| Message ID | 20230713071713.5762-1-xuewen.yan@unisoc.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:a6b2:0:b0:3e4:2afc:c1 with SMTP id c18csp1655977vqm;
Thu, 13 Jul 2023 00:45:16 -0700 (PDT)
X-Google-Smtp-Source:
APBJJlESuOxw4OnWsABwXZndUNuWRdEUBWUqwtDNlFgq5dcvt5YHM3GA2Z1FRyXnRNajGmw2jxXy
X-Received: by 2002:aa7:d48f:0:b0:50b:c630:a956 with SMTP id
b15-20020aa7d48f000000b0050bc630a956mr1058188edr.17.1689234316504;
Thu, 13 Jul 2023 00:45:16 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1689234316; cv=none;
d=google.com; s=arc-20160816;
b=v8N0y/8JRsMOpIn/CBYvhk1GPKlMrTFK3EzxQ3te/XE5ySjHy8pbtutE0hsVIO122F
NbD1pUqxQ1aOSeyad82t6vJhojPaD+w2X6A97L35jaSe15iw/7fRt3lENkC96OxJDSkN
jrXeyXpMrdW0SsX6+Q4WoR2yXCrtuaN0gy2fa2JGsVS0x5Sq0cqcVpmQgWMVG62oLu0R
PPS3M9t6VvbmV3dj7MGW4lxX9UMJ5nijbYgJmhp8M1gjbjD3GGFZCDh0SMuLMy+m1/9+
Dfu1Qom/ArC88+9DujGbpO9rnF1iZHU49fMkLsCWbgh+cMWfgsq2QapyyVn4oRX0jgxf
GYMg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from;
bh=rClPgrZU548B6ztuTu3yfWH+AglLkkj35UunFFi8PBA=;
fh=3mjrIilZhNyhfIqzk92PZQjk8WgduZSOzStXutZeIQ4=;
b=Pq8uSXD92afyq7n1Jmh/oAOQ9/mw2veOluzONW+Ou7R6LnnEw+bp3v8pCRn1wsrR1V
q8Yay8kpUSSzU7KQ8rin7rcas3u4WsJZK8NYW5fnq4nVYwbIXjBvGhWwh7KuU6wKrY6q
lGnidE7Du0X8zipeP/LQS07fHRE7ysSDUBSX8gZ8qpA1QytP/uwWQdlLR11/sQbkEwJO
xqdOdo8Q3kt+9Xo7+g8UK/8PsEg4nl9EewpDFIZo53BWABYa9vs0DRvV43mxxGU2qpym
RRbN52sKepu+JwapGYqY4cS7aH6o8oBz4LqTrHgmzqYHpa0cyd5W66MHC3ihf+DOpGb0
2u9w==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
n5-20020a056402514500b0051db78fcbdbsi6617754edd.437.2023.07.13.00.44.51;
Thu, 13 Jul 2023 00:45:16 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S234199AbjGMHSc (ORCPT <rfc822;tebrre53rla2o@gmail.com>
+ 99 others); Thu, 13 Jul 2023 03:18:32 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42382 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S234195AbjGMHSb (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Thu, 13 Jul 2023 03:18:31 -0400
Received: from SHSQR01.spreadtrum.com (mx1.unisoc.com [222.66.158.135])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 55B62E75
for <linux-kernel@vger.kernel.org>;
Thu, 13 Jul 2023 00:18:28 -0700 (PDT)
Received: from dlp.unisoc.com ([10.29.3.86])
by SHSQR01.spreadtrum.com with ESMTP id 36D7HIYx035713;
Thu, 13 Jul 2023 15:17:18 +0800 (+08)
(envelope-from Xuewen.Yan@unisoc.com)
Received: from SHDLP.spreadtrum.com (bjmbx01.spreadtrum.com [10.0.64.7])
by dlp.unisoc.com (SkyGuard) with ESMTPS id 4R1m9p6Sg7z2MDcHl;
Thu, 13 Jul 2023 15:16:14 +0800 (CST)
Received: from BJ10918NBW01.spreadtrum.com (10.0.73.72) by
BJMBX01.spreadtrum.com (10.0.64.7) with Microsoft SMTP Server (TLS) id
15.0.1497.23; Thu, 13 Jul 2023 15:17:16 +0800
From: Xuewen Yan <xuewen.yan@unisoc.com>
To: <brauner@kernel.org>, <jack@suse.cz>, <keescook@chromium.org>,
<peterz@infradead.org>, <vincent.guittot@linaro.org>
CC: <linux-kernel@vger.kernel.org>, <xuewen.yan@unisoc.com>,
<di.shen@unisoc.com>
Subject: [PATCH] pid: Add the judgment of whether ns is NULL in the
find_pid_ns
Date: Thu, 13 Jul 2023 15:17:13 +0800
Message-ID: <20230713071713.5762-1-xuewen.yan@unisoc.com>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
Content-Transfer-Encoding: 7BIT
Content-Type: text/plain; charset=US-ASCII
X-Originating-IP: [10.0.73.72]
X-ClientProxiedBy: SHCAS01.spreadtrum.com (10.0.1.201) To
BJMBX01.spreadtrum.com (10.0.64.7)
X-MAIL: SHSQR01.spreadtrum.com 36D7HIYx035713
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,
RCVD_IN_DNSWL_BLOCKED,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE
autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1771290562460660622
X-GMAIL-MSGID: 1771290562460660622
|
| Series |
pid: Add the judgment of whether ns is NULL in the find_pid_ns
|
|
Commit Message
Xuewen Yan
July 13, 2023, 7:17 a.m. UTC
There is no the judgment of whether namspace is NULL in find_pid_ns.
But there is a corner case when ns is null, for example: if user
call find_get_pid when current is in exiting, the following stack would
set thread_id be null:
release_task
__exit_signal(p);
__unhash_process(tsk, group_dead);
detach_pid(p, PIDTYPE_PID);
__change_pid(task, type, NULL);
If user call find_get_pid at now, in find_vpid function, the
task_active_pid_ns would return NULL. As a result, it would be
error when access the ns in find_pid_ns.
So add the judgment of whether ns is NULL in the find_pid_ns to
prevent this case happen.
Signed-off-by: Xuewen Yan <xuewen.yan@unisoc.com>
---
kernel/pid.c | 3 +++
1 file changed, 3 insertions(+)
Comments
Dear all Is there any comment about this patch? Thanks! On Thu, Jul 13, 2023 at 3:58 PM Xuewen Yan <xuewen.yan@unisoc.com> wrote: > > There is no the judgment of whether namspace is NULL in find_pid_ns. > But there is a corner case when ns is null, for example: if user > call find_get_pid when current is in exiting, the following stack would > set thread_id be null: > release_task > __exit_signal(p); > __unhash_process(tsk, group_dead); > detach_pid(p, PIDTYPE_PID); > __change_pid(task, type, NULL); > > If user call find_get_pid at now, in find_vpid function, the > task_active_pid_ns would return NULL. As a result, it would be > error when access the ns in find_pid_ns. > > So add the judgment of whether ns is NULL in the find_pid_ns to > prevent this case happen. > > Signed-off-by: Xuewen Yan <xuewen.yan@unisoc.com> > --- > kernel/pid.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/kernel/pid.c b/kernel/pid.c > index 6a1d23a11026..d4a9cb6f3eb9 100644 > --- a/kernel/pid.c > +++ b/kernel/pid.c > @@ -308,6 +308,9 @@ void disable_pid_allocation(struct pid_namespace *ns) > > struct pid *find_pid_ns(int nr, struct pid_namespace *ns) > { > + if (!ns) > + return NULL; > + > return idr_find(&ns->idr, nr); > } > EXPORT_SYMBOL_GPL(find_pid_ns); > -- > 2.25.1 >
On Thu, Jul 13, 2023 at 03:17:13PM +0800, Xuewen Yan wrote: > There is no the judgment of whether namspace is NULL in find_pid_ns. > But there is a corner case when ns is null, for example: if user > call find_get_pid when current is in exiting, the following stack would > set thread_id be null: > release_task > __exit_signal(p); > __unhash_process(tsk, group_dead); > detach_pid(p, PIDTYPE_PID); > __change_pid(task, type, NULL); > > If user call find_get_pid at now, in find_vpid function, the I fail to see how this can happen. The code you're referencing is in release_task(). If current has gone through that then current obviously can't call find_vpid() on itself anymore or anything else for that matter.
On Tue, Jul 25, 2023 at 4:49 PM Christian Brauner <brauner@kernel.org> wrote: > > On Thu, Jul 13, 2023 at 03:17:13PM +0800, Xuewen Yan wrote: > > There is no the judgment of whether namspace is NULL in find_pid_ns. > > But there is a corner case when ns is null, for example: if user > > call find_get_pid when current is in exiting, the following stack would > > set thread_id be null: > > release_task > > __exit_signal(p); > > __unhash_process(tsk, group_dead); > > detach_pid(p, PIDTYPE_PID); > > __change_pid(task, type, NULL); > > > > If user call find_get_pid at now, in find_vpid function, the > > I fail to see how this can happen. The code you're referencing is in > release_task(). If current has gone through that then current obviously > can't call find_vpid() on itself anymore or anything else for that > matter. This happened when user calls find_vpid() in irq. [72117.635162] Call trace: [72117.635595] idr_find+0xc/0x24 [72117.636103] find_get_pid+0x40/0x68 [72117.636812] send_event+0x88/0x180 [demux] [72117.637593] vbvop_copy_data+0x150/0x344 [demux] [72117.638434] dmisr_video_parsing_mpeg12+0x29c/0x42c [demux] [72117.639393] dmisr_video_parsing_switch+0x68/0xec [demux] [72117.640332] dmisr_handle_video_pes+0x10c/0x26c [demux] [72117.641108] tasklet_action_common+0x130/0x224 [72117.641784] tasklet_action+0x28/0x34 [72117.642366] __do_softirq+0x128/0x4dc [72117.642944] irq_exit+0xf8/0xfc [72117.643459] __handle_domain_irq+0xb0/0x108 [72117.644102] gic_handle_irq+0x6c/0x124 [72117.644691] el1_irq+0x108/0x200 [72117.645217] _raw_write_unlock_irq+0x2c/0x5c [72117.645870] release_task+0x144/0x1ac <<<<<< [72117.646447] do_exit+0x524/0x94c [72117.646970] __do_sys_exit_group+0x0/0x14 [72117.647591] do_group_exit+0x0/0xa0 [72117.648146] __se_sys_exit+0x0/0x20 [72117.648704] el0_svc_common+0xcc/0x1bc [72117.649292] el0_svc_handler+0x2c/0x3c [72117.649881] el0_svc+0x8/0xc In release_task, write_unlock_irq(&tasklist_lock) will open irq, at this time, if user calls find_get_pid() in irq, because current->thread_id is NULL, it will handle the NULL pointer. BR --- xuewen
On Tue, Jul 25, 2023 at 08:24:18PM +0800, Xuewen Yan wrote: > On Tue, Jul 25, 2023 at 4:49 PM Christian Brauner <brauner@kernel.org> wrote: > > > > On Thu, Jul 13, 2023 at 03:17:13PM +0800, Xuewen Yan wrote: > > > There is no the judgment of whether namspace is NULL in find_pid_ns. > > > But there is a corner case when ns is null, for example: if user > > > call find_get_pid when current is in exiting, the following stack would > > > set thread_id be null: > > > release_task > > > __exit_signal(p); > > > __unhash_process(tsk, group_dead); > > > detach_pid(p, PIDTYPE_PID); > > > __change_pid(task, type, NULL); > > > > > > If user call find_get_pid at now, in find_vpid function, the > > > > I fail to see how this can happen. The code you're referencing is in > > release_task(). If current has gone through that then current obviously > > can't call find_vpid() on itself anymore or anything else for that > > matter. > > This happened when user calls find_vpid() in irq. > > [72117.635162] Call trace: > [72117.635595] idr_find+0xc/0x24 > [72117.636103] find_get_pid+0x40/0x68 > [72117.636812] send_event+0x88/0x180 [demux] > [72117.637593] vbvop_copy_data+0x150/0x344 [demux] > [72117.638434] dmisr_video_parsing_mpeg12+0x29c/0x42c [demux] > [72117.639393] dmisr_video_parsing_switch+0x68/0xec [demux] > [72117.640332] dmisr_handle_video_pes+0x10c/0x26c [demux] > [72117.641108] tasklet_action_common+0x130/0x224 > [72117.641784] tasklet_action+0x28/0x34 > [72117.642366] __do_softirq+0x128/0x4dc > [72117.642944] irq_exit+0xf8/0xfc > [72117.643459] __handle_domain_irq+0xb0/0x108 > [72117.644102] gic_handle_irq+0x6c/0x124 > [72117.644691] el1_irq+0x108/0x200 > [72117.645217] _raw_write_unlock_irq+0x2c/0x5c > [72117.645870] release_task+0x144/0x1ac <<<<<< > [72117.646447] do_exit+0x524/0x94c > [72117.646970] __do_sys_exit_group+0x0/0x14 > [72117.647591] do_group_exit+0x0/0xa0 > [72117.648146] __se_sys_exit+0x0/0x20 > [72117.648704] el0_svc_common+0xcc/0x1bc > [72117.649292] el0_svc_handler+0x2c/0x3c > [72117.649881] el0_svc+0x8/0xc > > In release_task, write_unlock_irq(&tasklist_lock) will open irq, at > this time, if user calls find_get_pid() in irq, because > current->thread_id is NULL, > it will handle the NULL pointer. Uhm, where is that code from? This doesn't seem to be upstream.
On Tue, Jul 25, 2023 at 8:47 PM Christian Brauner <brauner@kernel.org> wrote: > > On Tue, Jul 25, 2023 at 08:24:18PM +0800, Xuewen Yan wrote: > > On Tue, Jul 25, 2023 at 4:49 PM Christian Brauner <brauner@kernel.org> wrote: > > > > > > On Thu, Jul 13, 2023 at 03:17:13PM +0800, Xuewen Yan wrote: > > > > There is no the judgment of whether namspace is NULL in find_pid_ns. > > > > But there is a corner case when ns is null, for example: if user > > > > call find_get_pid when current is in exiting, the following stack would > > > > set thread_id be null: > > > > release_task > > > > __exit_signal(p); > > > > __unhash_process(tsk, group_dead); > > > > detach_pid(p, PIDTYPE_PID); > > > > __change_pid(task, type, NULL); > > > > > > > > If user call find_get_pid at now, in find_vpid function, the > > > > > > I fail to see how this can happen. The code you're referencing is in > > > release_task(). If current has gone through that then current obviously > > > can't call find_vpid() on itself anymore or anything else for that > > > matter. > > > > This happened when user calls find_vpid() in irq. > > > > [72117.635162] Call trace: > > [72117.635595] idr_find+0xc/0x24 > > [72117.636103] find_get_pid+0x40/0x68 > > [72117.636812] send_event+0x88/0x180 [demux] > > [72117.637593] vbvop_copy_data+0x150/0x344 [demux] > > [72117.638434] dmisr_video_parsing_mpeg12+0x29c/0x42c [demux] > > [72117.639393] dmisr_video_parsing_switch+0x68/0xec [demux] > > [72117.640332] dmisr_handle_video_pes+0x10c/0x26c [demux] > > [72117.641108] tasklet_action_common+0x130/0x224 > > [72117.641784] tasklet_action+0x28/0x34 > > [72117.642366] __do_softirq+0x128/0x4dc > > [72117.642944] irq_exit+0xf8/0xfc > > [72117.643459] __handle_domain_irq+0xb0/0x108 > > [72117.644102] gic_handle_irq+0x6c/0x124 > > [72117.644691] el1_irq+0x108/0x200 > > [72117.645217] _raw_write_unlock_irq+0x2c/0x5c > > [72117.645870] release_task+0x144/0x1ac <<<<<< > > [72117.646447] do_exit+0x524/0x94c > > [72117.646970] __do_sys_exit_group+0x0/0x14 > > [72117.647591] do_group_exit+0x0/0xa0 > > [72117.648146] __se_sys_exit+0x0/0x20 > > [72117.648704] el0_svc_common+0xcc/0x1bc > > [72117.649292] el0_svc_handler+0x2c/0x3c > > [72117.649881] el0_svc+0x8/0xc > > > > In release_task, write_unlock_irq(&tasklist_lock) will open irq, at > > this time, if user calls find_get_pid() in irq, because > > current->thread_id is NULL, > > it will handle the NULL pointer. > > Uhm, where is that code from? This doesn't seem to be upstream. It's from our own platform, we found someone called find_get_pid() in the module, and caused the crash. BR
On Wed, Jul 26, 2023 at 09:23:13AM +0800, Xuewen Yan wrote: > On Tue, Jul 25, 2023 at 8:47 PM Christian Brauner <brauner@kernel.org> wrote: > > > > On Tue, Jul 25, 2023 at 08:24:18PM +0800, Xuewen Yan wrote: > > > On Tue, Jul 25, 2023 at 4:49 PM Christian Brauner <brauner@kernel.org> wrote: > > > > > > > > On Thu, Jul 13, 2023 at 03:17:13PM +0800, Xuewen Yan wrote: > > > > > There is no the judgment of whether namspace is NULL in find_pid_ns. > > > > > But there is a corner case when ns is null, for example: if user > > > > > call find_get_pid when current is in exiting, the following stack would > > > > > set thread_id be null: > > > > > release_task > > > > > __exit_signal(p); > > > > > __unhash_process(tsk, group_dead); > > > > > detach_pid(p, PIDTYPE_PID); > > > > > __change_pid(task, type, NULL); > > > > > > > > > > If user call find_get_pid at now, in find_vpid function, the > > > > > > > > I fail to see how this can happen. The code you're referencing is in > > > > release_task(). If current has gone through that then current obviously > > > > can't call find_vpid() on itself anymore or anything else for that > > > > matter. > > > > > > This happened when user calls find_vpid() in irq. > > > > > > [72117.635162] Call trace: > > > [72117.635595] idr_find+0xc/0x24 > > > [72117.636103] find_get_pid+0x40/0x68 > > > [72117.636812] send_event+0x88/0x180 [demux] > > > [72117.637593] vbvop_copy_data+0x150/0x344 [demux] > > > [72117.638434] dmisr_video_parsing_mpeg12+0x29c/0x42c [demux] > > > [72117.639393] dmisr_video_parsing_switch+0x68/0xec [demux] > > > [72117.640332] dmisr_handle_video_pes+0x10c/0x26c [demux] > > > [72117.641108] tasklet_action_common+0x130/0x224 > > > [72117.641784] tasklet_action+0x28/0x34 > > > [72117.642366] __do_softirq+0x128/0x4dc > > > [72117.642944] irq_exit+0xf8/0xfc > > > [72117.643459] __handle_domain_irq+0xb0/0x108 > > > [72117.644102] gic_handle_irq+0x6c/0x124 > > > [72117.644691] el1_irq+0x108/0x200 > > > [72117.645217] _raw_write_unlock_irq+0x2c/0x5c > > > [72117.645870] release_task+0x144/0x1ac <<<<<< > > > [72117.646447] do_exit+0x524/0x94c > > > [72117.646970] __do_sys_exit_group+0x0/0x14 > > > [72117.647591] do_group_exit+0x0/0xa0 > > > [72117.648146] __se_sys_exit+0x0/0x20 > > > [72117.648704] el0_svc_common+0xcc/0x1bc > > > [72117.649292] el0_svc_handler+0x2c/0x3c > > > [72117.649881] el0_svc+0x8/0xc > > > > > > In release_task, write_unlock_irq(&tasklist_lock) will open irq, at > > > this time, if user calls find_get_pid() in irq, because > > > current->thread_id is NULL, > > > it will handle the NULL pointer. > > > > Uhm, where is that code from? This doesn't seem to be upstream. > > It's from our own platform, we found someone called find_get_pid() in > the module, and caused the crash. So this is a bug report for an out of tree driver which I'm sure you're aware we consider mostly irrelevant unless this is an upstream issue. Please work around or better fix this in your out of tree driver or please show a reproducer how this can happen on upstream kernels. Otherwise I don't see why we'd care.
On Wed, Jul 26, 2023 at 5:25 PM Christian Brauner <brauner@kernel.org> wrote: > > On Wed, Jul 26, 2023 at 09:23:13AM +0800, Xuewen Yan wrote: > > On Tue, Jul 25, 2023 at 8:47 PM Christian Brauner <brauner@kernel.org> wrote: > > > > > > On Tue, Jul 25, 2023 at 08:24:18PM +0800, Xuewen Yan wrote: > > > > On Tue, Jul 25, 2023 at 4:49 PM Christian Brauner <brauner@kernel.org> wrote: > > > > > > > > > > On Thu, Jul 13, 2023 at 03:17:13PM +0800, Xuewen Yan wrote: > > > > > > There is no the judgment of whether namspace is NULL in find_pid_ns. > > > > > > But there is a corner case when ns is null, for example: if user > > > > > > call find_get_pid when current is in exiting, the following stack would > > > > > > set thread_id be null: > > > > > > release_task > > > > > > __exit_signal(p); > > > > > > __unhash_process(tsk, group_dead); > > > > > > detach_pid(p, PIDTYPE_PID); > > > > > > __change_pid(task, type, NULL); > > > > > > > > > > > > If user call find_get_pid at now, in find_vpid function, the > > > > > > > > > > I fail to see how this can happen. The code you're referencing is in > > > > > release_task(). If current has gone through that then current obviously > > > > > can't call find_vpid() on itself anymore or anything else for that > > > > > matter. > > > > > > > > This happened when user calls find_vpid() in irq. > > > > > > > > [72117.635162] Call trace: > > > > [72117.635595] idr_find+0xc/0x24 > > > > [72117.636103] find_get_pid+0x40/0x68 > > > > [72117.636812] send_event+0x88/0x180 [demux] > > > > [72117.637593] vbvop_copy_data+0x150/0x344 [demux] > > > > [72117.638434] dmisr_video_parsing_mpeg12+0x29c/0x42c [demux] > > > > [72117.639393] dmisr_video_parsing_switch+0x68/0xec [demux] > > > > [72117.640332] dmisr_handle_video_pes+0x10c/0x26c [demux] > > > > [72117.641108] tasklet_action_common+0x130/0x224 > > > > [72117.641784] tasklet_action+0x28/0x34 > > > > [72117.642366] __do_softirq+0x128/0x4dc > > > > [72117.642944] irq_exit+0xf8/0xfc > > > > [72117.643459] __handle_domain_irq+0xb0/0x108 > > > > [72117.644102] gic_handle_irq+0x6c/0x124 > > > > [72117.644691] el1_irq+0x108/0x200 > > > > [72117.645217] _raw_write_unlock_irq+0x2c/0x5c > > > > [72117.645870] release_task+0x144/0x1ac <<<<<< > > > > [72117.646447] do_exit+0x524/0x94c > > > > [72117.646970] __do_sys_exit_group+0x0/0x14 > > > > [72117.647591] do_group_exit+0x0/0xa0 > > > > [72117.648146] __se_sys_exit+0x0/0x20 > > > > [72117.648704] el0_svc_common+0xcc/0x1bc > > > > [72117.649292] el0_svc_handler+0x2c/0x3c > > > > [72117.649881] el0_svc+0x8/0xc > > > > > > > > In release_task, write_unlock_irq(&tasklist_lock) will open irq, at > > > > this time, if user calls find_get_pid() in irq, because > > > > current->thread_id is NULL, > > > > it will handle the NULL pointer. > > > > > > Uhm, where is that code from? This doesn't seem to be upstream. > > > > It's from our own platform, we found someone called find_get_pid() in > > the module, and caused the crash. > > So this is a bug report for an out of tree driver which I'm sure you're > aware we consider mostly irrelevant unless this is an upstream issue. > > Please work around or better fix this in your out of tree driver or > please show a reproducer how this can happen on upstream kernels. > > Otherwise I don't see why we'd care. Okay, Thanks a lot! BR
diff --git a/kernel/pid.c b/kernel/pid.c index 6a1d23a11026..d4a9cb6f3eb9 100644 --- a/kernel/pid.c +++ b/kernel/pid.c @@ -308,6 +308,9 @@ void disable_pid_allocation(struct pid_namespace *ns) struct pid *find_pid_ns(int nr, struct pid_namespace *ns) { + if (!ns) + return NULL; + return idr_find(&ns->idr, nr); } EXPORT_SYMBOL_GPL(find_pid_ns);