Re: Thread flags modified without set_thread_flag() (non atomically)

From: Mathieu Desnoyers
Date: Mon Mar 05 2007 - 23:36:33 EST

Next message: Willy Tarreau: "Re: [ANNOUNCE] RSDL completely fair starvation free interactive cpu scheduler"
Previous message: David Miller: "Re: [RFC] Arp announce (for Xen)"
In reply to: Andrew Morton: "Re: Thread flags modified without set_thread_flag() (nonatomically)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Andi Kleen wrote:

It does seem risky. Perhaps it is a micro-optimisation which utilises
knowledge that this thread_struct cannot be looked up via any path in this
context.

Or perhaps it is a bug. Andi, can you please comment?

On flush_thread nobody else can mess with the thread, so yes it's a micro
optimization.

Hi Andi,

Here is what I think would be a counter example :

If, at the same time, we have, on x86_64 :

parent process executing :
sys_ptrace()
(lock_kernel())
(ptrace_get_task_struct(pid))
arch_ptrace()
ptrace_detach()
ptrace_disable(child);
clear_singlestep(child);
clear_tsk_thread_flag(child, TIF_SINGLESTEP);
(which clears the TIF_SINGLESTEP flag atomically from a different process)
(put_task_struct(child))
(unlock_kernel())

And at the same time, in the child process :
sys_execve()
do_execve()
search_binary_handler()
load_elf_binary()
flush_old_exec()
flush_thread()
doing a non-atomic thread flag update

Is there any protection mechanism that would protect from this race condition
that I have missed ?

And about this specific flush_thread, I am puzzled about the t->flags ^= (_TIF_ABI_PENDING | _TIF_IA32); line. The XOR will clearly flip the _TIF_ABI_PENDING bit to 0, and very likely set _TIF_IA32 to the opposite of its current value. Why does this change need to be written atomically (can other threads play with these flags ?) ?

Don't know.

iirc it came from DaveM originally. He just likes to write things in comp^wclever ways :0) It's just a little shorter.

No, I don't immediately see anything in the flush_old_exec() code path
which tells us that nobody else can look up this thread_info (or be holding
a ref to it) in this context.

Normally the process flags atomicity should only matter with signals;
i don't think you can send a signal to a process being in exec this way.

-Andi

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Willy Tarreau: "Re: [ANNOUNCE] RSDL completely fair starvation free interactive cpu scheduler"
Previous message: David Miller: "Re: [RFC] Arp announce (for Xen)"
In reply to: Andrew Morton: "Re: Thread flags modified without set_thread_flag() (nonatomically)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]