https://github.com/torvalds/linux
Revision 4c5640cb5f5a6fd780d99397eca028b575cb1206 authored by David Meybohm on 22 August 2005, 20:11:08 UTC, committed by Linus Torvalds on 23 August 2005, 18:44:29 UTC
With CONFIG_PREEMPT && !CONFIG_SMP, it's possible for sys_getppid to
return a bogus value if the parent's task_struct gets reallocated after
current->group_leader->real_parent is read:
asmlinkage long sys_getppid(void)
{
int pid;
struct task_struct *me = current;
struct task_struct *parent;
parent = me->group_leader->real_parent;
RACE HERE => for (;;) {
pid = parent->tgid;
#ifdef CONFIG_SMP
{
struct task_struct *old = parent;
/*
* Make sure we read the pid before re-reading the
* parent pointer:
*/
smp_rmb();
parent = me->group_leader->real_parent;
if (old != parent)
continue;
}
#endif
break;
}
return pid;
}
If the process gets preempted at the indicated point, the parent process
can go ahead and call exit() and then get wait()'d on to reap its
task_struct. When the preempted process gets resumed, it will not do any
further checks of the parent pointer on !CONFIG_SMP: it will read the
bad pid and return.
So, the same algorithm used when SMP is enabled should be used when
preempt is enabled, which will recheck ->real_parent in this case.
Signed-off-by: David Meybohm <dmeybohmlkml@bellsouth.net>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
1 parent 3f024c1
Tip revision: 4c5640cb5f5a6fd780d99397eca028b575cb1206 authored by David Meybohm on 22 August 2005, 20:11:08 UTC
[PATCH] preempt race in getppid
[PATCH] preempt race in getppid
Tip revision: 4c5640c
nfsctl.c
/*
* fs/nfsctl.c
*
* This should eventually move to userland.
*
*/
#include <linux/config.h>
#include <linux/file.h>
#include <linux/fs.h>
#include <linux/sunrpc/svc.h>
#include <linux/nfsd/nfsd.h>
#include <linux/nfsd/syscall.h>
#include <linux/linkage.h>
#include <linux/namei.h>
#include <linux/mount.h>
#include <linux/syscalls.h>
#include <asm/uaccess.h>
/*
* open a file on nfsd fs
*/
static struct file *do_open(char *name, int flags)
{
struct nameidata nd;
int error;
nd.mnt = do_kern_mount("nfsd", 0, "nfsd", NULL);
if (IS_ERR(nd.mnt))
return (struct file *)nd.mnt;
nd.dentry = dget(nd.mnt->mnt_root);
nd.last_type = LAST_ROOT;
nd.flags = 0;
nd.depth = 0;
error = path_walk(name, &nd);
if (error)
return ERR_PTR(error);
if (flags == O_RDWR)
error = may_open(&nd,MAY_READ|MAY_WRITE,FMODE_READ|FMODE_WRITE);
else
error = may_open(&nd, MAY_WRITE, FMODE_WRITE);
if (!error)
return dentry_open(nd.dentry, nd.mnt, flags);
path_release(&nd);
return ERR_PTR(error);
}
static struct {
char *name; int wsize; int rsize;
} map[] = {
[NFSCTL_SVC] = {
.name = ".svc",
.wsize = sizeof(struct nfsctl_svc)
},
[NFSCTL_ADDCLIENT] = {
.name = ".add",
.wsize = sizeof(struct nfsctl_client)
},
[NFSCTL_DELCLIENT] = {
.name = ".del",
.wsize = sizeof(struct nfsctl_client)
},
[NFSCTL_EXPORT] = {
.name = ".export",
.wsize = sizeof(struct nfsctl_export)
},
[NFSCTL_UNEXPORT] = {
.name = ".unexport",
.wsize = sizeof(struct nfsctl_export)
},
[NFSCTL_GETFD] = {
.name = ".getfd",
.wsize = sizeof(struct nfsctl_fdparm),
.rsize = NFS_FHSIZE
},
[NFSCTL_GETFS] = {
.name = ".getfs",
.wsize = sizeof(struct nfsctl_fsparm),
.rsize = sizeof(struct knfsd_fh)
},
};
long
asmlinkage sys_nfsservctl(int cmd, struct nfsctl_arg __user *arg, void __user *res)
{
struct file *file;
void __user *p = &arg->u;
int version;
int err;
if (copy_from_user(&version, &arg->ca_version, sizeof(int)))
return -EFAULT;
if (version != NFSCTL_VERSION) {
printk(KERN_WARNING "nfsd: incompatible version in syscall.\n");
return -EINVAL;
}
if (cmd < 0 || cmd >= sizeof(map)/sizeof(map[0]) || !map[cmd].name)
return -EINVAL;
file = do_open(map[cmd].name, map[cmd].rsize ? O_RDWR : O_WRONLY);
if (IS_ERR(file))
return PTR_ERR(file);
err = file->f_op->write(file, p, map[cmd].wsize, &file->f_pos);
if (err >= 0 && map[cmd].rsize)
err = file->f_op->read(file, res, map[cmd].rsize, &file->f_pos);
if (err >= 0)
err = 0;
fput(file);
return err;
}
Computing file changes ...
