Re: [PATCH v2 4.9 00/10] fix a race in release_task when flushing the dentry

From: Greg Kroah-Hartman
Date: Thu Jan 07 2021 - 07:17:34 EST


On Thu, Jan 07, 2021 at 03:52:12PM +0800, Wen Yang wrote:
> The dentries such as /proc/<pid>/ns/ have the DCACHE_OP_DELETE flag, they
> should be deleted when the process exits.
>
> Suppose the following race appears:
>
> release_task                                    dput
>   -> proc_flush_task
>                                                   -> dentry->d_op->d_delete(dentry)
>   -> __exit_signal
>                                                   -> dentry->d_lockref.count-- and return.
>
> In the proc_flush_task(), if another process is using this dentry, it will
> not be deleted. At the same time, in dput(), d_op->d_delete() can be executed
> before __exit_signal(pid has not been hashed), d_delete returns false, so
> this dentry still cannot be deleted.
>
> This dentry will always be cached (although its count is 0 and the
> DCACHE_OP_DELETE flag is set), its parent dentry will also be cached too, and
> these dentries can only be deleted when drop_caches is manually triggered.
>
> This will result in wasted memory. What's more troublesome is that these
> dentries reference pid, according to the commit f333c700c610 ("pidns: Add a
> limit on the number of pid namespaces"), if the pid cannot be released, it
> may result in the inability to create a new pid_ns.
>
> This issue was introduced by 60347f6716aa ("pid namespaces: prepare
> proc_flust_task() to flush entries from multiple proc trees"), exposed by
> f333c700c610 ("pidns: Add a limit on the number of pid namespaces"), and then
> fixed by 7bc3e6e55acf ("proc: Use a list of inodes to flush from proc").

Why are you just submitting a series for 4.9 and 4.19, what about 4.14?
We can't have users move to a newer kernel and then experience old bugs,
right?

But the larger question is why are you backporting a whole new feature
here? Why is CLONE_PIDFD needed? That feels really wrong...

thanks,

greg k-h