On Mon, Oct 07, 2019 at 09:31:16AM +0200, Dmitry Vyukov wrote:
> On Mon, Oct 7, 2019 at 1:52 AM Christian Brauner
> <christian.brau...@ubuntu.com> wrote:
> >
> > When assigning and testing taskstats in taskstats_exit() there's a race
> > when writing and reading sig->stats when a thread-group with more than
> > one thread exits:
> >
> > cpu0:
> > thread catches fatal signal and whole thread-group gets taken down
> > do_exit()
> > do_group_exit()
> > taskstats_exit()
> > taskstats_tgid_alloc()
> > The task reads sig->stats holding sighand lock seeing garbage.
> >
> > cpu1:
> > task calls exit_group()
> > do_exit()
> > do_group_exit()
> > taskstats_exit()
> > taskstats_tgid_alloc()
> > The task takes sighand lock and assigns new stats to sig->stats.
> >
> > Fix this by using READ_ONCE() and smp_store_release().
> >
> > Reported-by: syzbot+c5d03165a1bd1dead...@syzkaller.appspotmail.com
> > Cc: Dmitry Vyukov <dvyu...@google.com>
> > Signed-off-by: Christian Brauner <christian.brau...@ubuntu.com>
> > ---
> > /* v1 */
> > Link: https://lore.kernel.org/r/20191005112806.13960-1-christian.brau...@ubuntu.com
> >
> > /* v2 */
> > - Dmitry Vyukov <dvyu...@google.com>, Marco Elver <el...@google.com>:
> >   - fix the original double-checked locking using memory barriers
> > ---
> >  kernel/taskstats.c | 19 ++++++++++---------
> >  1 file changed, 10 insertions(+), 9 deletions(-)
>
> Reviewed-by: Dmitry Vyukov <dvyu...@google.com>
Applied to:
https://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux.git/log/?h=fixes

Should show up in linux-next tomorrow. Targeting v5.4-rc3. Cced stable.

Christian
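The double-checked publication of sig->stats that the commit message describes, as an added userspace model (not the kernel's taskstats.c code): C11 acquire/release atomics and a pthread mutex stand in for READ_ONCE()/smp_store_release() and sighand->siglock, and several threads play the members of an exiting thread-group. Names such as tgid_alloc and run_group_exit_model are this example's own.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdlib.h>

/* Minimal stand-ins for the kernel structures involved in the race. */
struct taskstats { int filled; };
struct signal_struct {
    pthread_mutex_t siglock;           /* models sighand->siglock */
    struct taskstats *_Atomic stats;   /* models sig->stats */
};

static atomic_int allocations;         /* how many times the slow path published */

/* Model of taskstats_tgid_alloc(): lock-free fast path, re-check under the lock. */
static struct taskstats *tgid_alloc(struct signal_struct *sig)
{
    /* Acquire load pairs with the release store below (READ_ONCE + smp_store_release). */
    struct taskstats *s = atomic_load_explicit(&sig->stats, memory_order_acquire);
    if (s)
        return s;
    struct taskstats *fresh = calloc(1, sizeof *fresh);
    fresh->filled = 1;                 /* fully initialise before publishing */
    pthread_mutex_lock(&sig->siglock);
    s = atomic_load_explicit(&sig->stats, memory_order_relaxed); /* re-check under lock */
    if (!s) {
        atomic_fetch_add(&allocations, 1);
        /* Release store: readers that see the pointer also see fresh->filled == 1. */
        atomic_store_explicit(&sig->stats, fresh, memory_order_release);
        s = fresh;
        fresh = NULL;
    }
    pthread_mutex_unlock(&sig->siglock);
    free(fresh);                       /* lost the race: drop our copy, like kfree(stats_new) */
    return s;
}

static void *exiting_thread(void *arg) { return tgid_alloc(arg); }

/* Run nthreads exiting threads against one signal_struct. Returns 0 when every
 * thread saw the same, initialised stats object and exactly one allocation won. */
int run_group_exit_model(int nthreads)
{
    struct signal_struct sig = { PTHREAD_MUTEX_INITIALIZER, NULL };
    pthread_t tid[64];
    void *seen[64];
    if (nthreads < 1 || nthreads > 64) return -1;
    atomic_store(&allocations, 0);
    for (int i = 0; i < nthreads; i++) pthread_create(&tid[i], NULL, exiting_thread, &sig);
    for (int i = 0; i < nthreads; i++) pthread_join(tid[i], &seen[i]);
    int ok = atomic_load(&allocations) == 1;
    for (int i = 0; i < nthreads; i++)
        ok = ok && seen[i] == sig.stats && ((struct taskstats *)seen[i])->filled == 1;
    free(sig.stats);
    return ok ? 0 : 1;
}
```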