PRIO_PGRP needs the tasklist_lock mainly to serialize vs setpgid(2),
to protect against any concurrent change_pid(PIDTYPE_PGID) that
can move the task from one hlist to another while iterating.

However, the remaining can only rely only on RCU:

PRIO_PROCESS only does the task lookup and never iterates over
tasklist and we already have an rcu-aware stable pointer.

PRIO_USER is already racy vs setuid(2) so with creds being rcu
protected, we can end up seeing stale data. When removing the
tasklist_lock there can be a race with (i) fork but this is benign
as the child's nice is inherited and the new task is not observable
by the user yet either, hence the return semantics do not differ.
And (ii) a race with exit, which is a small window and can cause
us to miss a task which was removed from the list and it had the
highest nice.

Similarly change the buggy do_each_thread/while_each_thread combo
in PRIO_USER for the rcu-safe for_each_process_thread flavor,
which doesn't make use of next_thread/p->thread_group.

Suggested-by: Oleg Nesterov <o...@redhat.com>
Signed-off-by: Davidlohr Bueso <dbu...@suse.de>
---
 kernel/sys.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/kernel/sys.c b/kernel/sys.c
index ca11af9d815d..4d4f17c01a4f 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -214,7 +214,6 @@ SYSCALL_DEFINE3(setpriority, int, which, int, who, int, 
niceval)
                niceval = MAX_NICE;
 
        rcu_read_lock();
-       read_lock(&tasklist_lock);
        switch (which) {
        case PRIO_PROCESS:
                if (who)
@@ -229,9 +228,11 @@ SYSCALL_DEFINE3(setpriority, int, which, int, who, int, 
niceval)
                        pgrp = find_vpid(who);
                else
                        pgrp = task_pgrp(current);
+               read_lock(&tasklist_lock);
                do_each_pid_thread(pgrp, PIDTYPE_PGID, p) {
                        error = set_one_prio(p, niceval, error);
                } while_each_pid_thread(pgrp, PIDTYPE_PGID, p);
+               read_unlock(&tasklist_lock);
                break;
        case PRIO_USER:
                uid = make_kuid(cred->user_ns, who);
@@ -243,16 +244,15 @@ SYSCALL_DEFINE3(setpriority, int, which, int, who, int, 
niceval)
                        if (!user)
                                goto out_unlock;        /* No processes for 
this user */
                }
-               do_each_thread(g, p) {
+               for_each_process_thread(g, p) {
                        if (uid_eq(task_uid(p), uid) && task_pid_vnr(p))
                                error = set_one_prio(p, niceval, error);
-               } while_each_thread(g, p);
+               }
                if (!uid_eq(uid, cred->uid))
                        free_uid(user);         /* For find_user() */
                break;
        }
 out_unlock:
-       read_unlock(&tasklist_lock);
        rcu_read_unlock();
 out:
        return error;
@@ -277,7 +277,6 @@ SYSCALL_DEFINE2(getpriority, int, which, int, who)
                return -EINVAL;
 
        rcu_read_lock();
-       read_lock(&tasklist_lock);
        switch (which) {
        case PRIO_PROCESS:
                if (who)
@@ -295,11 +294,13 @@ SYSCALL_DEFINE2(getpriority, int, which, int, who)
                        pgrp = find_vpid(who);
                else
                        pgrp = task_pgrp(current);
+               read_lock(&tasklist_lock);
                do_each_pid_thread(pgrp, PIDTYPE_PGID, p) {
                        niceval = nice_to_rlimit(task_nice(p));
                        if (niceval > retval)
                                retval = niceval;
                } while_each_pid_thread(pgrp, PIDTYPE_PGID, p);
+               read_unlock(&tasklist_lock);
                break;
        case PRIO_USER:
                uid = make_kuid(cred->user_ns, who);
@@ -311,19 +312,18 @@ SYSCALL_DEFINE2(getpriority, int, which, int, who)
                        if (!user)
                                goto out_unlock;        /* No processes for 
this user */
                }
-               do_each_thread(g, p) {
+               for_each_process_thread(g, p) {
                        if (uid_eq(task_uid(p), uid) && task_pid_vnr(p)) {
                                niceval = nice_to_rlimit(task_nice(p));
                                if (niceval > retval)
                                        retval = niceval;
                        }
-               } while_each_thread(g, p);
+               }
                if (!uid_eq(uid, cred->uid))
                        free_uid(user);         /* for find_user() */
                break;
        }
 out_unlock:
-       read_unlock(&tasklist_lock);
        rcu_read_unlock();
 
        return retval;
-- 
2.26.2

Reply via email to