On Mon, Oct 7, 2019 at 3:18 PM Andrea Parri parri.andrea@gmail.com wrote:

On Mon, Oct 07, 2019 at 01:01:17PM +0200, Christian Brauner wrote:

...

When assiging and testing taskstats in taskstats_exit() there's a race when writing and reading sig->stats when a thread-group with more than one thread exits:

cpu0: thread catches fatal signal and whole thread-group gets taken down do_exit() do_group_exit() taskstats_exit() taskstats_tgid_alloc() The tasks reads sig->stats holding sighand lock seeing garbage.

You meant "without holding sighand lock" here, right?

...

cpu1: task calls exit_group() do_exit() do_group_exit() taskstats_exit() taskstats_tgid_alloc() The task takes sighand lock and assigns new stats to sig->stats.

Fix this by using READ_ONCE() and smp_store_release().

Reported-by: syzbot+c5d03165a1bd1dead0c1@syzkaller.appspotmail.com Fixes: 34ec12349c8a ("taskstats: cleanup ->signal->stats allocation") Cc: stable@vger.kernel.org Signed-off-by: Christian Brauner christian.brauner@ubuntu.com Reviewed-by: Dmitry Vyukov dvyukov@google.com Link: https://lore.kernel.org/r/20191006235216.7483-1-christian.brauner@ubuntu.com

---

/* v1 */ Link: https://lore.kernel.org/r/20191005112806.13960-1-christian.brauner@ubuntu.co...

/* v2 */

• Dmitry Vyukov dvyukov@google.com, Marco Elver elver@google.com:
  • fix the original double-checked locking using memory barriers

/* v3 */

• Andrea Parri parri.andrea@gmail.com:
  • document memory barriers to make checkpatch happy

---

kernel/taskstats.c | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/kernel/taskstats.c b/kernel/taskstats.c index 13a0f2e6ebc2..978d7931fb65 100644 --- a/kernel/taskstats.c +++ b/kernel/taskstats.c @@ -554,24 +554,27 @@ static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info) static struct taskstats *taskstats_tgid_alloc(struct task_struct *tsk) { struct signal_struct *sig = tsk->signal;

• struct taskstats *stats;
  

• struct taskstats *stats_new, *stats;
  
  

• if (sig->stats || thread_group_empty(tsk))
  

•         goto ret;
  

• /* Pairs with smp_store_release() below. */
  

• stats = READ_ONCE(sig->stats);
  

This pairing suggests that the READ_ONCE() is heading an address dependency, but I fail to identify it: what is the target memory access of such a (putative) dependency?

I would assume callers of this function access *stats. So the dependency is between loading stats and accessing *stats.

...

• if (stats || thread_group_empty(tsk))
  

•         return stats;
  
  /* No problem if kmem_cache_zalloc() fails */
  

• stats = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL);
  

• stats_new = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL);
  
  spin_lock_irq(&tsk->sighand->siglock);
  if (!sig->stats) {
  

•         sig->stats = stats;
  

•         stats = NULL;
  

•         /* Pairs with READ_ONCE() above. */
  

•         smp_store_release(&sig->stats, stats_new);
  

This is intended to 'order' the _zalloc() (zero initializazion) before the update of sig->stats, right? what else am I missing?

Thanks, Andrea

...

•         stats_new = NULL;
  }
  spin_unlock_irq(&tsk->sighand->siglock);
  
  

• if (stats)
  

•         kmem_cache_free(taskstats_cache, stats);
  

-ret:

• if (stats_new)
  

•         kmem_cache_free(taskstats_cache, stats_new);
  

• return sig->stats;
  

}

-- 2.23.0

On Mon, Oct 7, 2019 at 3:55 PM Christian Brauner christian.brauner@ubuntu.com wrote:

On Mon, Oct 07, 2019 at 03:50:47PM +0200, Dmitry Vyukov wrote:

...

On Mon, Oct 7, 2019 at 3:18 PM Andrea Parri parri.andrea@gmail.com wrote:

...

On Mon, Oct 07, 2019 at 01:01:17PM +0200, Christian Brauner wrote:

...

When assiging and testing taskstats in taskstats_exit() there's a race when writing and reading sig->stats when a thread-group with more than one thread exits:

cpu0: thread catches fatal signal and whole thread-group gets taken down do_exit() do_group_exit() taskstats_exit() taskstats_tgid_alloc() The tasks reads sig->stats holding sighand lock seeing garbage.

You meant "without holding sighand lock" here, right?

...

cpu1: task calls exit_group() do_exit() do_group_exit() taskstats_exit() taskstats_tgid_alloc() The task takes sighand lock and assigns new stats to sig->stats.

Fix this by using READ_ONCE() and smp_store_release().

Reported-by: syzbot+c5d03165a1bd1dead0c1@syzkaller.appspotmail.com Fixes: 34ec12349c8a ("taskstats: cleanup ->signal->stats allocation") Cc: stable@vger.kernel.org Signed-off-by: Christian Brauner christian.brauner@ubuntu.com Reviewed-by: Dmitry Vyukov dvyukov@google.com Link: https://lore.kernel.org/r/20191006235216.7483-1-christian.brauner@ubuntu.com

---

/* v1 */ Link: https://lore.kernel.org/r/20191005112806.13960-1-christian.brauner@ubuntu.co...

/* v2 */

• Dmitry Vyukov dvyukov@google.com, Marco Elver elver@google.com:
  • fix the original double-checked locking using memory barriers

/* v3 */

• Andrea Parri parri.andrea@gmail.com:
  • document memory barriers to make checkpatch happy

---

kernel/taskstats.c | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/kernel/taskstats.c b/kernel/taskstats.c index 13a0f2e6ebc2..978d7931fb65 100644 --- a/kernel/taskstats.c +++ b/kernel/taskstats.c @@ -554,24 +554,27 @@ static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info) static struct taskstats *taskstats_tgid_alloc(struct task_struct *tsk) { struct signal_struct *sig = tsk->signal;

• struct taskstats *stats;
  

• struct taskstats *stats_new, *stats;
  
  

• if (sig->stats || thread_group_empty(tsk))
  

•         goto ret;
  

• /* Pairs with smp_store_release() below. */
  

• stats = READ_ONCE(sig->stats);
  

This pairing suggests that the READ_ONCE() is heading an address dependency, but I fail to identify it: what is the target memory access of such a (putative) dependency?

I would assume callers of this function access *stats. So the dependency is between loading stats and accessing *stats.

Right, but why READ_ONCE() and not smp_load_acquire here?

Because if all memory accesses we need to order have data dependency between them, READ_ONCE is enough and is cheaper on some archs (e.g. ARM). In our case there is a data dependency between loading of stats and accessing *stats (only Alpha could reorder that, other arches can't load via a pointer before loading the pointer itself (sic!)).

On Wed, Oct 09, 2019 at 01:48:09PM +0200, Christian Brauner wrote:

When assiging and testing taskstats in taskstats_exit() there's a race when writing and reading sig->stats when a thread-group with more than one thread exits:

cpu0: thread catches fatal signal and whole thread-group gets taken down do_exit() do_group_exit() taskstats_exit() taskstats_tgid_alloc() The tasks reads sig->stats without holding sighand lock seeing garbage.

cpu1: task calls exit_group() do_exit() do_group_exit() taskstats_exit() taskstats_tgid_alloc() The task takes sighand lock and assigns new stats to sig->stats.

Fix this by using smp_load_acquire() and smp_store_release().

Reported-by: syzbot+c5d03165a1bd1dead0c1@syzkaller.appspotmail.com Fixes: 34ec12349c8a ("taskstats: cleanup ->signal->stats allocation") Cc: stable@vger.kernel.org Signed-off-by: Christian Brauner christian.brauner@ubuntu.com Reviewed-by: Dmitry Vyukov dvyukov@google.com

Reviewed-by: Andrea Parri parri.andrea@gmail.com

Thanks, Andrea

---

/* v1 */ Link: https://lore.kernel.org/r/20191005112806.13960-1-christian.brauner@ubuntu.co...

/* v2 */ Link: https://lore.kernel.org/r/20191006235216.7483-1-christian.brauner@ubuntu.com

• Dmitry Vyukov dvyukov@google.com, Marco Elver elver@google.com:
  • fix the original double-checked locking using memory barriers

/* v3 */ Link: https://lore.kernel.org/r/20191007110117.1096-1-christian.brauner@ubuntu.com

• Andrea Parri parri.andrea@gmail.com:
  • document memory barriers to make checkpatch happy

/* v4 */ Link: https://lore.kernel.org/r/20191009113134.5171-1-christian.brauner@ubuntu.com

• Andrea Parri parri.andrea@gmail.com:
  • use smp_load_acquire(), not READ_ONCE()
  • update commit message

/* v5 */

• Andrea Parri parri.andrea@gmail.com:
  • fix typo in smp_load_acquire()

---

kernel/taskstats.c | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/kernel/taskstats.c b/kernel/taskstats.c index 13a0f2e6ebc2..6e18fdc4f7c8 100644 --- a/kernel/taskstats.c +++ b/kernel/taskstats.c @@ -554,24 +554,30 @@ static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info) static struct taskstats *taskstats_tgid_alloc(struct task_struct *tsk) { struct signal_struct *sig = tsk->signal;

• struct taskstats *stats;

• struct taskstats *stats_new, *stats;

• if (sig->stats || thread_group_empty(tsk))

• goto ret;
  

• /* Pairs with smp_store_release() below. */
• stats = smp_load_acquire(&sig->stats);
• if (stats || thread_group_empty(tsk))

• return stats;
  

/* No problem if kmem_cache_zalloc() fails */

• stats = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL);

• stats_new = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL);

spin_lock_irq(&tsk->sighand->siglock); if (!sig->stats) {

• sig->stats = stats;
  

• stats = NULL;
  

• /*
  

•  * Pairs with smp_store_release() above and order the
  

•  * kmem_cache_zalloc().
  

•  */
  

• smp_store_release(&sig->stats, stats_new);
  

• stats_new = NULL;
  

  } spin_unlock_irq(&tsk->sighand->siglock);

• if (stats)

• kmem_cache_free(taskstats_cache, stats);
  

-ret:

• if (stats_new)

• kmem_cache_free(taskstats_cache, stats_new);
  

• return sig->stats;

} -- 2.23.0

When assiging and testing taskstats in taskstats_exit() there's a race when writing and reading sig->stats when a thread-group with more than one thread exits:

cpu0: thread catches fatal signal and whole thread-group gets taken down do_exit() do_group_exit() taskstats_exit() taskstats_tgid_alloc() The tasks reads sig->stats without holding sighand lock.

cpu1: task calls exit_group() do_exit() do_group_exit() taskstats_exit() taskstats_tgid_alloc() The task takes sighand lock and assigns new stats to sig->stats.

The first approach used smp_load_acquire() and smp_store_release(). However, after having discussed this it seems that the data dependency for kmem_cache_alloc() would be fixed by WRITE_ONCE(). Furthermore, the smp_load_acquire() would only manage to order the stats check before the thread_group_empty() check. So it seems just using READ_ONCE() and WRITE_ONCE() will do the job and I wanted to bring this up for discussion at least.

Reported-by: syzbot+c5d03165a1bd1dead0c1@syzkaller.appspotmail.com Fixes: 34ec12349c8a ("taskstats: cleanup ->signal->stats allocation") Cc: Will Deacon will@kernel.org Cc: Marco Elver elver@google.com Cc: Andrea Parri parri.andrea@gmail.com Cc: Dmitry Vyukov dvyukov@google.com Cc: stable@vger.kernel.org Signed-off-by: Christian Brauner christian.brauner@ubuntu.com --- /* v1 */ Link: https://lore.kernel.org/r/20191005112806.13960-1-christian.brauner@ubuntu.co...

/* v2 */ Link: https://lore.kernel.org/r/20191006235216.7483-1-christian.brauner@ubuntu.com - Dmitry Vyukov dvyukov@google.com, Marco Elver elver@google.com: - fix the original double-checked locking using memory barriers

/* v3 */ Link: https://lore.kernel.org/r/20191007110117.1096-1-christian.brauner@ubuntu.com - Andrea Parri parri.andrea@gmail.com: - document memory barriers to make checkpatch happy

/* v4 */ Link: https://lore.kernel.org/r/20191009113134.5171-1-christian.brauner@ubuntu.com - Andrea Parri parri.andrea@gmail.com: - use smp_load_acquire(), not READ_ONCE() - update commit message

/* v5 */ Link: https://lore.kernel.org/r/20191009114809.8643-1-christian.brauner@ubuntu.com - Andrea Parri parri.andrea@gmail.com: - fix typo in smp_load_acquire()

/* v6 */ - Christian Brauner christian.brauner@ubuntu.com: - bring up READ_ONCE()/WRITE_ONCE() approach for discussion --- kernel/taskstats.c | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-)

diff --git a/kernel/taskstats.c b/kernel/taskstats.c index 13a0f2e6ebc2..111bb4139aa2 100644 --- a/kernel/taskstats.c +++ b/kernel/taskstats.c @@ -554,25 +554,29 @@ static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info) static struct taskstats *taskstats_tgid_alloc(struct task_struct *tsk) { struct signal_struct *sig = tsk->signal; - struct taskstats *stats; + struct taskstats *stats_new, *stats;

- if (sig->stats || thread_group_empty(tsk)) - goto ret; + /* Pairs with WRITE_ONCE() below. */ + stats = READ_ONCE(sig->stats); + if (stats || thread_group_empty(tsk)) + return stats;

/* No problem if kmem_cache_zalloc() fails */ - stats = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL); + stats_new = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL);

spin_lock_irq(&tsk->sighand->siglock); - if (!sig->stats) { - sig->stats = stats; - stats = NULL; + if (!stats) { + stats = stats_new; + /* Pairs with READ_ONCE() above. */ + WRITE_ONCE(sig->stats, stats_new); + stats_new = NULL; } spin_unlock_irq(&tsk->sighand->siglock);

- if (stats) - kmem_cache_free(taskstats_cache, stats); -ret: - return sig->stats; + if (stats_new) + kmem_cache_free(taskstats_cache, stats_new); + + return stats; }

/* Send pid data out on exit */

On Mon, Oct 21, 2019 at 02:19:01PM +0200, Rasmus Villemoes wrote:

On 21/10/2019 13.33, Christian Brauner wrote:

...

The first approach used smp_load_acquire() and smp_store_release(). However, after having discussed this it seems that the data dependency for kmem_cache_alloc() would be fixed by WRITE_ONCE(). Furthermore, the smp_load_acquire() would only manage to order the stats check before the thread_group_empty() check. So it seems just using READ_ONCE() and WRITE_ONCE() will do the job and I wanted to bring this up for discussion at least.

/* v6 */

• Christian Brauner christian.brauner@ubuntu.com:
  • bring up READ_ONCE()/WRITE_ONCE() approach for discussion

---

kernel/taskstats.c | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-)

diff --git a/kernel/taskstats.c b/kernel/taskstats.c index 13a0f2e6ebc2..111bb4139aa2 100644 --- a/kernel/taskstats.c +++ b/kernel/taskstats.c @@ -554,25 +554,29 @@ static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info) static struct taskstats *taskstats_tgid_alloc(struct task_struct *tsk) { struct signal_struct *sig = tsk->signal;

• struct taskstats *stats;

• struct taskstats *stats_new, *stats;

• if (sig->stats || thread_group_empty(tsk))

• goto ret;
  

• /* Pairs with WRITE_ONCE() below. */
• stats = READ_ONCE(sig->stats);
• if (stats || thread_group_empty(tsk))

• return stats;
  

/* No problem if kmem_cache_zalloc() fails */

• stats = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL);

• stats_new = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL);

spin_lock_irq(&tsk->sighand->siglock);

• if (!sig->stats) {

• sig->stats = stats;
  

• stats = NULL;
  

• if (!stats) {

• stats = stats_new;
  

• /* Pairs with READ_ONCE() above. */
  

• WRITE_ONCE(sig->stats, stats_new);
  

• stats_new = NULL;
  

No idea about the memory ordering issues, but don't you need to load/check sig->stats again? Otherwise it seems that two threads might both see !sig->stats, both allocate a stats_new, and both unconditionally in turn assign their stats_new to sig->stats. Then the first assignment ends up becoming a memory leak (and any writes through that pointer done by the caller end up in /dev/null...)

Trigger hand too fast. I guess you're thinking sm like:

diff --git a/kernel/taskstats.c b/kernel/taskstats.c index 13a0f2e6ebc2..c4e1ed11e785 100644 --- a/kernel/taskstats.c +++ b/kernel/taskstats.c @@ -554,25 +554,27 @@ static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info) static struct taskstats *taskstats_tgid_alloc(struct task_struct *tsk) { struct signal_struct *sig = tsk->signal; - struct taskstats *stats; + struct taskstats *stats_new, *stats;

- if (sig->stats || thread_group_empty(tsk)) - goto ret; + stats = READ_ONCE(sig->stats); + if (stats || thread_group_empty(tsk)) + return stats;

- /* No problem if kmem_cache_zalloc() fails */ - stats = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL); + stats_new = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL);

spin_lock_irq(&tsk->sighand->siglock); - if (!sig->stats) { - sig->stats = stats; - stats = NULL; + stats = READ_ONCE(sig->stats); + if (!stats) { + stats = stats_new; + WRITE_ONCE(sig->stats, stats_new); + stats_new = NULL; } spin_unlock_irq(&tsk->sighand->siglock);

- if (stats) - kmem_cache_free(taskstats_cache, stats); -ret: - return sig->stats; + if (stats_new) + kmem_cache_free(taskstats_cache, stats_new); + + return stats; }

On Fri, Nov 29, 2019 at 05:56:05PM +0000, Will Deacon wrote:

On Mon, Oct 21, 2019 at 03:04:18PM +0200, Christian Brauner wrote:

...

On Mon, Oct 21, 2019 at 02:19:01PM +0200, Rasmus Villemoes wrote:

...

On 21/10/2019 13.33, Christian Brauner wrote:

...

The first approach used smp_load_acquire() and smp_store_release(). However, after having discussed this it seems that the data dependency for kmem_cache_alloc() would be fixed by WRITE_ONCE(). Furthermore, the smp_load_acquire() would only manage to order the stats check before the thread_group_empty() check. So it seems just using READ_ONCE() and WRITE_ONCE() will do the job and I wanted to bring this up for discussion at least.

/* v6 */

• Christian Brauner christian.brauner@ubuntu.com:
  • bring up READ_ONCE()/WRITE_ONCE() approach for discussion

---

kernel/taskstats.c | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-)

diff --git a/kernel/taskstats.c b/kernel/taskstats.c index 13a0f2e6ebc2..111bb4139aa2 100644 --- a/kernel/taskstats.c +++ b/kernel/taskstats.c @@ -554,25 +554,29 @@ static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info) static struct taskstats *taskstats_tgid_alloc(struct task_struct *tsk) { struct signal_struct *sig = tsk->signal;

• struct taskstats *stats;

• struct taskstats *stats_new, *stats;

• if (sig->stats || thread_group_empty(tsk))

• goto ret;
  

• /* Pairs with WRITE_ONCE() below. */
• stats = READ_ONCE(sig->stats);
• if (stats || thread_group_empty(tsk))

• return stats;
  

/* No problem if kmem_cache_zalloc() fails */

• stats = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL);

• stats_new = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL);

spin_lock_irq(&tsk->sighand->siglock);

• if (!sig->stats) {

• sig->stats = stats;
  

• stats = NULL;
  

• if (!stats) {

• stats = stats_new;
  

• /* Pairs with READ_ONCE() above. */
  

• WRITE_ONCE(sig->stats, stats_new);
  

• stats_new = NULL;
  

No idea about the memory ordering issues, but don't you need to load/check sig->stats again? Otherwise it seems that two threads might both see !sig->stats, both allocate a stats_new, and both unconditionally in turn assign their stats_new to sig->stats. Then the first assignment ends up becoming a memory leak (and any writes through that pointer done by the caller end up in /dev/null...)

Trigger hand too fast. I guess you're thinking sm like:

diff --git a/kernel/taskstats.c b/kernel/taskstats.c index 13a0f2e6ebc2..c4e1ed11e785 100644 --- a/kernel/taskstats.c +++ b/kernel/taskstats.c @@ -554,25 +554,27 @@ static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info) static struct taskstats *taskstats_tgid_alloc(struct task_struct *tsk) { struct signal_struct *sig = tsk->signal;

• struct taskstats *stats;

• struct taskstats *stats_new, *stats;

• if (sig->stats || thread_group_empty(tsk))

• goto ret;
  

• stats = READ_ONCE(sig->stats);

This probably wants to be an acquire, since both the memcpy() later on in taskstats_exit() and the accesses in {b,x}acct_add_tsk() appear to read from the taskstats structure without the sighand->siglock held and therefore may miss zeroed allocation from the zalloc() below, I think.

...

• if (stats || thread_group_empty(tsk))

• return stats;
  

• /* No problem if kmem_cache_zalloc() fails */
• stats = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL);

• stats_new = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL);

spin_lock_irq(&tsk->sighand->siglock);

• if (!sig->stats) {

• sig->stats = stats;
  

• stats = NULL;
  

• stats = READ_ONCE(sig->stats);

You hold the spinlock here, so I don't think you need the READ_ONCE().

...

• if (!stats) {

• stats = stats_new;
  

• WRITE_ONCE(sig->stats, stats_new);
  

You probably want a release here to publish the zeroes from the zalloc() (back to my first comment). With those changes:

Reviewed-by: Will Deacon will@kernel.org

Thanks, this is basically what we had in v5. I'll rework and send this after the merge window closes.

However, this caused me to look at do_group_exit() and we appear to have racy accesses on sig->flags there thanks to signal_group_exit(). I worry that might run quite deep, and can probably be looked at separately.

Yeah, we should look into this but separate from this patch.

Thanks for taking a look at this! Much appreciated! Christian

On Wed, 9 Oct 2019 at 13:31, Christian Brauner christian.brauner@ubuntu.com wrote:

When assiging and testing taskstats in taskstats_exit() there's a race when writing and reading sig->stats when a thread-group with more than one thread exits:

cpu0: thread catches fatal signal and whole thread-group gets taken down do_exit() do_group_exit() taskstats_exit() taskstats_tgid_alloc() The tasks reads sig->stats without holding sighand lock seeing garbage.

cpu1: task calls exit_group() do_exit() do_group_exit() taskstats_exit() taskstats_tgid_alloc() The task takes sighand lock and assigns new stats to sig->stats.

Fix this by using smp_load_acquire() and smp_store_release().

Reported-by: syzbot+c5d03165a1bd1dead0c1@syzkaller.appspotmail.com Fixes: 34ec12349c8a ("taskstats: cleanup ->signal->stats allocation") Cc: stable@vger.kernel.org Signed-off-by: Christian Brauner christian.brauner@ubuntu.com Reviewed-by: Dmitry Vyukov dvyukov@google.com

---

/* v1 */ Link: https://lore.kernel.org/r/20191005112806.13960-1-christian.brauner@ubuntu.co...

/* v2 */ Link: https://lore.kernel.org/r/20191006235216.7483-1-christian.brauner@ubuntu.com

• Dmitry Vyukov dvyukov@google.com, Marco Elver elver@google.com:
  • fix the original double-checked locking using memory barriers

/* v3 */ Link: https://lore.kernel.org/r/20191007110117.1096-1-christian.brauner@ubuntu.com...

• Andrea Parri parri.andrea@gmail.com:
  • document memory barriers to make checkpatch happy

/* v4 */

• Andrea Parri parri.andrea@gmail.com:
  • use smp_load_acquire(), not READ_ONCE()
  • update commit message

Acked-by: Marco Elver elver@google.com

Note that this now looks almost like what I suggested, except the return at the end of the function is accessing sig->stats again. In this case, it seems it's fine assuming sig->stats cannot be written elsewhere. Just wanted to point it out to make sure it's considered.

Thanks!

---

kernel/taskstats.c | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/kernel/taskstats.c b/kernel/taskstats.c index 13a0f2e6ebc2..e6b45315607a 100644 --- a/kernel/taskstats.c +++ b/kernel/taskstats.c @@ -554,24 +554,30 @@ static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info) static struct taskstats *taskstats_tgid_alloc(struct task_struct *tsk) { struct signal_struct *sig = tsk->signal;

•   struct taskstats *stats;
  

•   struct taskstats *stats_new, *stats;
  
  

•   if (sig->stats || thread_group_empty(tsk))
  

•           goto ret;
  

•   /* Pairs with smp_store_release() below. */
  

•   stats = smp_load_acquire(sig->stats);
  

•   if (stats || thread_group_empty(tsk))
  

•           return stats;
  
    /* No problem if kmem_cache_zalloc() fails */
  

•   stats = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL);
  

•   stats_new = kmem_cache_zalloc(taskstats_cache, GFP_KERNEL);
  
    spin_lock_irq(&tsk->sighand->siglock);
    if (!sig->stats) {
  

•           sig->stats = stats;
  

•           stats = NULL;
  

•           /*
  

•            * Pairs with smp_store_release() above and order the
  

•            * kmem_cache_zalloc().
  

•            */
  

•           smp_store_release(&sig->stats, stats_new);
  

•           stats_new = NULL;
    }
    spin_unlock_irq(&tsk->sighand->siglock);
  
  

•   if (stats)
  

•           kmem_cache_free(taskstats_cache, stats);
  

-ret:

•   if (stats_new)
  

•           kmem_cache_free(taskstats_cache, stats_new);
  

•   return sig->stats;
  

}

-- 2.23.0