped events for these cases.
If a real parent ptracer wants to know about both job control and
ptrace stops, it can create a separate process to serve the role of
real parent.
Note that this only updates wait(2) side of things. The real parent
can access the states via wait(2) but still is not properly notified
(woken up and delivered signal). Test case polls wait(2) with WNOHANG
to work around. Notification will be updated by future patches.
Test case follows.
#include <stdio.h>
#include <unistd.h>
#include <time.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
int main(void)
{
const struct timespec ts100ms = { .tv_nsec = 100000000 };
pid_t tracee, tracer;
siginfo_t si;
int i;
tracee = fork();
if (tracee == 0) {
while (1) {
printf("tracee: SIGSTOP\n");
raise(SIGSTOP);
nanosleep(&ts100ms, NULL);
printf("tracee: SIGCONT\n");
raise(SIGCONT);
nanosleep(&ts100ms, NULL);
}
}
waitid(P_PID, tracee, &si, WSTOPPED | WNOHANG | WNOWAIT);
tracer = fork();
if (tracer == 0) {
nanosleep(&ts100ms, NULL);
ptrace(PTRACE_ATTACH, tracee, NULL, NULL);
for (i = 0; i < 11; i++) {
si.si_pid = 0;
waitid(P_PID, tracee, &si, WSTOPPED);
if (si.si_pid && si.si_code == CLD_TRAPPED)
ptrace(PTRACE_CONT, tracee, NULL,
(void *)(long)si.si_status);
}
printf("tracer: EXITING\n");
return 0;
}
while (1) {
si.si_pid = 0;
waitid(P_PID, tracee, &si,
WSTOPPED | WCONTINUED | WEXITED | WNOHANG);
if (si.si_pid)
printf("mommy : WAIT status=%02d code=%02d\n",
si.si_status, si.si_code);
nanosleep(&ts100ms, NULL);
}
return 0;
}
Before the patch, while ptraced, the parent can't see any job control
events.
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
tracee: SIGSTOP
tracee: SIGCONT
tracee: SIGSTOP
tracee: SIGCONT
tracee: SIGSTOP
tracer: EXITING
mommy : WAIT status=19 code=05
^C
After the patch,
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
mommy : WAIT status=18 code=06
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
mommy : WAIT status=18 code=06
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
mommy : WAIT status=18 code=06
tracee: SIGSTOP
tracer: EXITING
mommy : WAIT status=19 code=05
^C
-v2: Oleg pointed out that wait(2) should be suppressed for the real
parent's group instead of only the real parent task itself.
Updated accordingly.
Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
2011-03-23 09:37:01 +00:00
|
|
|
* Wait for stopped. Depending on @ptrace, different stopped state
|
|
|
|
* is used and the two don't interact with each other.
|
2008-03-20 02:24:59 +00:00
|
|
|
*/
|
2011-05-12 08:47:23 +00:00
|
|
|
ret = wait_task_stopped(wo, ptrace, p);
|
|
|
|
if (ret)
|
|
|
|
return ret;
|
2008-03-20 02:24:59 +00:00
|
|
|
|
|
|
|
/*
|
job control: Allow access to job control events through ptracees
Currently a real parent can't access job control stopped/continued
events through a ptraced child. This utterly breaks job control when
the children are ptraced.
For example, if a program is run from an interactive shell and then
strace(1) attaches to it, pressing ^Z would send SIGTSTP and strace(1)
would notice it but the shell has no way to tell whether the child
entered job control stop and thus can't tell when to take over the
terminal - leading to awkward lone ^Z on the terminal.
Because the job control and ptrace stopped states are independent,
there is no reason to prevent real parents from accessing the stopped
state regardless of ptrace. The continued state isn't separate but
ptracers don't have any use for them as ptracees can never resume
without explicit command from their ptracers, so as long as ptracers
don't consume it, it should be fine.
Although this is a behavior change, because the previous behavior is
utterly broken when viewed from real parents and the change is only
visible to real parents, I don't think it's necessary to make this
behavior optional.
One situation to be careful about is when a task from the real
parent's group is ptracing. The parent group is the recipient of both
ptrace and job control stop events and one stop can be reported as
both job control and ptrace stops. As this can break the current
ptrace users, suppress job control stopped events for these cases.
If a real parent ptracer wants to know about both job control and
ptrace stops, it can create a separate process to serve the role of
real parent.
Note that this only updates wait(2) side of things. The real parent
can access the states via wait(2) but still is not properly notified
(woken up and delivered signal). Test case polls wait(2) with WNOHANG
to work around. Notification will be updated by future patches.
Test case follows.
#include <stdio.h>
#include <unistd.h>
#include <time.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
int main(void)
{
const struct timespec ts100ms = { .tv_nsec = 100000000 };
pid_t tracee, tracer;
siginfo_t si;
int i;
tracee = fork();
if (tracee == 0) {
while (1) {
printf("tracee: SIGSTOP\n");
raise(SIGSTOP);
nanosleep(&ts100ms, NULL);
printf("tracee: SIGCONT\n");
raise(SIGCONT);
nanosleep(&ts100ms, NULL);
}
}
waitid(P_PID, tracee, &si, WSTOPPED | WNOHANG | WNOWAIT);
tracer = fork();
if (tracer == 0) {
nanosleep(&ts100ms, NULL);
ptrace(PTRACE_ATTACH, tracee, NULL, NULL);
for (i = 0; i < 11; i++) {
si.si_pid = 0;
waitid(P_PID, tracee, &si, WSTOPPED);
if (si.si_pid && si.si_code == CLD_TRAPPED)
ptrace(PTRACE_CONT, tracee, NULL,
(void *)(long)si.si_status);
}
printf("tracer: EXITING\n");
return 0;
}
while (1) {
si.si_pid = 0;
waitid(P_PID, tracee, &si,
WSTOPPED | WCONTINUED | WEXITED | WNOHANG);
if (si.si_pid)
printf("mommy : WAIT status=%02d code=%02d\n",
si.si_status, si.si_code);
nanosleep(&ts100ms, NULL);
}
return 0;
}
Before the patch, while ptraced, the parent can't see any job control
events.
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
tracee: SIGSTOP
tracee: SIGCONT
tracee: SIGSTOP
tracee: SIGCONT
tracee: SIGSTOP
tracer: EXITING
mommy : WAIT status=19 code=05
^C
After the patch,
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
mommy : WAIT status=18 code=06
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
mommy : WAIT status=18 code=06
tracee: SIGSTOP
mommy : WAIT status=19 code=05
tracee: SIGCONT
mommy : WAIT status=18 code=06
tracee: SIGSTOP
tracer: EXITING
mommy : WAIT status=19 code=05
^C
-v2: Oleg pointed out that wait(2) should be suppressed for the real
parent's group instead of only the real parent task itself.
Updated accordingly.
Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: Oleg Nesterov <oleg@redhat.com>
2011-03-23 09:37:01 +00:00
|
|
|
* Wait for continued. There's only one continued state and the
|
|
|
|
* ptracer can consume it which can confuse the real parent. Don't
|
|
|
|
* use WCONTINUED from ptracer. You don't need or want it.
|
2008-03-20 02:24:59 +00:00
|
|
|
*/
|
2009-06-17 23:27:39 +00:00
|
|
|
return wait_task_continued(wo, p);
|
2008-03-20 02:24:59 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Do the work of do_wait() for one thread in the group, @tsk.
|
|
|
|
*
|
2009-06-17 23:27:39 +00:00
|
|
|
* -ECHILD should be in ->notask_error before the first call.
|
2008-03-20 02:24:59 +00:00
|
|
|
* Returns nonzero for a final return, when we have unlocked tasklist_lock.
|
|
|
|
* Returns zero if the search for a child should continue; then
|
2009-06-17 23:27:39 +00:00
|
|
|
* ->notask_error is 0 if there were any eligible children,
|
2017-01-10 17:28:32 +00:00
|
|
|
* or still -ECHILD.
|
2008-03-20 02:24:59 +00:00
|
|
|
*/
|
2009-06-17 23:27:39 +00:00
|
|
|
static int do_wait_thread(struct wait_opts *wo, struct task_struct *tsk)
|
2008-03-20 02:24:59 +00:00
|
|
|
{
|
|
|
|
struct task_struct *p;
|
|
|
|
|
|
|
|
list_for_each_entry(p, &tsk->children, sibling) {
|
2009-12-17 23:27:15 +00:00
|
|
|
int ret = wait_consider_task(wo, 0, p);
|
2014-08-08 21:21:18 +00:00
|
|
|
|
2009-12-17 23:27:15 +00:00
|
|
|
if (ret)
|
|
|
|
return ret;
|
2008-03-20 02:24:59 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2009-06-17 23:27:39 +00:00
|
|
|
static int ptrace_do_wait(struct wait_opts *wo, struct task_struct *tsk)
|
2008-03-20 02:24:59 +00:00
|
|
|
{
|
|
|
|
struct task_struct *p;
|
|
|
|
|
2008-03-25 01:36:23 +00:00
|
|
|
list_for_each_entry(p, &tsk->ptraced, ptrace_entry) {
|
2009-09-23 22:56:50 +00:00
|
|
|
int ret = wait_consider_task(wo, 1, p);
|
2014-08-08 21:21:18 +00:00
|
|
|
|
2008-03-25 01:36:23 +00:00
|
|
|
if (ret)
|
2008-03-20 02:24:59 +00:00
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2023-07-11 16:40:31 +00:00
|
|
|
bool pid_child_should_wake(struct wait_opts *wo, struct task_struct *p)
|
2023-07-11 16:31:10 +00:00
|
|
|
{
|
|
|
|
if (!eligible_pid(wo, p))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if ((wo->wo_flags & __WNOTHREAD) && wo->child_wait.private != p->parent)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2017-06-20 10:06:13 +00:00
|
|
|
static int child_wait_callback(wait_queue_entry_t *wait, unsigned mode,
|
2009-09-23 22:56:46 +00:00
|
|
|
int sync, void *key)
|
|
|
|
{
|
|
|
|
struct wait_opts *wo = container_of(wait, struct wait_opts,
|
|
|
|
child_wait);
|
|
|
|
struct task_struct *p = key;
|
|
|
|
|
2023-07-11 16:31:10 +00:00
|
|
|
if (pid_child_should_wake(wo, p))
|
|
|
|
return default_wake_function(wait, mode, sync, key);
|
2009-09-23 22:56:46 +00:00
|
|
|
|
2023-07-11 16:31:10 +00:00
|
|
|
return 0;
|
2009-09-23 22:56:46 +00:00
|
|
|
}
|
|
|
|
|
ptrace: __ptrace_detach: do __wake_up_parent() if we reap the tracee
The bug is old, it wasn't cause by recent changes.
Test case:
static void *tfunc(void *arg)
{
int pid = (long)arg;
assert(ptrace(PTRACE_ATTACH, pid, NULL, NULL) == 0);
kill(pid, SIGKILL);
sleep(1);
return NULL;
}
int main(void)
{
pthread_t th;
long pid = fork();
if (!pid)
pause();
signal(SIGCHLD, SIG_IGN);
assert(pthread_create(&th, NULL, tfunc, (void*)pid) == 0);
int r = waitpid(-1, NULL, __WNOTHREAD);
printf("waitpid: %d %m\n", r);
return 0;
}
Before the patch this program hangs, after this patch waitpid() correctly
fails with errno == -ECHILD.
The problem is, __ptrace_detach() reaps the EXIT_ZOMBIE tracee if its
->real_parent is our sub-thread and we ignore SIGCHLD. But in this case
we should wake up other threads which can sleep in do_wait().
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Cc: Roland McGrath <roland@redhat.com>
Cc: Vitaly Mayatskikh <vmayatsk@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-09-23 22:56:44 +00:00
|
|
|
void __wake_up_parent(struct task_struct *p, struct task_struct *parent)
|
|
|
|
{
|
2009-09-23 22:56:46 +00:00
|
|
|
__wake_up_sync_key(&parent->signal->wait_chldexit,
|
2019-10-16 14:13:41 +00:00
|
|
|
TASK_INTERRUPTIBLE, p);
|
ptrace: __ptrace_detach: do __wake_up_parent() if we reap the tracee
The bug is old, it wasn't cause by recent changes.
Test case:
static void *tfunc(void *arg)
{
int pid = (long)arg;
assert(ptrace(PTRACE_ATTACH, pid, NULL, NULL) == 0);
kill(pid, SIGKILL);
sleep(1);
return NULL;
}
int main(void)
{
pthread_t th;
long pid = fork();
if (!pid)
pause();
signal(SIGCHLD, SIG_IGN);
assert(pthread_create(&th, NULL, tfunc, (void*)pid) == 0);
int r = waitpid(-1, NULL, __WNOTHREAD);
printf("waitpid: %d %m\n", r);
return 0;
}
Before the patch this program hangs, after this patch waitpid() correctly
fails with errno == -ECHILD.
The problem is, __ptrace_detach() reaps the EXIT_ZOMBIE tracee if its
->real_parent is our sub-thread and we ignore SIGCHLD. But in this case
we should wake up other threads which can sleep in do_wait().
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Cc: Roland McGrath <roland@redhat.com>
Cc: Vitaly Mayatskikh <vmayatsk@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-09-23 22:56:44 +00:00
|
|
|
}
|
|
|
|
|
2021-05-07 01:04:22 +00:00
|
|
|
static bool is_effectively_child(struct wait_opts *wo, bool ptrace,
|
|
|
|
struct task_struct *target)
|
|
|
|
{
|
|
|
|
struct task_struct *parent =
|
|
|
|
!ptrace ? target->real_parent : target->parent;
|
|
|
|
|
|
|
|
return current == parent || (!(wo->wo_flags & __WNOTHREAD) &&
|
|
|
|
same_thread_group(current, parent));
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Optimization for waiting on PIDTYPE_PID. No need to iterate through child
|
|
|
|
* and tracee lists to find the target task.
|
|
|
|
*/
|
|
|
|
static int do_wait_pid(struct wait_opts *wo)
|
|
|
|
{
|
|
|
|
bool ptrace;
|
|
|
|
struct task_struct *target;
|
|
|
|
int retval;
|
|
|
|
|
|
|
|
ptrace = false;
|
|
|
|
target = pid_task(wo->wo_pid, PIDTYPE_TGID);
|
|
|
|
if (target && is_effectively_child(wo, ptrace, target)) {
|
|
|
|
retval = wait_consider_task(wo, ptrace, target);
|
|
|
|
if (retval)
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
|
|
|
ptrace = true;
|
|
|
|
target = pid_task(wo->wo_pid, PIDTYPE_PID);
|
|
|
|
if (target && target->ptrace &&
|
|
|
|
is_effectively_child(wo, ptrace, target)) {
|
|
|
|
retval = wait_consider_task(wo, ptrace, target);
|
|
|
|
if (retval)
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2023-07-11 16:40:31 +00:00
|
|
|
long __do_wait(struct wait_opts *wo)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2023-07-11 16:34:37 +00:00
|
|
|
long retval;
|
tracing, sched: LTTng instrumentation - scheduler
Instrument the scheduler activity (sched_switch, migration, wakeups,
wait for a task, signal delivery) and process/thread
creation/destruction (fork, exit, kthread stop). Actually, kthread
creation is not instrumented in this patch because it is architecture
dependent. It allows to connect tracers such as ftrace which detects
scheduling latencies, good/bad scheduler decisions. Tools like LTTng can
export this scheduler information along with instrumentation of the rest
of the kernel activity to perform post-mortem analysis on the scheduler
activity.
About the performance impact of tracepoints (which is comparable to
markers), even without immediate values optimizations, tests done by
Hideo Aoki on ia64 show no regression. His test case was using hackbench
on a kernel where scheduler instrumentation (about 5 events in code
scheduler code) was added. See the "Tracepoints" patch header for
performance result detail.
Changelog :
- Change instrumentation location and parameter to match ftrace
instrumentation, previously done with kernel markers.
[ mingo@elte.hu: conflict resolutions ]
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@polymtl.ca>
Acked-by: 'Peter Zijlstra' <peterz@infradead.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2008-07-18 16:16:17 +00:00
|
|
|
|
2008-03-20 02:24:59 +00:00
|
|
|
/*
|
2015-05-21 20:35:57 +00:00
|
|
|
* If there is nothing that can match our criteria, just get out.
|
2009-06-17 23:27:39 +00:00
|
|
|
* We will clear ->notask_error to zero if we see any child that
|
|
|
|
* might later match our criteria, even if we are not able to reap
|
|
|
|
* it yet.
|
2008-03-20 02:24:59 +00:00
|
|
|
*/
|
2009-06-17 23:27:40 +00:00
|
|
|
wo->notask_error = -ECHILD;
|
2009-06-17 23:27:39 +00:00
|
|
|
if ((wo->wo_type < PIDTYPE_MAX) &&
|
2019-10-17 10:18:31 +00:00
|
|
|
(!wo->wo_pid || !pid_has_task(wo->wo_pid, wo->wo_type)))
|
2009-06-17 23:27:40 +00:00
|
|
|
goto notask;
|
2008-02-08 12:19:14 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
read_lock(&tasklist_lock);
|
2009-06-17 23:27:39 +00:00
|
|
|
|
2021-05-07 01:04:22 +00:00
|
|
|
if (wo->wo_type == PIDTYPE_PID) {
|
|
|
|
retval = do_wait_pid(wo);
|
2009-06-17 23:27:40 +00:00
|
|
|
if (retval)
|
2023-07-11 16:34:37 +00:00
|
|
|
return retval;
|
2021-05-07 01:04:22 +00:00
|
|
|
} else {
|
|
|
|
struct task_struct *tsk = current;
|
|
|
|
|
|
|
|
do {
|
|
|
|
retval = do_wait_thread(wo, tsk);
|
|
|
|
if (retval)
|
2023-07-11 16:34:37 +00:00
|
|
|
return retval;
|
2008-03-20 02:24:59 +00:00
|
|
|
|
2021-05-07 01:04:22 +00:00
|
|
|
retval = ptrace_do_wait(wo, tsk);
|
|
|
|
if (retval)
|
2023-07-11 16:34:37 +00:00
|
|
|
return retval;
|
2021-05-07 01:04:22 +00:00
|
|
|
|
|
|
|
if (wo->wo_flags & __WNOTHREAD)
|
|
|
|
break;
|
|
|
|
} while_each_thread(current, tsk);
|
|
|
|
}
|
2005-04-16 22:20:36 +00:00
|
|
|
read_unlock(&tasklist_lock);
|
2008-02-08 12:19:06 +00:00
|
|
|
|
2009-06-17 23:27:40 +00:00
|
|
|
notask:
|
2009-06-17 23:27:39 +00:00
|
|
|
retval = wo->notask_error;
|
2023-07-11 16:34:37 +00:00
|
|
|
if (!retval && !(wo->wo_flags & WNOHANG))
|
|
|
|
return -ERESTARTSYS;
|
|
|
|
|
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
|
|
|
static long do_wait(struct wait_opts *wo)
|
|
|
|
{
|
|
|
|
int retval;
|
|
|
|
|
|
|
|
trace_sched_process_wait(wo->wo_pid);
|
|
|
|
|
|
|
|
init_waitqueue_func_entry(&wo->child_wait, child_wait_callback);
|
|
|
|
wo->child_wait.private = current;
|
|
|
|
add_wait_queue(¤t->signal->wait_chldexit, &wo->child_wait);
|
|
|
|
|
|
|
|
do {
|
|
|
|
set_current_state(TASK_INTERRUPTIBLE);
|
|
|
|
retval = __do_wait(wo);
|
|
|
|
if (retval != -ERESTARTSYS)
|
|
|
|
break;
|
|
|
|
if (signal_pending(current))
|
|
|
|
break;
|
|
|
|
schedule();
|
|
|
|
} while (1);
|
|
|
|
|
2009-06-17 23:27:42 +00:00
|
|
|
__set_current_state(TASK_RUNNING);
|
2009-09-23 22:56:46 +00:00
|
|
|
remove_wait_queue(¤t->signal->wait_chldexit, &wo->child_wait);
|
2005-04-16 22:20:36 +00:00
|
|
|
return retval;
|
|
|
|
}
|
|
|
|
|
2023-07-11 16:40:31 +00:00
|
|
|
int kernel_waitid_prepare(struct wait_opts *wo, int which, pid_t upid,
|
|
|
|
struct waitid_info *infop, int options,
|
|
|
|
struct rusage *ru)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2023-07-11 16:38:23 +00:00
|
|
|
unsigned int f_flags = 0;
|
2008-02-08 12:19:14 +00:00
|
|
|
struct pid *pid = NULL;
|
|
|
|
enum pid_type type;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2016-05-23 23:23:53 +00:00
|
|
|
if (options & ~(WNOHANG|WNOWAIT|WEXITED|WSTOPPED|WCONTINUED|
|
|
|
|
__WNOTHREAD|__WCLONE|__WALL))
|
2005-04-16 22:20:36 +00:00
|
|
|
return -EINVAL;
|
|
|
|
if (!(options & (WEXITED|WSTOPPED|WCONTINUED)))
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
switch (which) {
|
|
|
|
case P_ALL:
|
2008-02-08 12:19:14 +00:00
|
|
|
type = PIDTYPE_MAX;
|
2005-04-16 22:20:36 +00:00
|
|
|
break;
|
|
|
|
case P_PID:
|
2008-02-08 12:19:14 +00:00
|
|
|
type = PIDTYPE_PID;
|
|
|
|
if (upid <= 0)
|
2005-04-16 22:20:36 +00:00
|
|
|
return -EINVAL;
|
2019-07-27 22:22:29 +00:00
|
|
|
|
|
|
|
pid = find_get_pid(upid);
|
2005-04-16 22:20:36 +00:00
|
|
|
break;
|
|
|
|
case P_PGID:
|
2008-02-08 12:19:14 +00:00
|
|
|
type = PIDTYPE_PGID;
|
2019-07-23 12:44:46 +00:00
|
|
|
if (upid < 0)
|
2005-04-16 22:20:36 +00:00
|
|
|
return -EINVAL;
|
2019-07-27 22:22:29 +00:00
|
|
|
|
2019-07-23 12:44:46 +00:00
|
|
|
if (upid)
|
|
|
|
pid = find_get_pid(upid);
|
|
|
|
else
|
|
|
|
pid = get_task_pid(current, PIDTYPE_PGID);
|
2019-07-27 22:22:29 +00:00
|
|
|
break;
|
|
|
|
case P_PIDFD:
|
|
|
|
type = PIDTYPE_PID;
|
|
|
|
if (upid < 0)
|
2005-04-16 22:20:36 +00:00
|
|
|
return -EINVAL;
|
2019-07-27 22:22:29 +00:00
|
|
|
|
2020-09-02 10:21:28 +00:00
|
|
|
pid = pidfd_get_pid(upid, &f_flags);
|
2019-07-27 22:22:29 +00:00
|
|
|
if (IS_ERR(pid))
|
|
|
|
return PTR_ERR(pid);
|
2020-09-02 10:21:28 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
break;
|
|
|
|
default:
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
|
2023-07-11 16:38:23 +00:00
|
|
|
wo->wo_type = type;
|
|
|
|
wo->wo_pid = pid;
|
|
|
|
wo->wo_flags = options;
|
|
|
|
wo->wo_info = infop;
|
|
|
|
wo->wo_rusage = ru;
|
2020-09-02 10:21:28 +00:00
|
|
|
if (f_flags & O_NONBLOCK)
|
2023-07-11 16:38:23 +00:00
|
|
|
wo->wo_flags |= WNOHANG;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static long kernel_waitid(int which, pid_t upid, struct waitid_info *infop,
|
|
|
|
int options, struct rusage *ru)
|
|
|
|
{
|
|
|
|
struct wait_opts wo;
|
|
|
|
long ret;
|
|
|
|
|
|
|
|
ret = kernel_waitid_prepare(&wo, which, upid, infop, options, ru);
|
|
|
|
if (ret)
|
|
|
|
return ret;
|
2020-09-02 10:21:28 +00:00
|
|
|
|
2009-06-17 23:27:39 +00:00
|
|
|
ret = do_wait(&wo);
|
2023-07-11 16:38:23 +00:00
|
|
|
if (!ret && !(options & WNOHANG) && (wo.wo_flags & WNOHANG))
|
2020-09-02 10:21:28 +00:00
|
|
|
ret = -EAGAIN;
|
do_wait: fix sys_waitid()-specific behaviour
do_wait() checks ->wo_info to figure out who is the caller. If it's not
NULL the caller should be sys_waitid(), in that case do_wait() fixes up
the retval or zeros ->wo_info, depending on retval from underlying
function.
This is bug: user can pass ->wo_info == NULL and sys_waitid() will return
incorrect value.
man 2 waitid says:
waitid(): returns 0 on success
Test-case:
int main(void)
{
if (fork())
assert(waitid(P_ALL, 0, NULL, WEXITED) == 0);
return 0;
}
Result:
Assertion `waitid(P_ALL, 0, ((void *)0), 4) == 0' failed.
Move that code to sys_waitid().
User-visible change: sys_waitid() will return 0 on success, either
infop is set or not.
Note, there's another bug in wait_noreap_copyout() which affects
return value of sys_waitid(). It will be fixed in next patch.
Signed-off-by: Vitaly Mayatskikh <v.mayatskih@gmail.com>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Cc: Roland McGrath <roland@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-09-23 22:56:51 +00:00
|
|
|
|
2023-07-11 16:38:23 +00:00
|
|
|
put_pid(wo.wo_pid);
|
2005-04-16 22:20:36 +00:00
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2017-05-15 00:25:02 +00:00
|
|
|
SYSCALL_DEFINE5(waitid, int, which, pid_t, upid, struct siginfo __user *,
|
|
|
|
infop, int, options, struct rusage __user *, ru)
|
|
|
|
{
|
|
|
|
struct rusage r;
|
2017-05-15 00:53:13 +00:00
|
|
|
struct waitid_info info = {.status = 0};
|
|
|
|
long err = kernel_waitid(which, upid, &info, options, ru ? &r : NULL);
|
2017-07-08 15:26:39 +00:00
|
|
|
int signo = 0;
|
2017-09-29 17:43:15 +00:00
|
|
|
|
2017-07-08 15:26:39 +00:00
|
|
|
if (err > 0) {
|
|
|
|
signo = SIGCHLD;
|
|
|
|
err = 0;
|
2017-05-15 00:25:02 +00:00
|
|
|
if (ru && copy_to_user(ru, &r, sizeof(struct rusage)))
|
|
|
|
return -EFAULT;
|
|
|
|
}
|
2017-05-15 00:53:13 +00:00
|
|
|
if (!infop)
|
|
|
|
return err;
|
|
|
|
|
2020-04-03 07:20:51 +00:00
|
|
|
if (!user_write_access_begin(infop, sizeof(*infop)))
|
2017-10-20 14:36:05 +00:00
|
|
|
return -EFAULT;
|
2017-10-09 18:36:52 +00:00
|
|
|
|
2017-07-08 15:26:39 +00:00
|
|
|
unsafe_put_user(signo, &infop->si_signo, Efault);
|
2017-05-14 23:27:32 +00:00
|
|
|
unsafe_put_user(0, &infop->si_errno, Efault);
|
2017-07-17 03:36:59 +00:00
|
|
|
unsafe_put_user(info.cause, &infop->si_code, Efault);
|
2017-05-14 23:27:32 +00:00
|
|
|
unsafe_put_user(info.pid, &infop->si_pid, Efault);
|
|
|
|
unsafe_put_user(info.uid, &infop->si_uid, Efault);
|
|
|
|
unsafe_put_user(info.status, &infop->si_status, Efault);
|
2020-04-03 07:20:51 +00:00
|
|
|
user_write_access_end();
|
2017-05-15 00:25:02 +00:00
|
|
|
return err;
|
2017-05-14 23:27:32 +00:00
|
|
|
Efault:
|
2020-04-03 07:20:51 +00:00
|
|
|
user_write_access_end();
|
2017-05-14 23:27:32 +00:00
|
|
|
return -EFAULT;
|
2017-05-15 00:25:02 +00:00
|
|
|
}
|
|
|
|
|
2017-05-15 03:54:33 +00:00
|
|
|
long kernel_wait4(pid_t upid, int __user *stat_addr, int options,
|
|
|
|
struct rusage *ru)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2009-06-17 23:27:39 +00:00
|
|
|
struct wait_opts wo;
|
2008-02-08 12:19:14 +00:00
|
|
|
struct pid *pid = NULL;
|
|
|
|
enum pid_type type;
|
2005-04-16 22:20:36 +00:00
|
|
|
long ret;
|
|
|
|
|
|
|
|
if (options & ~(WNOHANG|WUNTRACED|WCONTINUED|
|
|
|
|
__WNOTHREAD|__WCLONE|__WALL))
|
|
|
|
return -EINVAL;
|
2008-02-08 12:19:14 +00:00
|
|
|
|
2017-07-10 22:53:01 +00:00
|
|
|
/* -INT_MIN is not defined */
|
|
|
|
if (upid == INT_MIN)
|
|
|
|
return -ESRCH;
|
|
|
|
|
2008-02-08 12:19:14 +00:00
|
|
|
if (upid == -1)
|
|
|
|
type = PIDTYPE_MAX;
|
|
|
|
else if (upid < 0) {
|
|
|
|
type = PIDTYPE_PGID;
|
|
|
|
pid = find_get_pid(-upid);
|
|
|
|
} else if (upid == 0) {
|
|
|
|
type = PIDTYPE_PGID;
|
2009-04-02 23:58:36 +00:00
|
|
|
pid = get_task_pid(current, PIDTYPE_PGID);
|
2008-02-08 12:19:14 +00:00
|
|
|
} else /* upid > 0 */ {
|
|
|
|
type = PIDTYPE_PID;
|
|
|
|
pid = find_get_pid(upid);
|
|
|
|
}
|
|
|
|
|
2009-06-17 23:27:39 +00:00
|
|
|
wo.wo_type = type;
|
|
|
|
wo.wo_pid = pid;
|
|
|
|
wo.wo_flags = options | WEXITED;
|
|
|
|
wo.wo_info = NULL;
|
2017-05-15 00:39:39 +00:00
|
|
|
wo.wo_stat = 0;
|
2009-06-17 23:27:39 +00:00
|
|
|
wo.wo_rusage = ru;
|
|
|
|
ret = do_wait(&wo);
|
2008-02-08 12:19:14 +00:00
|
|
|
put_pid(pid);
|
2017-05-15 00:39:39 +00:00
|
|
|
if (ret > 0 && stat_addr && put_user(wo.wo_stat, stat_addr))
|
|
|
|
ret = -EFAULT;
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2020-08-12 01:34:10 +00:00
|
|
|
int kernel_wait(pid_t pid, int *stat)
|
|
|
|
{
|
|
|
|
struct wait_opts wo = {
|
|
|
|
.wo_type = PIDTYPE_PID,
|
|
|
|
.wo_pid = find_get_pid(pid),
|
|
|
|
.wo_flags = WEXITED,
|
|
|
|
};
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
ret = do_wait(&wo);
|
|
|
|
if (ret > 0 && wo.wo_stat)
|
|
|
|
*stat = wo.wo_stat;
|
|
|
|
put_pid(wo.wo_pid);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2017-05-15 00:25:02 +00:00
|
|
|
SYSCALL_DEFINE4(wait4, pid_t, upid, int __user *, stat_addr,
|
|
|
|
int, options, struct rusage __user *, ru)
|
|
|
|
{
|
|
|
|
struct rusage r;
|
|
|
|
long err = kernel_wait4(upid, stat_addr, options, ru ? &r : NULL);
|
|
|
|
|
|
|
|
if (err > 0) {
|
|
|
|
if (ru && copy_to_user(ru, &r, sizeof(struct rusage)))
|
|
|
|
return -EFAULT;
|
|
|
|
}
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
#ifdef __ARCH_WANT_SYS_WAITPID
|
|
|
|
|
|
|
|
/*
|
|
|
|
* sys_waitpid() remains for compatibility. waitpid() should be
|
|
|
|
* implemented by calling sys_wait4() from libc.a.
|
|
|
|
*/
|
2009-01-14 13:14:10 +00:00
|
|
|
SYSCALL_DEFINE3(waitpid, pid_t, pid, int __user *, stat_addr, int, options)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2018-03-11 10:34:26 +00:00
|
|
|
return kernel_wait4(pid, stat_addr, options, NULL);
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
#endif
|
2017-05-14 23:52:01 +00:00
|
|
|
|
|
|
|
#ifdef CONFIG_COMPAT
|
|
|
|
COMPAT_SYSCALL_DEFINE4(wait4,
|
|
|
|
compat_pid_t, pid,
|
|
|
|
compat_uint_t __user *, stat_addr,
|
|
|
|
int, options,
|
|
|
|
struct compat_rusage __user *, ru)
|
|
|
|
{
|
2017-05-15 00:25:02 +00:00
|
|
|
struct rusage r;
|
|
|
|
long err = kernel_wait4(pid, stat_addr, options, ru ? &r : NULL);
|
|
|
|
if (err > 0) {
|
|
|
|
if (ru && put_compat_rusage(&r, ru))
|
|
|
|
return -EFAULT;
|
2017-05-14 23:52:01 +00:00
|
|
|
}
|
2017-05-15 00:25:02 +00:00
|
|
|
return err;
|
2017-05-14 23:52:01 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
COMPAT_SYSCALL_DEFINE5(waitid,
|
|
|
|
int, which, compat_pid_t, pid,
|
|
|
|
struct compat_siginfo __user *, infop, int, options,
|
|
|
|
struct compat_rusage __user *, uru)
|
|
|
|
{
|
|
|
|
struct rusage ru;
|
2017-05-15 00:53:13 +00:00
|
|
|
struct waitid_info info = {.status = 0};
|
|
|
|
long err = kernel_waitid(which, pid, &info, options, uru ? &ru : NULL);
|
2017-07-08 15:26:39 +00:00
|
|
|
int signo = 0;
|
|
|
|
if (err > 0) {
|
|
|
|
signo = SIGCHLD;
|
|
|
|
err = 0;
|
2017-09-29 17:43:15 +00:00
|
|
|
if (uru) {
|
|
|
|
/* kernel_waitid() overwrites everything in ru */
|
|
|
|
if (COMPAT_USE_64BIT_TIME)
|
|
|
|
err = copy_to_user(uru, &ru, sizeof(ru));
|
|
|
|
else
|
|
|
|
err = put_compat_rusage(&ru, uru);
|
|
|
|
if (err)
|
|
|
|
return -EFAULT;
|
|
|
|
}
|
2017-05-14 23:52:01 +00:00
|
|
|
}
|
|
|
|
|
2017-05-14 23:27:32 +00:00
|
|
|
if (!infop)
|
|
|
|
return err;
|
|
|
|
|
2020-04-03 07:20:51 +00:00
|
|
|
if (!user_write_access_begin(infop, sizeof(*infop)))
|
2017-10-20 14:36:05 +00:00
|
|
|
return -EFAULT;
|
2017-10-09 18:36:52 +00:00
|
|
|
|
2017-07-08 15:26:39 +00:00
|
|
|
unsafe_put_user(signo, &infop->si_signo, Efault);
|
2017-05-14 23:27:32 +00:00
|
|
|
unsafe_put_user(0, &infop->si_errno, Efault);
|
2017-07-17 03:36:59 +00:00
|
|
|
unsafe_put_user(info.cause, &infop->si_code, Efault);
|
2017-05-14 23:27:32 +00:00
|
|
|
unsafe_put_user(info.pid, &infop->si_pid, Efault);
|
|
|
|
unsafe_put_user(info.uid, &infop->si_uid, Efault);
|
|
|
|
unsafe_put_user(info.status, &infop->si_status, Efault);
|
2020-04-03 07:20:51 +00:00
|
|
|
user_write_access_end();
|
2017-05-15 00:53:13 +00:00
|
|
|
return err;
|
2017-05-14 23:27:32 +00:00
|
|
|
Efault:
|
2020-04-03 07:20:51 +00:00
|
|
|
user_write_access_end();
|
2017-05-14 23:27:32 +00:00
|
|
|
return -EFAULT;
|
2017-05-14 23:52:01 +00:00
|
|
|
}
|
|
|
|
#endif
|
2017-12-14 23:33:19 +00:00
|
|
|
|
Compiler attributes: GCC cold function alignment workarounds
Contemporary versions of GCC (e.g. GCC 12.2.0) drop the alignment
specified by '-falign-functions=N' for functions marked with the
__cold__ attribute, and potentially for callees of __cold__ functions as
these may be implicitly marked as __cold__ by the compiler. LLVM appears
to respect '-falign-functions=N' in such cases.
This has been reported to GCC in bug 88345:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88345
... which also covers alignment being dropped when '-Os' is used, which
will be addressed in a separate patch.
Currently, use of '-falign-functions=N' is limited to
CONFIG_FUNCTION_ALIGNMENT, which is largely used for performance and/or
analysis reasons (e.g. with CONFIG_DEBUG_FORCE_FUNCTION_ALIGN_64B), but
isn't necessary for correct functionality. However, this dropped
alignment isn't great for the performance and/or analysis cases.
Subsequent patches will use CONFIG_FUNCTION_ALIGNMENT as part of arm64's
ftrace implementation, which will require all instrumented functions to
be aligned to at least 8-bytes.
This patch works around the dropped alignment by avoiding the use of the
__cold__ attribute when CONFIG_FUNCTION_ALIGNMENT is non-zero, and by
specifically aligning abort(), which GCC implicitly marks as __cold__.
As the __cold macro is now dependent upon config options (which is
against the policy described at the top of compiler_attributes.h), it is
moved into compiler_types.h.
I've tested this by building and booting a kernel configured with
defconfig + CONFIG_EXPERT=y + CONFIG_DEBUG_FORCE_FUNCTION_ALIGN_64B=y,
and looking for misaligned text symbols in /proc/kallsyms:
* arm64:
Before:
# uname -rm
6.2.0-rc3 aarch64
# grep ' [Tt] ' /proc/kallsyms | grep -iv '[048c]0 [Tt] ' | wc -l
5009
After:
# uname -rm
6.2.0-rc3-00001-g2a2bedf8bfa9 aarch64
# grep ' [Tt] ' /proc/kallsyms | grep -iv '[048c]0 [Tt] ' | wc -l
919
* x86_64:
Before:
# uname -rm
6.2.0-rc3 x86_64
# grep ' [Tt] ' /proc/kallsyms | grep -iv '[048c]0 [Tt] ' | wc -l
11537
After:
# uname -rm
6.2.0-rc3-00001-g2a2bedf8bfa9 x86_64
# grep ' [Tt] ' /proc/kallsyms | grep -iv '[048c]0 [Tt] ' | wc -l
2805
There's clearly a substantial reduction in the number of misaligned
symbols. From manual inspection, the remaining unaligned text labels are
a combination of ACPICA functions (due to the use of '-Os'), static call
trampolines, and non-function labels in assembly, which will be dealt
with in subsequent patches.
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Florent Revest <revest@chromium.org>
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Will Deacon <will@kernel.org>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Link: https://lore.kernel.org/r/20230123134603.1064407-3-mark.rutland@arm.com
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
2023-01-23 13:45:57 +00:00
|
|
|
/*
|
|
|
|
* This needs to be __function_aligned as GCC implicitly makes any
|
|
|
|
* implementation of abort() cold and drops alignment specified by
|
|
|
|
* -falign-functions=N.
|
|
|
|
*
|
|
|
|
* See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88345#c11
|
|
|
|
*/
|
|
|
|
__weak __function_aligned void abort(void)
|
2017-12-14 23:33:19 +00:00
|
|
|
{
|
|
|
|
BUG();
|
|
|
|
|
|
|
|
/* if that doesn't kill us, halt */
|
|
|
|
panic("Oops failed to kill thread");
|
|
|
|
}
|
2018-01-05 00:17:56 +00:00
|
|
|
EXPORT_SYMBOL(abort);
|