The patch titled proc: readdir race fix (take 3) has been removed from the -mm tree. Its filename is proc-readdir-race-fix-take-3.patch This patch was dropped because it needs lots of updates for -mm changes ------------------------------------------------------ Subject: proc: readdir race fix (take 3) From: Eric W. Biederman <ebiederm@xxxxxxxxxxxx> The problem: An opendir, readdir, closedir sequence can fail to report process ids that are continually in use throughout the sequence of system calls. For this race to trigger the process that proc_pid_readdir stops at must exit before readdir is called again. This can cause ps to fail to report processes, and it is in violation of posix guarantees and normal application expectations with respect to readdir. Currently there is no way to work around this problem in user space short of providing a gargantuan buffer to user space so the directory read all happens in on system call. This patch implements the normal directory semantics for proc, that guarantee that a directory entry that is neither created nor destroyed while reading the directory entry will be returned. For directory that are either created or destroyed during the readdir you may or may not see them. Furthermore you may seek to a directory offset you have previously seen. These are the guarantee that ext[23] provides and that posix requires, and more importantly that user space expects. Plus it is a simple semantic to implement reliable service. It is just a matter of calling readdir a second time if you are wondering if something new has show up. These better semantics are implemented by scanning through the pids in numerical order and by making the file offset a pid plus a fixed offset. The pid scan happens on the pid bitmap, which when you look at it is remarkably efficient for a brute force algorithm. Given that a typical cache line is 64 bytes and thus covers space for 64*8 == 200 pids. There are only 40 cache lines for the entire 32K pid space. A typical system will have 100 pids or more so this is actually fewer cache lines we have to look at to scan a linked list, and the worst case of having to scan the entire pid bitmap is pretty reasonable. If we need something more efficient we can go to a more efficient data structure for indexing the pids, but for now what we have should be sufficient. In addition this takes no additional locks and is actually less code than what we are doing now. Also another very subtle bug in this area has been fixed. It is possible to catch a task in the middle of de_thread where a thread is assuming the thread of it's thread group leader. This patch carefully handles that case so if we hit it we don't fail to return the pid, that is undergoing the de_thread dance. Thanks to KAMEZAWA Hiroyuki <kamezawa.hiroyu@xxxxxxxxxxxxxx> for providing the first fix, pointing this out and working on it. Signed-off-by: Eric W. Biederman <ebiederm@xxxxxxxxxxxx> Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@xxxxxxxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxx> --- fs/proc/base.c | 104 +++++++++++++--------------------------- include/linux/pid.h | 1 include/linux/sched.h | 11 ++++ kernel/pid.c | 36 +++++++++++++ 4 files changed, 83 insertions(+), 69 deletions(-) diff -puN fs/proc/base.c~proc-readdir-race-fix-take-3 fs/proc/base.c --- a/fs/proc/base.c~proc-readdir-race-fix-take-3 +++ a/fs/proc/base.c @@ -1876,72 +1876,43 @@ out: } /* - * Find the first tgid to return to user space. + * Find the first task with tgid >= tgid * - * Usually this is just whatever follows &init_task, but if the users - * buffer was too small to hold the full list or there was a seek into - * the middle of the directory we have more work to do. - * - * In the case of a short read we start with find_task_by_pid. - * - * In the case of a seek we start with &init_task and walk nr - * threads past it. */ -static struct task_struct *first_tgid(int tgid, unsigned int nr) +static struct task_struct *next_tgid(unsigned int tgid) { - struct task_struct *pos; - rcu_read_lock(); - if (tgid && nr) { - pos = find_task_by_pid(tgid); - if (pos && thread_group_leader(pos)) - goto found; - } - /* If nr exceeds the number of processes get out quickly */ - pos = NULL; - if (nr && nr >= nr_processes()) - goto done; - - /* If we haven't found our starting place yet start with - * the init_task and walk nr tasks forward. - */ - for (pos = next_task(&init_task); nr > 0; --nr) { - pos = next_task(pos); - if (pos == &init_task) { - pos = NULL; - goto done; - } - } -found: - get_task_struct(pos); -done: - rcu_read_unlock(); - return pos; -} + struct task_struct *task; + struct pid *pid; -/* - * Find the next task in the task list. - * Return NULL if we loop or there is any error. - * - * The reference to the input task_struct is released. - */ -static struct task_struct *next_tgid(struct task_struct *start) -{ - struct task_struct *pos; + task = NULL; rcu_read_lock(); - pos = start; - if (pid_alive(start)) - pos = next_task(start); - if (pid_alive(pos) && (pos != &init_task)) { - get_task_struct(pos); - goto done; +retry: + pid = find_ge_pid(tgid); + if (pid) { + tgid = pid->nr + 1; + task = pid_task(pid, PIDTYPE_PID); + /* What we to know is if the pid we have find is the + * pid of a thread_group_leader. Testing for task + * being a thread_group_leader is the obvious thing + * todo but there is a window when it fails, due to + * the pid transfer logic in de_thread. + * + * So we perform the straight forward test of seeing + * if the pid we have found is the pid of a thread + * group leader, and don't worry if the task we have + * found doesn't happen to be a thread group leader. + * As we don't care in the case of readdir. + */ + if (!task || !has_group_leader_pid(task)) + goto retry; + get_task_struct(task); } - pos = NULL; -done: rcu_read_unlock(); - put_task_struct(start); - return pos; + return task; } +#define TGID_OFFSET (FIRST_PROCESS_ENTRY + (1 /* /proc/self */)) + /* for the /proc/ directory itself, after non-process stuff has been done */ int proc_pid_readdir(struct file * filp, void * dirent, filldir_t filldir) { @@ -1957,29 +1928,24 @@ int proc_pid_readdir(struct file * filp, filp->f_pos++; nr++; } - nr -= 1; - /* f_version caches the tgid value that the last readdir call couldn't - * return. lseek aka telldir automagically resets f_version to 0. - */ - tgid = filp->f_version; - filp->f_version = 0; - for (task = first_tgid(tgid, nr); + tgid = filp->f_pos - TGID_OFFSET; + for (task = next_tgid(tgid); task; - task = next_tgid(task), filp->f_pos++) { + put_task_struct(task), task = next_tgid(tgid + 1)) { int len; ino_t ino; tgid = task->pid; + filp->f_pos = tgid + TGID_OFFSET; len = snprintf(buf, sizeof(buf), "%d", tgid); ino = fake_ino(tgid, PROC_TGID_INO); if (filldir(dirent, buf, len, filp->f_pos, ino, DT_DIR) < 0) { - /* returning this tgid failed, save it as the first - * pid for the next readir call */ - filp->f_version = tgid; put_task_struct(task); - break; + goto out; } } + filp->f_pos = PID_MAX_LIMIT + TGID_OFFSET; +out: return 0; } diff -puN include/linux/pid.h~proc-readdir-race-fix-take-3 include/linux/pid.h --- a/include/linux/pid.h~proc-readdir-race-fix-take-3 +++ a/include/linux/pid.h @@ -89,6 +89,7 @@ extern struct pid *FASTCALL(find_pid(int * Lookup a PID in the hash table, and return with it's count elevated. */ extern struct pid *find_get_pid(int nr); +extern struct pid *find_ge_pid(int nr); extern struct pid *alloc_pid(void); extern void FASTCALL(free_pid(struct pid *pid)); diff -puN include/linux/sched.h~proc-readdir-race-fix-take-3 include/linux/sched.h --- a/include/linux/sched.h~proc-readdir-race-fix-take-3 +++ a/include/linux/sched.h @@ -1377,6 +1377,17 @@ extern void wait_task_inactive(struct ta /* de_thread depends on thread_group_leader not being a pid based check */ #define thread_group_leader(p) (p == p->group_leader) +/* Do to the insanities of de_thread it is possible for a process + * to have the pid of the thread group leader without actually being + * the thread group leader. For iteration through the pids in proc + * all we care about is that we have a task with the appropriate + * pid, we don't actually care if we have the right task. + */ +static inline int has_group_leader_pid(struct task_struct *p) +{ + return p->pid == p->tgid; +} + static inline struct task_struct *next_thread(const struct task_struct *p) { return list_entry(rcu_dereference(p->thread_group.next), diff -puN kernel/pid.c~proc-readdir-race-fix-take-3 kernel/pid.c --- a/kernel/pid.c~proc-readdir-race-fix-take-3 +++ a/kernel/pid.c @@ -149,6 +149,23 @@ static int alloc_pidmap(struct pspace *p return -1; } +static int next_pidmap(int last) +{ + int offset; + pidmap_t *map; + + offset = (last + 1) & BITS_PER_PAGE_MASK; + map = &pidmap_array[(last + 1)/BITS_PER_PAGE]; + for (; map < &pidmap_array[PIDMAP_ENTRIES]; map++, offset = 0) { + if (unlikely(!map->page)) + continue; + offset = find_next_bit((map)->page, BITS_PER_PAGE, offset); + if (offset < BITS_PER_PAGE) + return mk_pid(map, offset); + } + return -1; +} + fastcall void put_pid(struct pid *pid) { if (!pid) @@ -310,6 +327,25 @@ struct pid *find_get_pid(pid_t nr) EXPORT_SYMBOL_GPL(find_get_pid); /* + * Used by proc to find the first pid that is greater then or equal to nr. + * + * If there is a pid at nr this function is exactly the same as find_pid. + */ +struct pid *find_ge_pid(int nr) +{ + struct pid *pid; + + do { + pid = find_pid(nr); + if (pid) + break; + nr = next_pidmap(nr); + } while (nr > 0); + + return pid; +} + +/* * The pid hash table is scaled according to the amount of memory in the * machine. From a minimum of 16 slots up to 4096 slots at one gigabyte or * more. _ Patches currently in -mm which might be from ebiederm@xxxxxxxxxxxx are megaraid-use-the-proper-type-to-hold-the-irq-number.patch x86-put-note-sections-into-a-pt_note-segment-in-vmlinux.patch msi-use-kmem_cache_zalloc.patch sysctl-allow-proc-sys-without-sys_sysctl.patch sysctl-allow-proc-sys-without-sys_sysctl-fix.patch sysctl-document-that-sys_sysctl-will-be-removed.patch pid-implement-transfer_pid-and-use-it-to-simplify-de_thread.patch pid-remove-temporary-debug-code-in-attach_pid.patch de_thread-use-tsk-not-current.patch fix-conflict-with-the-is_init-identifier-on-parisc.patch pidspace-is_init.patch simplify-update_times-avoid-jiffies-jiffies_64-aliasing-problem-2.patch kexec-warning-fix.patch kill-extraneous-printk-in-kernel_restart.patch fix-mem_write-return-value.patch kcore-elf-note-namesz-field-fix.patch stack-overflow-safe-kdump-safe_smp_processor_id.patch stack-overflow-safe-kdump-safe_smp_processor_id_voyager.patch stack-overflow-safe-kdump-crash_use_safe_smp_processor_id.patch stack-overflow-safe-kdump-crash_use_safe_smp_processor_id-fix.patch stack-overflow-safe-kdump-safe_smp_send_nmi_allbutself.patch proc-reorder-the-functions-in-basec.patch proc-modify-proc_pident_lookup-to-be-completely-table-driven.patch proc-give-the-root-directory-a-task.patch pid-implement-access-helpers-for-a-tacks-various-process-groups.patch pid-add-do_each_pid_task.patch pid-implement-signal-functions-that-take-a-struct-pid.patch pid-export-the-symbols-needed-to-use-struct-pid.patch pid-implement-pid_nr.patch vt-update-spawnpid-to-be-a-struct-pid_t.patch vt-update-spawnpid-to-be-a-struct-pid_t-tidy.patch file-modify-struct-fown_struct-to-use-a-struct-pid.patch file-modify-struct-fown_struct-to-use-a-struct-pid-fix.patch pids-coding-style-use-struct-pidmap.patch simplify-pid-iterators.patch move-pidmap-to-pspaceh.patch move-pidmap-to-pspaceh-fix.patch define-struct-pspace.patch proc-readdir-race-fix-take-3.patch proc-sysctl-add-_proc_do_string-helper.patch namespaces-add-nsproxy.patch namespaces-add-nsproxy-move-init_nsproxy-into-kernel-nsproxyc.patch namespaces-incorporate-fs-namespace-into-nsproxy.patch namespaces-utsname-introduce-temporary-helpers.patch namespaces-utsname-switch-to-using-uts-namespaces.patch namespaces-utsname-use-init_utsname-when-appropriate.patch namespaces-utsname-implement-utsname-namespaces.patch namespaces-utsname-sysctl-hack.patch namespaces-utsname-remove-system_utsname.patch namespaces-utsname-implement-clone_newuts-flag.patch uts-copy-nsproxy-only-when-needed.patch namespaces-utsname-switch-to-using-uts-namespaces-klibc-bit.patch namespaces-utsname-use-init_utsname-when-appropriate-klibc-bit.patch namespaces-utsname-switch-to-using-uts-namespaces-klibc-bit-2.patch ipc-namespace-core.patch ipc-namespace-utils.patch genirq-irq-convert-the-move_irq-flag-from-a-32bit-word-to-a-single-bit.patch genirq-irq-add-moved_masked_irq.patch genirq-x86_64-irq-reenable-migrating-irqs-to-other-cpus.patch genirq-msi-simplify-msi-enable-and-disable.patch genirq-msi-make-the-msi-boolean-tests-return-either-0-or-1.patch genirq-msi-implement-helper-functions-read_msi_msg-and-write_msi_msg.patch genirq-msi-refactor-the-msi_ops.patch genirq-msi-simplify-the-msi-irq-limit-policy.patch genirq-irq-add-a-dynamic-irq-creation-api.patch genirq-ia64-irq-dynamic-irq-support.patch genirq-i386-irq-dynamic-irq-support.patch genirq-x86_64-irq-dynamic-irq-support.patch genirq-msi-make-the-msi-code-irq-based-and-not-vector-based.patch genirq-x86_64-irq-move-msi-message-composition-into-io_apicc.patch genirq-i386-irq-move-msi-message-composition-into-io_apicc.patch genirq-msi-only-build-msi-apicc-on-ia64.patch genirq-msi-only-build-msi-apicc-on-ia64-fix.patch genirq-x86_64-irq-remove-the-msi-assumption-that-irq-==-vector.patch genirq-i386-irq-remove-the-msi-assumption-that-irq-==-vector.patch genirq-irq-remove-msi-hacks.patch genirq-irq-generalize-the-check-for-hardirq_bits.patch genirq-x86_64-irq-make-the-external-irq-handlers-report-their-vector-not-the-irq-number.patch genirq-x86_64-irq-make-vector_irq-per-cpu.patch genirq-x86_64-irq-make-vector_irq-per-cpu-fix.patch genirq-x86_64-irq-make-vector_irq-per-cpu-warning-fix.patch genirq-x86_64-irq-kill-gsi_irq_sharing.patch genirq-x86_64-irq-kill-irq-compression.patch add-hypertransport-capability-defines.patch add-hypertransport-capability-defines-fix.patch initial-generic-hypertransport-interrupt-support.patch initial-generic-hypertransport-interrupt-support-Kconfig-fix.patch pidhash-temporary-debug-checks.patch - To unsubscribe from this list: send the line "unsubscribe mm-commits" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html