sst-linux/include/linux/sched
Shakeel Butt 28e51dd4f2 cgroup: fix race between fork and cgroup.kill
commit b69bb476dee99d564d65d418e9a20acca6f32c3f upstream.

Tejun reported the following race between fork() and cgroup.kill at [1].

Tejun:
  I was looking at cgroup.kill implementation and wondering whether there
  could be a race window. So, __cgroup_kill() does the following:

   k1. Set CGRP_KILL.
   k2. Iterate tasks and deliver SIGKILL.
   k3. Clear CGRP_KILL.

  The copy_process() does the following:

   c1. Copy a bunch of stuff.
   c2. Grab siglock.
   c3. Check fatal_signal_pending().
   c4. Commit to forking.
   c5. Release siglock.
   c6. Call cgroup_post_fork() which puts the task on the css_set and tests
       CGRP_KILL.

  The intention seems to be that either a forking task gets SIGKILL and
  terminates on c3 or it sees CGRP_KILL on c6 and kills the child. However, I
  don't see what guarantees that k3 can't happen before c6. ie. After a
  forking task passes c5, k2 can take place and then before the forking task
  reaches c6, k3 can happen. Then, nobody would send SIGKILL to the child.
  What am I missing?

This is indeed a race. One way to fix this race is by taking
cgroup_threadgroup_rwsem in write mode in __cgroup_kill() as the fork()
side takes cgroup_threadgroup_rwsem in read mode from cgroup_can_fork()
to cgroup_post_fork(). However that would be heavy handed as this adds
one more potential stall scenario for cgroup.kill which is usually
called under extreme situation like memory pressure.

To fix this race, let's maintain a sequence number per cgroup which gets
incremented on __cgroup_kill() call. On the fork() side, the
cgroup_can_fork() will cache the sequence number locally and recheck it
against the cgroup's sequence number at cgroup_post_fork() site. If the
sequence numbers mismatch, it means __cgroup_kill() can been called and
we should send SIGKILL to the newly created task.

Reported-by: Tejun Heo <tj@kernel.org>
Closes: https://lore.kernel.org/all/Z5QHE2Qn-QZ6M-KW@slm.duckdns.org/ [1]
Fixes: 661ee62809 ("cgroup: introduce cgroup.kill")
Cc: stable@vger.kernel.org # v5.14+
Signed-off-by: Shakeel Butt <shakeel.butt@linux.dev>
Reviewed-by: Michal Koutný <mkoutny@suse.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-02-21 13:50:04 +01:00
..
affinity.h sched/headers: Add initial new headers as identity mappings 2022-02-23 10:58:28 +01:00
autogroup.h
clock.h
cond_resched.h
coredump.h mm: delete unused MMF_OOM_VICTIM flag 2022-09-26 19:46:27 -07:00
cpufreq.h sched/cpufreq: Consider reduced CPU capacity in energy calculation 2021-06-17 14:11:43 +02:00
cputime.h
deadline.h
debug.h sched: Change task_struct::state 2021-06-18 11:43:09 +02:00
hotplug.h sched/hotplug: Consolidate task migration on CPU unplug 2020-11-10 18:38:58 +01:00
idle.h
init.h
isolation.h sched/isolation: Use single feature type while referring to housekeeping cpumask 2022-02-16 15:57:55 +01:00
jobctl.h
loadavg.h sched: nohz: stop passing around unused "ticks" parameter. 2020-07-22 10:22:04 +02:00
mm.h
nohz.h
numa_balancing.h
posix-timers.h
prio.h
rseq_api.h sched/headers: Add initial new headers as identity mappings 2022-02-23 10:58:28 +01:00
rt.h
sd_flags.h sched/core: Introduce SD_ASYM_CPUCAPACITY_FULL sched_domain flag 2021-06-24 09:07:50 +02:00
signal.h posix-timers: Ensure timer ID search-loop limit is valid 2024-08-29 17:30:17 +02:00
smt.h
stat.h
sysctl.h memory tiering: rate limit NUMA migration throughput 2022-09-11 20:25:54 -07:00
task_flags.h
task_stack.h
task.h
thread_info_api.h sched/headers: Add initial new headers as identity mappings 2022-02-23 10:58:28 +01:00
topology.h
types.h
user.h KVM: s390: pci: provide routines for enabling/disabling interrupt forwarding 2022-07-11 09:54:32 +02:00
wake_q.h
xacct.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00