From 343f4c49f2438d8920f1f76fa823ee59b91f02e4 Mon Sep 17 00:00:00 2001 From: "Eric W. Biederman" Date: Mon, 11 Apr 2022 11:40:14 -0500 Subject: kthread: Don't allocate kthread_struct for init and umh MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If kthread_is_per_cpu runs concurrently with free_kthread_struct the kthread_struct that was just freed may be read from. This bug was introduced by commit 40966e316f86 ("kthread: Ensure struct kthread is present for all kthreads"). When kthread_struct started to be allocated for all tasks that have PF_KTHREAD set. This in turn required the kthread_struct to be freed in kernel_execve and violated the assumption that kthread_struct will have the same lifetime as the task. Looking a bit deeper this only applies to callers of kernel_execve which is just the init process and the user mode helper processes. These processes really don't want to be kernel threads but are for historical reasons. Mostly that copy_thread does not know how to take a kernel mode function to the process with for processes without PF_KTHREAD or PF_IO_WORKER set. Solve this by not allocating kthread_struct for the init process and the user mode helper processes. This is done by adding a kthread member to struct kernel_clone_args. Setting kthread in fork_idle and kernel_thread. Adding user_mode_thread that works like kernel_thread except it does not set kthread. In fork only allocating the kthread_struct if .kthread is set. I have looked at kernel/kthread.c and since commit 40966e316f86 ("kthread: Ensure struct kthread is present for all kthreads") there have been no assumptions added that to_kthread or __to_kthread will not return NULL. There are a few callers of to_kthread or __to_kthread that assume a non-NULL struct kthread pointer will be returned. These functions are kthread_data(), kthread_parmme(), kthread_exit(), kthread(), kthread_park(), kthread_unpark(), kthread_stop(). All of those functions can reasonably expected to be called when it is know that a task is a kthread so that assumption seems reasonable. Cc: stable@vger.kernel.org Fixes: 40966e316f86 ("kthread: Ensure struct kthread is present for all kthreads") Reported-by: Максим Кутявин Link: https://lkml.kernel.org/r/20220506141512.516114-1-ebiederm@xmission.com Signed-off-by: "Eric W. Biederman" --- init/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'init') diff --git a/init/main.c b/init/main.c index 98182c3c2c4b..39baac0211c6 100644 --- a/init/main.c +++ b/init/main.c @@ -688,7 +688,7 @@ noinline void __ref rest_init(void) * the init task will end up wanting to create kthreads, which, if * we schedule it before we create kthreadd, will OOPS. */ - pid = kernel_thread(kernel_init, NULL, CLONE_FS); + pid = user_mode_thread(kernel_init, NULL, CLONE_FS); /* * Pin init on the boot CPU. Task migration is not properly working * until sched_init_smp() has been run. It will set the allowed -- cgit v1.2.3 From 68d85f0a33b0cbfe4921485160ff75ea7a081215 Mon Sep 17 00:00:00 2001 From: "Eric W. Biederman" Date: Mon, 11 Apr 2022 09:58:26 -0500 Subject: init: Deal with the init process being a user mode process It is silly for user_mode_thread to leave PF_KTHREAD set on the resulting task. Update the init process so that it does not care if PF_KTHREAD is set or not. Ensure do_populate_rootfs flushes all delayed fput work by calling task_work_run. In the rare instance that async_schedule_domain calls do_populate_rootfs synchronously it is possible do_populate_rootfs will be called directly from the init process. At which point fput will call "task_work_add(current, ..., TWA_RESUME)". The files on the initramfs need to be completely put before we attempt to exec them (which is before the code enters userspace). So call task_work_run just in case there are any pending fput operations. Link: https://lkml.kernel.org/r/20220506141512.516114-5-ebiederm@xmission.com Signed-off-by: "Eric W. Biederman" --- init/initramfs.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'init') diff --git a/init/initramfs.c b/init/initramfs.c index 2f3d96dc3db6..41e7857d510d 100644 --- a/init/initramfs.c +++ b/init/initramfs.c @@ -15,6 +15,7 @@ #include #include #include +#include #include static ssize_t __init xwrite(struct file *file, const char *p, size_t count, @@ -703,6 +704,7 @@ done: initrd_end = 0; flush_delayed_fput(); + task_work_run(); } static ASYNC_DOMAIN_EXCLUSIVE(initramfs_domain); -- cgit v1.2.3