Re: RT scheduling and a way to make a process hang, unkillable

From: Corey Hickey
Date: Mon Feb 16 2009 - 14:18:57 EST


Dhaval Giani wrote:
> And it continues on! Please try this version.
>
> sched: Don't allow setuid to succeed if the user does not have rt bandwidth
>
> Corey Hickey reported that on using setuid to change the uid of an
> rt process, the process would be unkillable and not be running.
> This is because there was no rt runtime for that user group. Add
> in a check to see if a user can attach an rt task to its task group.
>
> Disclaimer: Not sure about the return values, and if setuid allows
> return values other than EPERM and EAGAIN.
>
> Changes from v3:
> 1. Actually fix the leak.
>
> Changes from v2:
> 1. Patch compiles for CONFIG_CGROUP_SCHED as well
> 2. Fix two memory leaks.
>
> Changes from v1:
> 1. Peter suggested that rt_task_can_change_user should be renamed to
> task_can_change_user
> 2. Changed sched_rt_can_attach to boolean.
>
> Signed-off-by: Dhaval Giani <dhaval@xxxxxxxxxxxxxxxxxx>

Thank you, Peter and Dhaval, for looking at this. I appreciate your work.

I tested patch v4 on 2.6.29-rc5, and I get frequent kernel BUG messages.
Should I be testing your patch on a different source tree? The patch
applied to rc5 ok but with lots of offsets.

I attached the full dmesg log, and here's a sample of one of the messages:

------------------------------------------------------------------------
BUG: unable to handle kernel NULL pointer dereference at 00000034
IP: [<c011d642>] task_can_switch_user+0xe/0x28
*pde = 00000000
Oops: 0000 [#1]
last sysfs file: /sys/devices/virtual/net/lo/address
Modules linked in:

Pid: 1058, comm: vol_id Not tainted (2.6.29-rc5-fix1 #1) Satellite 5105
EIP: 0060:[<c011d642>] EFLAGS: 00010202 CPU: 0
EIP is at task_can_switch_user+0xe/0x28
EAX: 00000000 EBX: dfbe6ae0 ECX: 0000fffe EDX: c039a4a0
ESI: 00000000 EDI: 0000fffe EBP: dfbc7f88 ESP: dfbc7f80
DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
Process vol_id (pid: 1058, ti=dfbc6000 task=dfbe6ae0 task.ti=dfbc6000)
Stack:
fffffff4 df9a5e80 dfbc7f98 c0120c0a fffffff4 df9a5e80 dfbc7fb0 c0120da8
df9a5180 0000fffe 00000003 bff8dec1 dfbc6000 c0102b45 0000fffe b8050ff4
00000000 00000003 bff8dec1 bff8c918 000000d5 0000007b 0000007b c0100000
Call Trace:
[<c0120c0a>] ? set_user+0x15/0x78
[<c0120da8>] ? sys_setuid+0x4d/0x9d
[<c0102b45>] ? sysenter_do_call+0x12/0x25
Code: f2 a1 90 b9 3f c0 e8 58 69 03 00 eb 02 53 9d b8 14 a9 39 c0 e8 fb
49 1b 00 5b 5e 5d c3 55 89 e5 56 53 89 d3 e8 3d fc ff ff 89 c6 <8b> 40
34 89 da e8 4b 22 ff ff 89 c3 89 f0 e8 04 ff ff ff 89 d8
EIP: [<c011d642>] task_can_switch_user+0xe/0x28 SS:ESP 0068:dfbc7f80
---[ end trace 3e1918a81c708690 ]---

Thank you,
Corey

Attachment: dmesg.log.gz
Description: application/gzip
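Added example, not part of the original e-mail thread or of the patch under discussion: a small decoder that reads the faulting instruction out of the oops above and checks it against the reported fault address. The oops is from a 32-bit x86 kernel (EIP/EAX registers, a 32-bit fault address), and the Code: line marks the byte EIP pointed at with <..>. The bytes below are copied from that Code: line and the register values from the EAX..EDI dump; everything else is ordinary x86 ModRM decoding. The decoder handles "8b /r" (MOV r32, r/m32) memory forms with a disp8 or disp32 and no SIB byte, which goes a little beyond the one instruction in this oops; the second call in main() uses a constructed byte string to show that. Which structure is being read at offset 0x34 is not recoverable from the oops alone, so the code does not name one.

```c
/*
 * Added example (not from the original thread or patch): decode the marked
 * instruction in the oops Code: line and compute its effective address
 * from the register dump, to confirm what was dereferenced.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Code: line from the oops, joined onto one line (copied from the report). */
static const char OOPS_CODE[] =
    "f2 a1 90 b9 3f c0 e8 58 69 03 00 eb 02 53 9d b8 14 a9 39 c0 e8 fb "
    "49 1b 00 5b 5e 5d c3 55 89 e5 56 53 89 d3 e8 3d fc ff ff 89 c6 <8b> 40 "
    "34 89 da e8 4b 22 ff ff 89 c3 89 f0 e8 04 ff ff ff 89 d8";

/* Register file in ModRM numbering, values copied from the oops:
 * eax, ecx, edx, ebx, esp, ebp, esi, edi. */
static const uint32_t OOPS_REGS[8] = {
    0x00000000, 0x0000fffe, 0xc039a4a0, 0xdfbe6ae0,
    0xdfbc7f80, 0xdfbc7f88, 0x00000000, 0x0000fffe
};
static const char *REG32[8] = {"eax","ecx","edx","ebx","esp","ebp","esi","edi"};

struct mem_mov {
    int dst;      /* destination register (ModRM reg field) */
    int base;     /* base register (ModRM rm field), -1 for absolute [disp32] */
    int32_t disp; /* signed displacement */
    size_t len;   /* instruction length in bytes */
};

/* Parse "xx xx <xx> xx" into bytes. Returns the byte count (0 if malformed)
 * and sets *fault_idx to the index of the <..>-marked byte. */
size_t parse_code_line(const char *s, uint8_t *out, size_t max, size_t *fault_idx)
{
    size_t n = 0;
    *fault_idx = (size_t)-1;
    while (*s && n < max) {
        while (*s == ' ') s++;
        if (!*s) break;
        int marked = (*s == '<');
        if (marked) s++;
        char *end;
        unsigned long v = strtoul(s, &end, 16);
        if (end - s != 2 || v > 0xff) return 0;   /* expect exactly two hex digits */
        s = end;
        if (marked) { if (*s != '>') return 0; s++; *fault_idx = n; }
        out[n++] = (uint8_t)v;
    }
    return n;
}

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode "8b /r" (MOV r32, r/m32) with a memory operand and no SIB byte.
 * Returns 0 on success, -1 if the bytes are not such an instruction. */
int decode_mov_load(const uint8_t *p, size_t avail, struct mem_mov *m)
{
    if (avail < 2 || p[0] != 0x8b) return -1;
    uint8_t mod = p[1] >> 6, reg = (p[1] >> 3) & 7, rm = p[1] & 7;
    if (mod == 3 || rm == 4) return -1;        /* register operand or SIB: not handled */
    m->dst = reg; m->base = rm; m->disp = 0; m->len = 2;
    if (mod == 0 && rm == 5) {                 /* mov reg, [disp32] */
        if (avail < 6) return -1;
        m->base = -1; m->disp = (int32_t)le32(p + 2); m->len = 6;
    } else if (mod == 1) {                     /* mov reg, [base + disp8] */
        if (avail < 3) return -1;
        m->disp = (int8_t)p[2]; m->len = 3;
    } else if (mod == 2) {                     /* mov reg, [base + disp32] */
        if (avail < 6) return -1;
        m->disp = (int32_t)le32(p + 2); m->len = 6;
    }
    return 0;
}

/* Effective address of the memory operand given the dumped registers. */
uint32_t effective_address(const struct mem_mov *m, const uint32_t regs[8])
{
    uint32_t base = m->base < 0 ? 0 : regs[m->base];
    return base + (uint32_t)m->disp;
}

/* Decode the marked instruction of a Code: line; returns its effective
 * address, or 0xffffffff if it cannot be parsed or decoded. */
uint32_t oops_fault_address(const char *code_line, const uint32_t regs[8], struct mem_mov *m)
{
    uint8_t buf[128]; size_t fault;
    size_t n = parse_code_line(code_line, buf, sizeof buf, &fault);
    if (n == 0 || fault >= n) return 0xffffffffu;
    if (decode_mov_load(buf + fault, n - fault, m) != 0) return 0xffffffffu;
    return effective_address(m, regs);
}

int main(void)
{
    struct mem_mov m;
    uint32_t ea = oops_fault_address(OOPS_CODE, OOPS_REGS, &m);
    if (ea == 0xffffffffu) { fprintf(stderr, "could not decode marked instruction\n"); return 1; }
    printf("faulting insn: mov 0x%x(%%%s),%%%s -> effective address 0x%08x (%s)\n",
           (unsigned)m.disp, m.base < 0 ? "abs" : REG32[m.base], REG32[m.dst], ea,
           ea == 0x34 ? "matches the reported 00000034" : "does not match the report");
    /* Constructed bytes, not from the oops: mov eax,[ebx+0x10] with disp32. */
    uint32_t ea2 = oops_fault_address("<8b> 83 10 00 00 00", OOPS_REGS, &m);
    printf("constructed insn: mov 0x%x(%%%s),%%%s -> 0x%08x\n",
           (unsigned)m.disp, REG32[m.base], REG32[m.dst], ea2);
    return ea == 0x34 ? 0 : 1;
}
```

Run as-is it reports that the marked bytes 8b 40 34 are mov 0x34(%eax),%eax, and with EAX=00000000 from the register dump the load hits address 0x34, which is the fault address the oops prints; that is what "NULL pointer dereference at 00000034" in task_can_switch_user+0xe means here. Which field sits at offset 0x34 cannot be read off the oops, so pairing this with the source of task_can_switch_user as patched is the next step.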