2005-04-17 02:20:36 +04:00
/*
* linux / fs / proc / base . c
*
* Copyright ( C ) 1991 , 1992 Linus Torvalds
*
* proc base directory handling functions
*
* 1999 , Al Viro . Rewritten . Now it covers the whole per - process part .
* Instead of using magical inumbers to determine the kind of object
* we allocate and fill in - core inodes upon lookup . They don ' t even
* go into icache . We cache the reference to task_struct upon lookup too .
* Eventually it should become a filesystem in its own . We don ' t use the
* rest of procfs anymore .
2005-09-04 02:55:10 +04:00
*
*
* Changelog :
* 17 - Jan - 2005
* Allan Bezerra
* Bruna Moreira < bruna . moreira @ indt . org . br >
* Edjard Mota < edjard . mota @ indt . org . br >
* Ilias Biris < ilias . biris @ indt . org . br >
* Mauricio Lin < mauricio . lin @ indt . org . br >
*
* Embedded Linux Lab - 10L E Instituto Nokia de Tecnologia - INdT
*
* A new process specific entry ( smaps ) included in / proc . It shows the
* size of rss for each memory area . The maps entry lacks information
* about physical memory size ( rss ) for each mapped file , i . e . ,
* rss information for executables and library files .
* This additional information is useful for any tools that need to know
* about physical memory consumption for a process specific library .
*
* Changelog :
* 21 - Feb - 2005
* Embedded Linux Lab - 10L E Instituto Nokia de Tecnologia - INdT
* Pud inclusion in the page table walking .
*
* ChangeLog :
* 10 - Mar - 2005
* 10L E Instituto Nokia de Tecnologia - INdT :
* A better way to walks through the page table as suggested by Hugh Dickins .
*
* Simo Piiroinen < simo . piiroinen @ nokia . com > :
* Smaps information related to shared , private , clean and dirty pages .
*
* Paul Mundt < paul . mundt @ nokia . com > :
* Overall revision about smaps .
2005-04-17 02:20:36 +04:00
*/
# include <asm/uaccess.h>
# include <linux/errno.h>
# include <linux/time.h>
# include <linux/proc_fs.h>
# include <linux/stat.h>
2008-07-27 19:29:15 +04:00
# include <linux/task_io_accounting_ops.h>
2005-04-17 02:20:36 +04:00
# include <linux/init.h>
2006-01-11 23:17:46 +03:00
# include <linux/capability.h>
2005-04-17 02:20:36 +04:00
# include <linux/file.h>
2008-04-24 15:44:08 +04:00
# include <linux/fdtable.h>
2005-04-17 02:20:36 +04:00
# include <linux/string.h>
# include <linux/seq_file.h>
# include <linux/namei.h>
2006-12-08 13:37:56 +03:00
# include <linux/mnt_namespace.h>
2005-04-17 02:20:36 +04:00
# include <linux/mm.h>
oom: badness heuristic rewrite
This a complete rewrite of the oom killer's badness() heuristic which is
used to determine which task to kill in oom conditions. The goal is to
make it as simple and predictable as possible so the results are better
understood and we end up killing the task which will lead to the most
memory freeing while still respecting the fine-tuning from userspace.
Instead of basing the heuristic on mm->total_vm for each task, the task's
rss and swap space is used instead. This is a better indication of the
amount of memory that will be freeable if the oom killed task is chosen
and subsequently exits. This helps specifically in cases where KDE or
GNOME is chosen for oom kill on desktop systems instead of a memory
hogging task.
The baseline for the heuristic is a proportion of memory that each task is
currently using in memory plus swap compared to the amount of "allowable"
memory. "Allowable," in this sense, means the system-wide resources for
unconstrained oom conditions, the set of mempolicy nodes, the mems
attached to current's cpuset, or a memory controller's limit. The
proportion is given on a scale of 0 (never kill) to 1000 (always kill),
roughly meaning that if a task has a badness() score of 500 that the task
consumes approximately 50% of allowable memory resident in RAM or in swap
space.
The proportion is always relative to the amount of "allowable" memory and
not the total amount of RAM systemwide so that mempolicies and cpusets may
operate in isolation; they shall not need to know the true size of the
machine on which they are running if they are bound to a specific set of
nodes or mems, respectively.
Root tasks are given 3% extra memory just like __vm_enough_memory()
provides in LSMs. In the event of two tasks consuming similar amounts of
memory, it is generally better to save root's task.
Because of the change in the badness() heuristic's baseline, it is also
necessary to introduce a new user interface to tune it. It's not possible
to redefine the meaning of /proc/pid/oom_adj with a new scale since the
ABI cannot be changed for backward compatability. Instead, a new tunable,
/proc/pid/oom_score_adj, is added that ranges from -1000 to +1000. It may
be used to polarize the heuristic such that certain tasks are never
considered for oom kill while others may always be considered. The value
is added directly into the badness() score so a value of -500, for
example, means to discount 50% of its memory consumption in comparison to
other tasks either on the system, bound to the mempolicy, in the cpuset,
or sharing the same memory controller.
/proc/pid/oom_adj is changed so that its meaning is rescaled into the
units used by /proc/pid/oom_score_adj, and vice versa. Changing one of
these per-task tunables will rescale the value of the other to an
equivalent meaning. Although /proc/pid/oom_adj was originally defined as
a bitshift on the badness score, it now shares the same linear growth as
/proc/pid/oom_score_adj but with different granularity. This is required
so the ABI is not broken with userspace applications and allows oom_adj to
be deprecated for future removal.
Signed-off-by: David Rientjes <rientjes@google.com>
Cc: Nick Piggin <npiggin@suse.de>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Balbir Singh <balbir@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-08-10 04:19:46 +04:00
# include <linux/swap.h>
2005-09-10 00:04:14 +04:00
# include <linux/rcupdate.h>
2005-04-17 02:20:36 +04:00
# include <linux/kallsyms.h>
2008-11-10 11:26:08 +03:00
# include <linux/stacktrace.h>
2007-10-19 10:40:37 +04:00
# include <linux/resource.h>
2007-05-08 11:26:04 +04:00
# include <linux/module.h>
2005-04-17 02:20:36 +04:00
# include <linux/mount.h>
# include <linux/security.h>
# include <linux/ptrace.h>
2008-07-26 06:45:49 +04:00
# include <linux/tracehook.h>
2007-10-19 10:39:35 +04:00
# include <linux/cgroup.h>
2005-04-17 02:20:36 +04:00
# include <linux/cpuset.h>
# include <linux/audit.h>
2005-11-08 01:15:49 +03:00
# include <linux/poll.h>
2006-10-02 13:18:08 +04:00
# include <linux/nsproxy.h>
2006-10-20 10:28:32 +04:00
# include <linux/oom.h>
2007-07-19 12:48:28 +04:00
# include <linux/elf.h>
2007-10-19 10:40:03 +04:00
# include <linux/pid_namespace.h>
2009-03-30 03:50:06 +04:00
# include <linux/fs_struct.h>
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files. percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.
percpu.h -> slab.h dependency is about to be removed. Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability. As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.
http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the followings.
* Scan files for gfp and slab usages and update includes such that
only the necessary includes are there. ie. if only gfp is used,
gfp.h, if slab is used, slab.h.
* When the script inserts a new include, it looks at the include
blocks and try to put the new include such that its order conforms
to its surrounding. It's put in the include block which contains
core kernel includes, in the same order that the rest are ordered -
alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
doesn't seem to be any matching order.
* If the script can't find a place to put a new include (mostly
because the file doesn't have fitting include block), it prints out
an error message indicating which .h file needs to be added to the
file.
The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
over 4000 files, deleting around 700 includes and adding ~480 gfp.h
and ~3000 slab.h inclusions. The script emitted errors for ~400
files.
2. Each error was manually checked. Some didn't need the inclusion,
some needed manual addition while adding it to implementation .h or
embedding .c file was more appropriate for others. This step added
inclusions to around 150 files.
3. The script was run again and the output was compared to the edits
from #2 to make sure no file was left behind.
4. Several build tests were done and a couple of problems were fixed.
e.g. lib/decompress_*.c used malloc/free() wrappers around slab
APIs requiring slab.h to be added manually.
5. The script was run on all .h files but without automatically
editing them as sprinkling gfp.h and slab.h inclusions around .h
files could easily lead to inclusion dependency hell. Most gfp.h
inclusion directives were ignored as stuff from gfp.h was usually
wildly available and often used in preprocessor macros. Each
slab.h inclusion directive was examined and added manually as
necessary.
6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures
were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
distributed build env didn't work with gcov compiles) and a few
more options had to be turned off depending on archs to make things
build (like ipr on powerpc/64 which failed due to missing writeq).
* x86 and x86_64 UP and SMP allmodconfig and a custom test config.
* powerpc and powerpc64 SMP allmodconfig
* sparc and sparc64 SMP allmodconfig
* ia64 SMP allmodconfig
* s390 SMP allmodconfig
* alpha SMP allmodconfig
* um on x86_64 SMP allmodconfig
8. percpu.h modifications were reverted so that it could be applied as
a separate patch and serve as bisection point.
Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable easily on most builds of
the specific arch.
Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-03-24 11:04:11 +03:00
# include <linux/slab.h>
2012-01-11 03:11:23 +04:00
# include <linux/flex_array.h>
arch/tile: more /proc and /sys file support
This change introduces a few of the less controversial /proc and
/proc/sys interfaces for tile, along with sysfs attributes for
various things that were originally proposed as /proc/tile files.
It also adjusts the "hardwall" proc API.
Arnd Bergmann reviewed the initial arch/tile submission, which
included a complete set of all the /proc/tile and /proc/sys/tile
knobs that we had added in a somewhat ad hoc way during initial
development, and provided feedback on where most of them should go.
One knob turned out to be similar enough to the existing
/proc/sys/debug/exception-trace that it was re-implemented to use
that model instead.
Another knob was /proc/tile/grid, which reported the "grid" dimensions
of a tile chip (e.g. 8x8 processors = 64-core chip). Arnd suggested
looking at sysfs for that, so this change moves that information
to a pair of sysfs attributes (chip_width and chip_height) in the
/sys/devices/system/cpu directory. We also put the "chip_serial"
and "chip_revision" information from our old /proc/tile/board file
as attributes in /sys/devices/system/cpu.
Other information collected via hypervisor APIs is now placed in
/sys/hypervisor. We create a /sys/hypervisor/type file (holding the
constant string "tilera") to be parallel with the Xen use of
/sys/hypervisor/type holding "xen". We create three top-level files,
"version" (the hypervisor's own version), "config_version" (the
version of the configuration file), and "hvconfig" (the contents of
the configuration file). The remaining information from our old
/proc/tile/board and /proc/tile/switch files becomes an attribute
group appearing under /sys/hypervisor/board/.
Finally, after some feedback from Arnd Bergmann for the previous
version of this patch, the /proc/tile/hardwall file is split up into
two conceptual parts. First, a directory /proc/tile/hardwall/ which
contains one file per active hardwall, each file named after the
hardwall's ID and holding a cpulist that says which cpus are enclosed by
the hardwall. Second, a /proc/PID file "hardwall" that is either
empty (for non-hardwall-using processes) or contains the hardwall ID.
Finally, this change pushes the /proc/sys/tile/unaligned_fixup/
directory, with knobs controlling the kernel code for handling the
fixup of unaligned exceptions.
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
2011-05-26 20:40:09 +04:00
# ifdef CONFIG_HARDWALL
# include <asm/hardwall.h>
# endif
2012-01-11 03:08:09 +04:00
# include <trace/events/oom.h>
2005-04-17 02:20:36 +04:00
# include "internal.h"
2006-06-26 11:25:46 +04:00
/* NOTE:
* Implementing inode permission operations in / proc is almost
* certainly an error . Permission checks need to happen during
* each system call not at open time . The reason is that most of
* what we wish to check for permissions in / proc varies at runtime .
*
* The classic example of a problem is opening file descriptors
* in / proc for a task before it execs a suid executable .
*/
2005-04-17 02:20:36 +04:00
struct pid_entry {
char * name ;
2007-05-08 11:26:15 +04:00
int len ;
2011-07-24 11:36:29 +04:00
umode_t mode ;
2007-02-12 11:55:40 +03:00
const struct inode_operations * iop ;
2007-02-12 11:55:34 +03:00
const struct file_operations * fop ;
2006-10-02 13:17:07 +04:00
union proc_op op ;
2005-04-17 02:20:36 +04:00
} ;
2006-10-02 13:18:49 +04:00
# define NOD(NAME, MODE, IOP, FOP, OP) { \
2006-10-02 13:17:07 +04:00
. name = ( NAME ) , \
2007-05-08 11:26:15 +04:00
. len = sizeof ( NAME ) - 1 , \
2006-10-02 13:17:07 +04:00
. mode = MODE , \
. iop = IOP , \
. fop = FOP , \
. op = OP , \
}
2008-11-10 01:32:52 +03:00
# define DIR(NAME, MODE, iops, fops) \
NOD ( NAME , ( S_IFDIR | ( MODE ) ) , & iops , & fops , { } )
# define LNK(NAME, get_link) \
2006-10-02 13:18:49 +04:00
NOD ( NAME , ( S_IFLNK | S_IRWXUGO ) , \
2006-10-02 13:17:07 +04:00
& proc_pid_link_inode_operations , NULL , \
2008-11-10 01:32:52 +03:00
{ . proc_get_link = get_link } )
# define REG(NAME, MODE, fops) \
NOD ( NAME , ( S_IFREG | ( MODE ) ) , NULL , & fops , { } )
# define INF(NAME, MODE, read) \
2006-10-02 13:18:49 +04:00
NOD ( NAME , ( S_IFREG | ( MODE ) ) , \
2006-10-02 13:17:07 +04:00
NULL , & proc_info_file_operations , \
2008-11-10 01:32:52 +03:00
{ . proc_read = read } )
# define ONE(NAME, MODE, show) \
2008-02-08 15:18:30 +03:00
NOD ( NAME , ( S_IFREG | ( MODE ) ) , \
NULL , & proc_single_file_operations , \
2008-11-10 01:32:52 +03:00
{ . proc_show = show } )
2005-04-17 02:20:36 +04:00
2012-01-11 03:11:23 +04:00
static int proc_fd_permission ( struct inode * inode , int mask ) ;
2008-06-06 09:46:53 +04:00
/*
* Count the number of hardlinks for the pid_entry table , excluding the .
* and . . links .
*/
static unsigned int pid_entry_count_dirs ( const struct pid_entry * entries ,
unsigned int n )
{
unsigned int i ;
unsigned int count ;
count = 0 ;
for ( i = 0 ; i < n ; + + i ) {
if ( S_ISDIR ( entries [ i ] . mode ) )
+ + count ;
}
return count ;
}
2010-08-10 13:41:36 +04:00
static int get_task_root ( struct task_struct * task , struct path * root )
2005-04-17 02:20:36 +04:00
{
2009-03-29 03:21:27 +04:00
int result = - ENOENT ;
2005-09-07 02:18:22 +04:00
task_lock ( task ) ;
2010-08-10 13:41:36 +04:00
if ( task - > fs ) {
get_fs_root ( task - > fs , root ) ;
2009-03-29 03:21:27 +04:00
result = 0 ;
}
2005-09-07 02:18:22 +04:00
task_unlock ( task ) ;
2009-03-29 03:21:27 +04:00
return result ;
2005-09-07 02:18:22 +04:00
}
2012-01-11 03:11:20 +04:00
static int proc_cwd_link ( struct dentry * dentry , struct path * path )
2005-09-07 02:18:22 +04:00
{
2012-01-11 03:11:20 +04:00
struct task_struct * task = get_proc_task ( dentry - > d_inode ) ;
2005-09-07 02:18:22 +04:00
int result = - ENOENT ;
2006-06-26 11:25:55 +04:00
if ( task ) {
2010-08-10 13:41:36 +04:00
task_lock ( task ) ;
if ( task - > fs ) {
get_fs_pwd ( task - > fs , path ) ;
result = 0 ;
}
task_unlock ( task ) ;
2006-06-26 11:25:55 +04:00
put_task_struct ( task ) ;
}
2005-04-17 02:20:36 +04:00
return result ;
}
2012-01-11 03:11:20 +04:00
static int proc_root_link ( struct dentry * dentry , struct path * path )
2005-04-17 02:20:36 +04:00
{
2012-01-11 03:11:20 +04:00
struct task_struct * task = get_proc_task ( dentry - > d_inode ) ;
2005-04-17 02:20:36 +04:00
int result = - ENOENT ;
2006-06-26 11:25:55 +04:00
if ( task ) {
2010-08-10 13:41:36 +04:00
result = get_task_root ( task , path ) ;
2006-06-26 11:25:55 +04:00
put_task_struct ( task ) ;
}
2005-04-17 02:20:36 +04:00
return result ;
}
2011-03-13 22:49:23 +03:00
static struct mm_struct * __check_mem_permission ( struct task_struct * task )
2008-04-29 12:01:38 +04:00
{
2011-03-13 22:49:23 +03:00
struct mm_struct * mm ;
mm = get_task_mm ( task ) ;
if ( ! mm )
return ERR_PTR ( - EINVAL ) ;
2008-04-29 12:01:38 +04:00
/*
* A task can always look at itself , in case it chooses
* to use system calls instead of load instructions .
*/
if ( task = = current )
2011-03-13 22:49:23 +03:00
return mm ;
2008-04-29 12:01:38 +04:00
/*
* If current is actively ptrace ' ing , and would also be
* permitted to freshly attach with ptrace now , permit it .
*/
2008-07-26 06:45:49 +04:00
if ( task_is_stopped_or_traced ( task ) ) {
int match ;
rcu_read_lock ( ) ;
2011-06-17 18:50:40 +04:00
match = ( ptrace_parent ( task ) = = current ) ;
2008-07-26 06:45:49 +04:00
rcu_read_unlock ( ) ;
if ( match & & ptrace_may_access ( task , PTRACE_MODE_ATTACH ) )
2011-03-13 22:49:23 +03:00
return mm ;
2008-07-26 06:45:49 +04:00
}
2008-04-29 12:01:38 +04:00
/*
2011-03-31 05:57:33 +04:00
* No one else is allowed .
2008-04-29 12:01:38 +04:00
*/
2011-03-13 22:49:23 +03:00
mmput ( mm ) ;
return ERR_PTR ( - EPERM ) ;
2008-04-29 12:01:38 +04:00
}
2005-04-17 02:20:36 +04:00
2011-03-13 22:49:22 +03:00
/*
2011-03-13 22:49:23 +03:00
* If current may access user memory in @ task return a reference to the
* corresponding mm , otherwise ERR_PTR .
2011-03-13 22:49:22 +03:00
*/
2011-03-13 22:49:23 +03:00
static struct mm_struct * check_mem_permission ( struct task_struct * task )
2011-03-13 22:49:22 +03:00
{
2011-03-13 22:49:23 +03:00
struct mm_struct * mm ;
2011-03-13 22:49:22 +03:00
int err ;
/*
* Avoid racing if task exec ' s as we might get a new mm but validate
* against old credentials .
*/
err = mutex_lock_killable ( & task - > signal - > cred_guard_mutex ) ;
if ( err )
2011-03-13 22:49:23 +03:00
return ERR_PTR ( err ) ;
2011-03-13 22:49:22 +03:00
2011-03-13 22:49:23 +03:00
mm = __check_mem_permission ( task ) ;
2011-03-13 22:49:22 +03:00
mutex_unlock ( & task - > signal - > cred_guard_mutex ) ;
2011-03-13 22:49:23 +03:00
return mm ;
2008-04-29 12:01:38 +04:00
}
2005-04-17 02:20:36 +04:00
2008-01-02 17:09:57 +03:00
struct mm_struct * mm_for_maps ( struct task_struct * task )
{
2009-07-10 05:27:40 +04:00
struct mm_struct * mm ;
2011-02-16 06:22:54 +03:00
int err ;
2009-07-10 05:27:40 +04:00
2011-02-16 06:22:54 +03:00
err = mutex_lock_killable ( & task - > signal - > cred_guard_mutex ) ;
if ( err )
return ERR_PTR ( err ) ;
2009-07-10 05:27:38 +04:00
2009-07-10 05:27:40 +04:00
mm = get_task_mm ( task ) ;
if ( mm & & mm ! = current - > mm & &
! ptrace_may_access ( task , PTRACE_MODE_READ ) ) {
mmput ( mm ) ;
2011-02-16 06:22:54 +03:00
mm = ERR_PTR ( - EACCES ) ;
2009-06-23 23:25:32 +04:00
}
2010-10-28 02:34:08 +04:00
mutex_unlock ( & task - > signal - > cred_guard_mutex ) ;
2009-07-10 05:27:40 +04:00
2008-01-02 17:09:57 +03:00
return mm ;
}
2005-04-17 02:20:36 +04:00
static int proc_pid_cmdline ( struct task_struct * task , char * buffer )
{
int res = 0 ;
unsigned int len ;
struct mm_struct * mm = get_task_mm ( task ) ;
if ( ! mm )
goto out ;
if ( ! mm - > arg_end )
goto out_mm ; /* Shh! No looking before we're done */
len = mm - > arg_end - mm - > arg_start ;
if ( len > PAGE_SIZE )
len = PAGE_SIZE ;
res = access_process_vm ( task , mm - > arg_start , buffer , len , 0 ) ;
// If the nul at the end of args has been overwritten, then
// assume application is using setproctitle(3).
if ( res > 0 & & buffer [ res - 1 ] ! = ' \0 ' & & len < PAGE_SIZE ) {
len = strnlen ( buffer , res ) ;
if ( len < res ) {
res = len ;
} else {
len = mm - > env_end - mm - > env_start ;
if ( len > PAGE_SIZE - res )
len = PAGE_SIZE - res ;
res + = access_process_vm ( task , mm - > env_start , buffer + res , len , 0 ) ;
res = strnlen ( buffer , res ) ;
}
}
out_mm :
mmput ( mm ) ;
out :
return res ;
}
static int proc_pid_auxv ( struct task_struct * task , char * buffer )
{
2011-02-16 06:52:11 +03:00
struct mm_struct * mm = mm_for_maps ( task ) ;
int res = PTR_ERR ( mm ) ;
if ( mm & & ! IS_ERR ( mm ) ) {
2005-04-17 02:20:36 +04:00
unsigned int nwords = 0 ;
2008-12-30 18:49:13 +03:00
do {
2005-04-17 02:20:36 +04:00
nwords + = 2 ;
2008-12-30 18:49:13 +03:00
} while ( mm - > saved_auxv [ nwords - 2 ] ! = 0 ) ; /* AT_NULL */
2005-04-17 02:20:36 +04:00
res = nwords * sizeof ( mm - > saved_auxv [ 0 ] ) ;
if ( res > PAGE_SIZE )
res = PAGE_SIZE ;
memcpy ( buffer , mm - > saved_auxv , res ) ;
mmput ( mm ) ;
}
return res ;
}
# ifdef CONFIG_KALLSYMS
/*
* Provides a wchan file via kallsyms in a proper one - value - per - file format .
* Returns the resolved symbol . If that fails , simply return the address .
*/
static int proc_pid_wchan ( struct task_struct * task , char * buffer )
{
2007-05-08 11:28:41 +04:00
unsigned long wchan ;
2007-07-17 15:03:51 +04:00
char symname [ KSYM_NAME_LEN ] ;
2005-04-17 02:20:36 +04:00
wchan = get_wchan ( task ) ;
2007-05-08 11:28:43 +04:00
if ( lookup_symbol_name ( wchan , symname ) < 0 )
2009-05-04 22:51:14 +04:00
if ( ! ptrace_may_access ( task , PTRACE_MODE_READ ) )
return 0 ;
else
return sprintf ( buffer , " %lu " , wchan ) ;
2007-05-08 11:28:43 +04:00
else
return sprintf ( buffer , " %s " , symname ) ;
2005-04-17 02:20:36 +04:00
}
# endif /* CONFIG_KALLSYMS */
2011-03-23 22:52:50 +03:00
static int lock_trace ( struct task_struct * task )
{
int err = mutex_lock_killable ( & task - > signal - > cred_guard_mutex ) ;
if ( err )
return err ;
if ( ! ptrace_may_access ( task , PTRACE_MODE_ATTACH ) ) {
mutex_unlock ( & task - > signal - > cred_guard_mutex ) ;
return - EPERM ;
}
return 0 ;
}
static void unlock_trace ( struct task_struct * task )
{
mutex_unlock ( & task - > signal - > cred_guard_mutex ) ;
}
2008-11-10 11:26:08 +03:00
# ifdef CONFIG_STACKTRACE
# define MAX_STACK_TRACE_DEPTH 64
static int proc_pid_stack ( struct seq_file * m , struct pid_namespace * ns ,
struct pid * pid , struct task_struct * task )
{
struct stack_trace trace ;
unsigned long * entries ;
2011-03-23 22:52:50 +03:00
int err ;
2008-11-10 11:26:08 +03:00
int i ;
entries = kmalloc ( MAX_STACK_TRACE_DEPTH * sizeof ( * entries ) , GFP_KERNEL ) ;
if ( ! entries )
return - ENOMEM ;
trace . nr_entries = 0 ;
trace . max_entries = MAX_STACK_TRACE_DEPTH ;
trace . entries = entries ;
trace . skip = 0 ;
2011-03-23 22:52:50 +03:00
err = lock_trace ( task ) ;
if ( ! err ) {
save_stack_trace_tsk ( task , & trace ) ;
for ( i = 0 ; i < trace . nr_entries ; i + + ) {
2011-03-24 06:51:42 +03:00
seq_printf ( m , " [<%pK>] %pS \n " ,
2011-03-23 22:52:50 +03:00
( void * ) entries [ i ] , ( void * ) entries [ i ] ) ;
}
unlock_trace ( task ) ;
2008-11-10 11:26:08 +03:00
}
kfree ( entries ) ;
2011-03-23 22:52:50 +03:00
return err ;
2008-11-10 11:26:08 +03:00
}
# endif
2005-04-17 02:20:36 +04:00
# ifdef CONFIG_SCHEDSTATS
/*
* Provides / proc / PID / schedstat
*/
static int proc_pid_schedstat ( struct task_struct * task , char * buffer )
{
2007-07-09 20:52:00 +04:00
return sprintf ( buffer , " %llu %llu %lu \n " ,
2008-12-22 09:37:41 +03:00
( unsigned long long ) task - > se . sum_exec_runtime ,
( unsigned long long ) task - > sched_info . run_delay ,
2007-10-15 19:00:12 +04:00
task - > sched_info . pcount ) ;
2005-04-17 02:20:36 +04:00
}
# endif
2008-01-25 23:08:34 +03:00
# ifdef CONFIG_LATENCYTOP
static int lstats_show_proc ( struct seq_file * m , void * v )
{
int i ;
2008-02-21 03:53:29 +03:00
struct inode * inode = m - > private ;
struct task_struct * task = get_proc_task ( inode ) ;
2008-01-25 23:08:34 +03:00
2008-02-21 03:53:29 +03:00
if ( ! task )
return - ESRCH ;
seq_puts ( m , " Latency Top version : v0.1 \n " ) ;
2008-01-25 23:08:34 +03:00
for ( i = 0 ; i < 32 ; i + + ) {
2011-01-13 04:00:30 +03:00
struct latency_record * lr = & task - > latency_record [ i ] ;
if ( lr - > backtrace [ 0 ] ) {
2008-01-25 23:08:34 +03:00
int q ;
2011-01-13 04:00:30 +03:00
seq_printf ( m , " %i %li %li " ,
lr - > count , lr - > time , lr - > max ) ;
2008-01-25 23:08:34 +03:00
for ( q = 0 ; q < LT_BACKTRACEDEPTH ; q + + ) {
2011-01-13 04:00:30 +03:00
unsigned long bt = lr - > backtrace [ q ] ;
if ( ! bt )
2008-01-25 23:08:34 +03:00
break ;
2011-01-13 04:00:30 +03:00
if ( bt = = ULONG_MAX )
2008-01-25 23:08:34 +03:00
break ;
2011-01-13 04:00:30 +03:00
seq_printf ( m , " %ps " , ( void * ) bt ) ;
2008-01-25 23:08:34 +03:00
}
2011-01-13 04:00:32 +03:00
seq_putc ( m , ' \n ' ) ;
2008-01-25 23:08:34 +03:00
}
}
2008-02-21 03:53:29 +03:00
put_task_struct ( task ) ;
2008-01-25 23:08:34 +03:00
return 0 ;
}
static int lstats_open ( struct inode * inode , struct file * file )
{
2008-02-21 03:53:29 +03:00
return single_open ( file , lstats_show_proc , inode ) ;
2008-02-14 21:27:00 +03:00
}
2008-01-25 23:08:34 +03:00
static ssize_t lstats_write ( struct file * file , const char __user * buf ,
size_t count , loff_t * offs )
{
2008-02-21 03:53:29 +03:00
struct task_struct * task = get_proc_task ( file - > f_dentry - > d_inode ) ;
2008-01-25 23:08:34 +03:00
2008-02-21 03:53:29 +03:00
if ( ! task )
return - ESRCH ;
2008-01-25 23:08:34 +03:00
clear_all_latency_tracing ( task ) ;
2008-02-21 03:53:29 +03:00
put_task_struct ( task ) ;
2008-01-25 23:08:34 +03:00
return count ;
}
static const struct file_operations proc_lstats_operations = {
. open = lstats_open ,
. read = seq_read ,
. write = lstats_write ,
. llseek = seq_lseek ,
2008-02-21 03:53:29 +03:00
. release = single_release ,
2008-01-25 23:08:34 +03:00
} ;
# endif
2005-04-17 02:20:36 +04:00
static int proc_oom_score ( struct task_struct * task , char * buffer )
{
2010-04-01 17:13:57 +04:00
unsigned long points = 0 ;
2005-04-17 02:20:36 +04:00
2007-05-08 11:26:46 +04:00
read_lock ( & tasklist_lock ) ;
2010-04-01 17:13:57 +04:00
if ( pid_alive ( task ) )
oom: badness heuristic rewrite
This a complete rewrite of the oom killer's badness() heuristic which is
used to determine which task to kill in oom conditions. The goal is to
make it as simple and predictable as possible so the results are better
understood and we end up killing the task which will lead to the most
memory freeing while still respecting the fine-tuning from userspace.
Instead of basing the heuristic on mm->total_vm for each task, the task's
rss and swap space is used instead. This is a better indication of the
amount of memory that will be freeable if the oom killed task is chosen
and subsequently exits. This helps specifically in cases where KDE or
GNOME is chosen for oom kill on desktop systems instead of a memory
hogging task.
The baseline for the heuristic is a proportion of memory that each task is
currently using in memory plus swap compared to the amount of "allowable"
memory. "Allowable," in this sense, means the system-wide resources for
unconstrained oom conditions, the set of mempolicy nodes, the mems
attached to current's cpuset, or a memory controller's limit. The
proportion is given on a scale of 0 (never kill) to 1000 (always kill),
roughly meaning that if a task has a badness() score of 500 that the task
consumes approximately 50% of allowable memory resident in RAM or in swap
space.
The proportion is always relative to the amount of "allowable" memory and
not the total amount of RAM systemwide so that mempolicies and cpusets may
operate in isolation; they shall not need to know the true size of the
machine on which they are running if they are bound to a specific set of
nodes or mems, respectively.
Root tasks are given 3% extra memory just like __vm_enough_memory()
provides in LSMs. In the event of two tasks consuming similar amounts of
memory, it is generally better to save root's task.
Because of the change in the badness() heuristic's baseline, it is also
necessary to introduce a new user interface to tune it. It's not possible
to redefine the meaning of /proc/pid/oom_adj with a new scale since the
ABI cannot be changed for backward compatability. Instead, a new tunable,
/proc/pid/oom_score_adj, is added that ranges from -1000 to +1000. It may
be used to polarize the heuristic such that certain tasks are never
considered for oom kill while others may always be considered. The value
is added directly into the badness() score so a value of -500, for
example, means to discount 50% of its memory consumption in comparison to
other tasks either on the system, bound to the mempolicy, in the cpuset,
or sharing the same memory controller.
/proc/pid/oom_adj is changed so that its meaning is rescaled into the
units used by /proc/pid/oom_score_adj, and vice versa. Changing one of
these per-task tunables will rescale the value of the other to an
equivalent meaning. Although /proc/pid/oom_adj was originally defined as
a bitshift on the badness score, it now shares the same linear growth as
/proc/pid/oom_score_adj but with different granularity. This is required
so the ABI is not broken with userspace applications and allows oom_adj to
be deprecated for future removal.
Signed-off-by: David Rientjes <rientjes@google.com>
Cc: Nick Piggin <npiggin@suse.de>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Balbir Singh <balbir@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-08-10 04:19:46 +04:00
points = oom_badness ( task , NULL , NULL ,
totalram_pages + total_swap_pages ) ;
2007-05-08 11:26:46 +04:00
read_unlock ( & tasklist_lock ) ;
2005-04-17 02:20:36 +04:00
return sprintf ( buffer , " %lu \n " , points ) ;
}
2007-10-19 10:40:37 +04:00
struct limit_names {
char * name ;
char * unit ;
} ;
static const struct limit_names lnames [ RLIM_NLIMITS ] = {
2009-09-23 03:45:32 +04:00
[ RLIMIT_CPU ] = { " Max cpu time " , " seconds " } ,
2007-10-19 10:40:37 +04:00
[ RLIMIT_FSIZE ] = { " Max file size " , " bytes " } ,
[ RLIMIT_DATA ] = { " Max data size " , " bytes " } ,
[ RLIMIT_STACK ] = { " Max stack size " , " bytes " } ,
[ RLIMIT_CORE ] = { " Max core file size " , " bytes " } ,
[ RLIMIT_RSS ] = { " Max resident set " , " bytes " } ,
[ RLIMIT_NPROC ] = { " Max processes " , " processes " } ,
[ RLIMIT_NOFILE ] = { " Max open files " , " files " } ,
[ RLIMIT_MEMLOCK ] = { " Max locked memory " , " bytes " } ,
[ RLIMIT_AS ] = { " Max address space " , " bytes " } ,
[ RLIMIT_LOCKS ] = { " Max file locks " , " locks " } ,
[ RLIMIT_SIGPENDING ] = { " Max pending signals " , " signals " } ,
[ RLIMIT_MSGQUEUE ] = { " Max msgqueue size " , " bytes " } ,
[ RLIMIT_NICE ] = { " Max nice priority " , NULL } ,
[ RLIMIT_RTPRIO ] = { " Max realtime priority " , NULL } ,
2008-02-24 02:23:52 +03:00
[ RLIMIT_RTTIME ] = { " Max realtime timeout " , " us " } ,
2007-10-19 10:40:37 +04:00
} ;
/* Display limits for a process */
static int proc_pid_limits ( struct task_struct * task , char * buffer )
{
unsigned int i ;
int count = 0 ;
unsigned long flags ;
char * bufptr = buffer ;
struct rlimit rlim [ RLIM_NLIMITS ] ;
2008-10-05 00:51:15 +04:00
if ( ! lock_task_sighand ( task , & flags ) )
2007-10-19 10:40:37 +04:00
return 0 ;
memcpy ( rlim , task - > signal - > rlim , sizeof ( struct rlimit ) * RLIM_NLIMITS ) ;
unlock_task_sighand ( task , & flags ) ;
/*
* print the file header
*/
count + = sprintf ( & bufptr [ count ] , " %-25s %-20s %-20s %-10s \n " ,
" Limit " , " Soft Limit " , " Hard Limit " , " Units " ) ;
for ( i = 0 ; i < RLIM_NLIMITS ; i + + ) {
if ( rlim [ i ] . rlim_cur = = RLIM_INFINITY )
count + = sprintf ( & bufptr [ count ] , " %-25s %-20s " ,
lnames [ i ] . name , " unlimited " ) ;
else
count + = sprintf ( & bufptr [ count ] , " %-25s %-20lu " ,
lnames [ i ] . name , rlim [ i ] . rlim_cur ) ;
if ( rlim [ i ] . rlim_max = = RLIM_INFINITY )
count + = sprintf ( & bufptr [ count ] , " %-20s " , " unlimited " ) ;
else
count + = sprintf ( & bufptr [ count ] , " %-20lu " ,
rlim [ i ] . rlim_max ) ;
if ( lnames [ i ] . unit )
count + = sprintf ( & bufptr [ count ] , " %-10s \n " ,
lnames [ i ] . unit ) ;
else
count + = sprintf ( & bufptr [ count ] , " \n " ) ;
}
return count ;
}
2008-07-26 06:46:00 +04:00
# ifdef CONFIG_HAVE_ARCH_TRACEHOOK
static int proc_pid_syscall ( struct task_struct * task , char * buffer )
{
long nr ;
unsigned long args [ 6 ] , sp , pc ;
2011-03-23 22:52:50 +03:00
int res = lock_trace ( task ) ;
if ( res )
return res ;
2008-07-26 06:46:00 +04:00
if ( task_current_syscall ( task , & nr , args , 6 , & sp , & pc ) )
2011-03-23 22:52:50 +03:00
res = sprintf ( buffer , " running \n " ) ;
else if ( nr < 0 )
res = sprintf ( buffer , " %ld 0x%lx 0x%lx \n " , nr , sp , pc ) ;
else
res = sprintf ( buffer ,
2008-07-26 06:46:00 +04:00
" %ld 0x%lx 0x%lx 0x%lx 0x%lx 0x%lx 0x%lx 0x%lx 0x%lx \n " ,
nr ,
args [ 0 ] , args [ 1 ] , args [ 2 ] , args [ 3 ] , args [ 4 ] , args [ 5 ] ,
sp , pc ) ;
2011-03-23 22:52:50 +03:00
unlock_trace ( task ) ;
return res ;
2008-07-26 06:46:00 +04:00
}
# endif /* CONFIG_HAVE_ARCH_TRACEHOOK */
2005-04-17 02:20:36 +04:00
/************************************************************************/
/* Here the fs part begins */
/************************************************************************/
/* permission checks */
2006-06-26 11:25:58 +04:00
static int proc_fd_access_allowed ( struct inode * inode )
2005-04-17 02:20:36 +04:00
{
2006-06-26 11:25:58 +04:00
struct task_struct * task ;
int allowed = 0 ;
2006-06-26 11:25:59 +04:00
/* Allow access to a task's file descriptors if it is us or we
* may use ptrace attach to the process and find out that
* information .
2006-06-26 11:25:58 +04:00
*/
task = get_proc_task ( inode ) ;
2006-06-26 11:25:59 +04:00
if ( task ) {
Security: split proc ptrace checking into read vs. attach
Enable security modules to distinguish reading of process state via
proc from full ptrace access by renaming ptrace_may_attach to
ptrace_may_access and adding a mode argument indicating whether only
read access or full attach access is requested. This allows security
modules to permit access to reading process state without granting
full ptrace access. The base DAC/capability checking remains unchanged.
Read access to /proc/pid/mem continues to apply a full ptrace attach
check since check_mem_permission() already requires the current task
to already be ptracing the target. The other ptrace checks within
proc for elements like environ, maps, and fds are changed to pass the
read mode instead of attach.
In the SELinux case, we model such reading of process state as a
reading of a proc file labeled with the target process' label. This
enables SELinux policy to permit such reading of process state without
permitting control or manipulation of the target process, as there are
a number of cases where programs probe for such information via proc
but do not need to be able to control the target (e.g. procps,
lsof, PolicyKit, ConsoleKit). At present we have to choose between
allowing full ptrace in policy (more permissive than required/desired)
or breaking functionality (or in some cases just silencing the denials
via dontaudit rules but this can hide genuine attacks).
This version of the patch incorporates comments from Casey Schaufler
(change/replace existing ptrace_may_attach interface, pass access
mode), and Chris Wright (provide greater consistency in the checking).
Note that like their predecessors __ptrace_may_attach and
ptrace_may_attach, the __ptrace_may_access and ptrace_may_access
interfaces use different return value conventions from each other (0
or -errno vs. 1 or 0). I retained this difference to avoid any
changes to the caller logic but made the difference clearer by
changing the latter interface to return a bool rather than an int and
by adding a comment about it to ptrace.h for any future callers.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: James Morris <jmorris@namei.org>
2008-05-19 16:32:49 +04:00
allowed = ptrace_may_access ( task , PTRACE_MODE_READ ) ;
2006-06-26 11:25:58 +04:00
put_task_struct ( task ) ;
2006-06-26 11:25:59 +04:00
}
2006-06-26 11:25:58 +04:00
return allowed ;
2005-04-17 02:20:36 +04:00
}
2010-03-08 03:41:34 +03:00
int proc_setattr ( struct dentry * dentry , struct iattr * attr )
2006-07-15 23:26:45 +04:00
{
int error ;
struct inode * inode = dentry - > d_inode ;
if ( attr - > ia_valid & ATTR_MODE )
return - EPERM ;
error = inode_change_ok ( inode , attr ) ;
2010-06-04 13:30:02 +04:00
if ( error )
return error ;
if ( ( attr - > ia_valid & ATTR_SIZE ) & &
attr - > ia_size ! = i_size_read ( inode ) ) {
error = vmtruncate ( inode , attr - > ia_size ) ;
if ( error )
return error ;
}
setattr_copy ( inode , attr ) ;
mark_inode_dirty ( inode ) ;
return 0 ;
2006-07-15 23:26:45 +04:00
}
procfs: add hidepid= and gid= mount options
Add support for mount options to restrict access to /proc/PID/
directories. The default backward-compatible "relaxed" behaviour is left
untouched.
The first mount option is called "hidepid" and its value defines how much
info about processes we want to be available for non-owners:
hidepid=0 (default) means the old behavior - anybody may read all
world-readable /proc/PID/* files.
hidepid=1 means users may not access any /proc/<pid>/ directories, but
their own. Sensitive files like cmdline, sched*, status are now protected
against other users. As permission checking done in proc_pid_permission()
and files' permissions are left untouched, programs expecting specific
files' modes are not confused.
hidepid=2 means hidepid=1 plus all /proc/PID/ will be invisible to other
users. It doesn't mean that it hides whether a process exists (it can be
learned by other means, e.g. by kill -0 $PID), but it hides process' euid
and egid. It compicates intruder's task of gathering info about running
processes, whether some daemon runs with elevated privileges, whether
another user runs some sensitive program, whether other users run any
program at all, etc.
gid=XXX defines a group that will be able to gather all processes' info
(as in hidepid=0 mode). This group should be used instead of putting
nonroot user in sudoers file or something. However, untrusted users (like
daemons, etc.) which are not supposed to monitor the tasks in the whole
system should not be added to the group.
hidepid=1 or higher is designed to restrict access to procfs files, which
might reveal some sensitive private information like precise keystrokes
timings:
http://www.openwall.com/lists/oss-security/2011/11/05/3
hidepid=1/2 doesn't break monitoring userspace tools. ps, top, pgrep, and
conky gracefully handle EPERM/ENOENT and behave as if the current user is
the only user running processes. pstree shows the process subtree which
contains "pstree" process.
Note: the patch doesn't deal with setuid/setgid issues of keeping
preopened descriptors of procfs files (like
https://lkml.org/lkml/2011/2/7/368). We rely on that the leaked
information like the scheduling counters of setuid apps doesn't threaten
anybody's privacy - only the user started the setuid program may read the
counters.
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Randy Dunlap <rdunlap@xenotime.net>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Greg KH <greg@kroah.com>
Cc: Theodore Tso <tytso@MIT.EDU>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: James Morris <jmorris@namei.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Hugh Dickins <hughd@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-01-11 03:11:31 +04:00
/*
* May current process learn task ' s sched / cmdline info ( for hide_pid_min = 1 )
* or euid / egid ( for hide_pid_min = 2 ) ?
*/
static bool has_pid_permissions ( struct pid_namespace * pid ,
struct task_struct * task ,
int hide_pid_min )
{
if ( pid - > hide_pid < hide_pid_min )
return true ;
if ( in_group_p ( pid - > pid_gid ) )
return true ;
return ptrace_may_access ( task , PTRACE_MODE_READ ) ;
}
static int proc_pid_permission ( struct inode * inode , int mask )
{
struct pid_namespace * pid = inode - > i_sb - > s_fs_info ;
struct task_struct * task ;
bool has_perms ;
task = get_proc_task ( inode ) ;
2012-01-13 05:17:08 +04:00
if ( ! task )
return - ESRCH ;
procfs: add hidepid= and gid= mount options
Add support for mount options to restrict access to /proc/PID/
directories. The default backward-compatible "relaxed" behaviour is left
untouched.
The first mount option is called "hidepid" and its value defines how much
info about processes we want to be available for non-owners:
hidepid=0 (default) means the old behavior - anybody may read all
world-readable /proc/PID/* files.
hidepid=1 means users may not access any /proc/<pid>/ directories, but
their own. Sensitive files like cmdline, sched*, status are now protected
against other users. As permission checking done in proc_pid_permission()
and files' permissions are left untouched, programs expecting specific
files' modes are not confused.
hidepid=2 means hidepid=1 plus all /proc/PID/ will be invisible to other
users. It doesn't mean that it hides whether a process exists (it can be
learned by other means, e.g. by kill -0 $PID), but it hides process' euid
and egid. It compicates intruder's task of gathering info about running
processes, whether some daemon runs with elevated privileges, whether
another user runs some sensitive program, whether other users run any
program at all, etc.
gid=XXX defines a group that will be able to gather all processes' info
(as in hidepid=0 mode). This group should be used instead of putting
nonroot user in sudoers file or something. However, untrusted users (like
daemons, etc.) which are not supposed to monitor the tasks in the whole
system should not be added to the group.
hidepid=1 or higher is designed to restrict access to procfs files, which
might reveal some sensitive private information like precise keystrokes
timings:
http://www.openwall.com/lists/oss-security/2011/11/05/3
hidepid=1/2 doesn't break monitoring userspace tools. ps, top, pgrep, and
conky gracefully handle EPERM/ENOENT and behave as if the current user is
the only user running processes. pstree shows the process subtree which
contains "pstree" process.
Note: the patch doesn't deal with setuid/setgid issues of keeping
preopened descriptors of procfs files (like
https://lkml.org/lkml/2011/2/7/368). We rely on that the leaked
information like the scheduling counters of setuid apps doesn't threaten
anybody's privacy - only the user started the setuid program may read the
counters.
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Randy Dunlap <rdunlap@xenotime.net>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Greg KH <greg@kroah.com>
Cc: Theodore Tso <tytso@MIT.EDU>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: James Morris <jmorris@namei.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Hugh Dickins <hughd@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-01-11 03:11:31 +04:00
has_perms = has_pid_permissions ( pid , task , 1 ) ;
put_task_struct ( task ) ;
if ( ! has_perms ) {
if ( pid - > hide_pid = = 2 ) {
/*
* Let ' s make getdents ( ) , stat ( ) , and open ( )
* consistent with each other . If a process
* may not stat ( ) a file , it shouldn ' t be seen
* in procfs at all .
*/
return - ENOENT ;
}
return - EPERM ;
}
return generic_permission ( inode , mask ) ;
}
2007-02-12 11:55:40 +03:00
static const struct inode_operations proc_def_inode_operations = {
2006-07-15 23:26:45 +04:00
. setattr = proc_setattr ,
} ;
2005-04-17 02:20:36 +04:00
# define PROC_BLOCK_SIZE (3*1024) /* 4K page size but our output routines use some slack for overruns */
static ssize_t proc_info_read ( struct file * file , char __user * buf ,
size_t count , loff_t * ppos )
{
2006-12-08 13:36:36 +03:00
struct inode * inode = file - > f_path . dentry - > d_inode ;
2005-04-17 02:20:36 +04:00
unsigned long page ;
ssize_t length ;
2006-06-26 11:25:55 +04:00
struct task_struct * task = get_proc_task ( inode ) ;
length = - ESRCH ;
if ( ! task )
goto out_no_task ;
2005-04-17 02:20:36 +04:00
if ( count > PROC_BLOCK_SIZE )
count = PROC_BLOCK_SIZE ;
2006-06-26 11:25:55 +04:00
length = - ENOMEM ;
2007-10-16 12:25:52 +04:00
if ( ! ( page = __get_free_page ( GFP_TEMPORARY ) ) )
2006-06-26 11:25:55 +04:00
goto out ;
2005-04-17 02:20:36 +04:00
length = PROC_I ( inode ) - > op . proc_read ( task , ( char * ) page ) ;
if ( length > = 0 )
length = simple_read_from_buffer ( buf , count , ppos , ( char * ) page , length ) ;
free_page ( page ) ;
2006-06-26 11:25:55 +04:00
out :
put_task_struct ( task ) ;
out_no_task :
2005-04-17 02:20:36 +04:00
return length ;
}
2007-02-12 11:55:34 +03:00
static const struct file_operations proc_info_file_operations = {
2005-04-17 02:20:36 +04:00
. read = proc_info_read ,
2010-03-18 01:06:02 +03:00
. llseek = generic_file_llseek ,
2005-04-17 02:20:36 +04:00
} ;
2008-02-08 15:18:30 +03:00
static int proc_single_show ( struct seq_file * m , void * v )
{
struct inode * inode = m - > private ;
struct pid_namespace * ns ;
struct pid * pid ;
struct task_struct * task ;
int ret ;
ns = inode - > i_sb - > s_fs_info ;
pid = proc_pid ( inode ) ;
task = get_pid_task ( pid , PIDTYPE_PID ) ;
if ( ! task )
return - ESRCH ;
ret = PROC_I ( inode ) - > op . proc_show ( m , ns , pid , task ) ;
put_task_struct ( task ) ;
return ret ;
}
static int proc_single_open ( struct inode * inode , struct file * filp )
{
2011-01-13 04:00:34 +03:00
return single_open ( filp , proc_single_show , inode ) ;
2008-02-08 15:18:30 +03:00
}
static const struct file_operations proc_single_file_operations = {
. open = proc_single_open ,
. read = seq_read ,
. llseek = seq_lseek ,
. release = single_release ,
} ;
2005-04-17 02:20:36 +04:00
static int mem_open ( struct inode * inode , struct file * file )
{
file - > private_data = ( void * ) ( ( long ) current - > self_exec_id ) ;
2010-10-02 01:20:22 +04:00
/* OK to pass negative loff_t, we can catch out-of-range */
file - > f_mode | = FMODE_UNSIGNED_OFFSET ;
2005-04-17 02:20:36 +04:00
return 0 ;
}
static ssize_t mem_read ( struct file * file , char __user * buf ,
size_t count , loff_t * ppos )
{
2006-12-08 13:36:36 +03:00
struct task_struct * task = get_proc_task ( file - > f_path . dentry - > d_inode ) ;
2005-04-17 02:20:36 +04:00
char * page ;
unsigned long src = * ppos ;
int ret = - ESRCH ;
struct mm_struct * mm ;
2006-06-26 11:25:55 +04:00
if ( ! task )
goto out_no_task ;
2005-04-17 02:20:36 +04:00
ret = - ENOMEM ;
2007-10-16 12:25:52 +04:00
page = ( char * ) __get_free_page ( GFP_TEMPORARY ) ;
2005-04-17 02:20:36 +04:00
if ( ! page )
goto out ;
2011-03-13 22:49:23 +03:00
mm = check_mem_permission ( task ) ;
ret = PTR_ERR ( mm ) ;
if ( IS_ERR ( mm ) )
2005-04-17 02:20:36 +04:00
goto out_free ;
ret = - EIO ;
if ( file - > private_data ! = ( void * ) ( ( long ) current - > self_exec_id ) )
goto out_put ;
ret = 0 ;
while ( count > 0 ) {
int this_len , retval ;
this_len = ( count > PAGE_SIZE ) ? PAGE_SIZE : count ;
2011-03-13 22:49:23 +03:00
retval = access_remote_vm ( mm , src , page , this_len , 0 ) ;
if ( ! retval ) {
2005-04-17 02:20:36 +04:00
if ( ! ret )
ret = - EIO ;
break ;
}
if ( copy_to_user ( buf , page , retval ) ) {
ret = - EFAULT ;
break ;
}
ret + = retval ;
src + = retval ;
buf + = retval ;
count - = retval ;
}
* ppos = src ;
out_put :
mmput ( mm ) ;
out_free :
free_page ( ( unsigned long ) page ) ;
out :
2006-06-26 11:25:55 +04:00
put_task_struct ( task ) ;
out_no_task :
2005-04-17 02:20:36 +04:00
return ret ;
}
2007-02-21 00:58:12 +03:00
static ssize_t mem_write ( struct file * file , const char __user * buf ,
2005-04-17 02:20:36 +04:00
size_t count , loff_t * ppos )
{
2006-09-29 13:01:02 +04:00
int copied ;
2005-04-17 02:20:36 +04:00
char * page ;
2006-12-08 13:36:36 +03:00
struct task_struct * task = get_proc_task ( file - > f_path . dentry - > d_inode ) ;
2005-04-17 02:20:36 +04:00
unsigned long dst = * ppos ;
2011-03-13 22:49:23 +03:00
struct mm_struct * mm ;
2005-04-17 02:20:36 +04:00
2006-06-26 11:25:55 +04:00
copied = - ESRCH ;
if ( ! task )
goto out_no_task ;
2011-05-27 03:25:52 +04:00
copied = - ENOMEM ;
page = ( char * ) __get_free_page ( GFP_TEMPORARY ) ;
if ( ! page )
goto out_task ;
2011-03-13 22:49:23 +03:00
mm = check_mem_permission ( task ) ;
copied = PTR_ERR ( mm ) ;
if ( IS_ERR ( mm ) )
2011-05-27 03:25:52 +04:00
goto out_free ;
2005-04-17 02:20:36 +04:00
2011-03-13 22:49:21 +03:00
copied = - EIO ;
if ( file - > private_data ! = ( void * ) ( ( long ) current - > self_exec_id ) )
2011-03-13 22:49:23 +03:00
goto out_mm ;
2005-04-17 02:20:36 +04:00
2006-09-29 13:01:02 +04:00
copied = 0 ;
2005-04-17 02:20:36 +04:00
while ( count > 0 ) {
int this_len , retval ;
this_len = ( count > PAGE_SIZE ) ? PAGE_SIZE : count ;
if ( copy_from_user ( page , buf , this_len ) ) {
copied = - EFAULT ;
break ;
}
2011-03-13 22:49:23 +03:00
retval = access_remote_vm ( mm , dst , page , this_len , 1 ) ;
2005-04-17 02:20:36 +04:00
if ( ! retval ) {
if ( ! copied )
copied = - EIO ;
break ;
}
copied + = retval ;
buf + = retval ;
dst + = retval ;
count - = retval ;
}
* ppos = dst ;
2011-05-27 03:25:52 +04:00
2011-03-13 22:49:23 +03:00
out_mm :
mmput ( mm ) ;
2011-05-27 03:25:52 +04:00
out_free :
free_page ( ( unsigned long ) page ) ;
2011-03-13 22:49:23 +03:00
out_task :
2006-06-26 11:25:55 +04:00
put_task_struct ( task ) ;
out_no_task :
2005-04-17 02:20:36 +04:00
return copied ;
}
2008-02-05 09:29:04 +03:00
loff_t mem_lseek ( struct file * file , loff_t offset , int orig )
2005-04-17 02:20:36 +04:00
{
switch ( orig ) {
case 0 :
file - > f_pos = offset ;
break ;
case 1 :
file - > f_pos + = offset ;
break ;
default :
return - EINVAL ;
}
force_successful_syscall_return ( ) ;
return file - > f_pos ;
}
2007-02-12 11:55:34 +03:00
static const struct file_operations proc_mem_operations = {
2005-04-17 02:20:36 +04:00
. llseek = mem_lseek ,
. read = mem_read ,
. write = mem_write ,
. open = mem_open ,
} ;
2007-10-17 10:30:17 +04:00
static ssize_t environ_read ( struct file * file , char __user * buf ,
size_t count , loff_t * ppos )
{
struct task_struct * task = get_proc_task ( file - > f_dentry - > d_inode ) ;
char * page ;
unsigned long src = * ppos ;
int ret = - ESRCH ;
struct mm_struct * mm ;
if ( ! task )
goto out_no_task ;
ret = - ENOMEM ;
page = ( char * ) __get_free_page ( GFP_TEMPORARY ) ;
if ( ! page )
goto out ;
2011-02-16 06:26:01 +03:00
mm = mm_for_maps ( task ) ;
ret = PTR_ERR ( mm ) ;
if ( ! mm | | IS_ERR ( mm ) )
2007-10-17 10:30:17 +04:00
goto out_free ;
2011-02-16 06:26:01 +03:00
ret = 0 ;
2007-10-17 10:30:17 +04:00
while ( count > 0 ) {
int this_len , retval , max_len ;
this_len = mm - > env_end - ( mm - > env_start + src ) ;
if ( this_len < = 0 )
break ;
max_len = ( count > PAGE_SIZE ) ? PAGE_SIZE : count ;
this_len = ( this_len > max_len ) ? max_len : this_len ;
retval = access_process_vm ( task , ( mm - > env_start + src ) ,
page , this_len , 0 ) ;
if ( retval < = 0 ) {
ret = retval ;
break ;
}
if ( copy_to_user ( buf , page , retval ) ) {
ret = - EFAULT ;
break ;
}
ret + = retval ;
src + = retval ;
buf + = retval ;
count - = retval ;
}
* ppos = src ;
mmput ( mm ) ;
out_free :
free_page ( ( unsigned long ) page ) ;
out :
put_task_struct ( task ) ;
out_no_task :
return ret ;
}
static const struct file_operations proc_environ_operations = {
. read = environ_read ,
2010-03-18 01:06:02 +03:00
. llseek = generic_file_llseek ,
2007-10-17 10:30:17 +04:00
} ;
2005-04-17 02:20:36 +04:00
static ssize_t oom_adjust_read ( struct file * file , char __user * buf ,
size_t count , loff_t * ppos )
{
2006-12-08 13:36:36 +03:00
struct task_struct * task = get_proc_task ( file - > f_path . dentry - > d_inode ) ;
2006-06-26 11:25:54 +04:00
char buffer [ PROC_NUMBUF ] ;
2005-04-17 02:20:36 +04:00
size_t len ;
oom: move oom_adj value from task_struct to signal_struct
Currently, OOM logic callflow is here.
__out_of_memory()
select_bad_process() for each task
badness() calculate badness of one task
oom_kill_process() search child
oom_kill_task() kill target task and mm shared tasks with it
example, process-A have two thread, thread-A and thread-B and it have very
fat memory and each thread have following oom_adj and oom_score.
thread-A: oom_adj = OOM_DISABLE, oom_score = 0
thread-B: oom_adj = 0, oom_score = very-high
Then, select_bad_process() select thread-B, but oom_kill_task() refuse
kill the task because thread-A have OOM_DISABLE. Thus __out_of_memory()
call select_bad_process() again. but select_bad_process() select the same
task. It mean kernel fall in livelock.
The fact is, select_bad_process() must select killable task. otherwise
OOM logic go into livelock.
And root cause is, oom_adj shouldn't be per-thread value. it should be
per-process value because OOM-killer kill a process, not thread. Thus
This patch moves oomkilladj (now more appropriately named oom_adj) from
struct task_struct to struct signal_struct. it naturally prevent
select_bad_process() choose wrong task.
Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Paul Menage <menage@google.com>
Cc: David Rientjes <rientjes@google.com>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-09-22 04:03:13 +04:00
int oom_adjust = OOM_DISABLE ;
unsigned long flags ;
2005-04-17 02:20:36 +04:00
2006-06-26 11:25:55 +04:00
if ( ! task )
return - ESRCH ;
oom: move oom_adj value from task_struct to signal_struct
Currently, OOM logic callflow is here.
__out_of_memory()
select_bad_process() for each task
badness() calculate badness of one task
oom_kill_process() search child
oom_kill_task() kill target task and mm shared tasks with it
example, process-A have two thread, thread-A and thread-B and it have very
fat memory and each thread have following oom_adj and oom_score.
thread-A: oom_adj = OOM_DISABLE, oom_score = 0
thread-B: oom_adj = 0, oom_score = very-high
Then, select_bad_process() select thread-B, but oom_kill_task() refuse
kill the task because thread-A have OOM_DISABLE. Thus __out_of_memory()
call select_bad_process() again. but select_bad_process() select the same
task. It mean kernel fall in livelock.
The fact is, select_bad_process() must select killable task. otherwise
OOM logic go into livelock.
And root cause is, oom_adj shouldn't be per-thread value. it should be
per-process value because OOM-killer kill a process, not thread. Thus
This patch moves oomkilladj (now more appropriately named oom_adj) from
struct task_struct to struct signal_struct. it naturally prevent
select_bad_process() choose wrong task.
Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Paul Menage <menage@google.com>
Cc: David Rientjes <rientjes@google.com>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-09-22 04:03:13 +04:00
if ( lock_task_sighand ( task , & flags ) ) {
oom_adjust = task - > signal - > oom_adj ;
unlock_task_sighand ( task , & flags ) ;
}
2006-06-26 11:25:55 +04:00
put_task_struct ( task ) ;
2006-06-26 11:25:54 +04:00
len = snprintf ( buffer , sizeof ( buffer ) , " %i \n " , oom_adjust ) ;
2007-05-08 11:31:41 +04:00
return simple_read_from_buffer ( buf , count , ppos , buffer , len ) ;
2005-04-17 02:20:36 +04:00
}
static ssize_t oom_adjust_write ( struct file * file , const char __user * buf ,
size_t count , loff_t * ppos )
{
2006-06-26 11:25:55 +04:00
struct task_struct * task ;
2009-09-22 04:03:16 +04:00
char buffer [ PROC_NUMBUF ] ;
2011-05-27 03:25:50 +04:00
int oom_adjust ;
oom: move oom_adj value from task_struct to signal_struct
Currently, OOM logic callflow is here.
__out_of_memory()
select_bad_process() for each task
badness() calculate badness of one task
oom_kill_process() search child
oom_kill_task() kill target task and mm shared tasks with it
example, process-A have two thread, thread-A and thread-B and it have very
fat memory and each thread have following oom_adj and oom_score.
thread-A: oom_adj = OOM_DISABLE, oom_score = 0
thread-B: oom_adj = 0, oom_score = very-high
Then, select_bad_process() select thread-B, but oom_kill_task() refuse
kill the task because thread-A have OOM_DISABLE. Thus __out_of_memory()
call select_bad_process() again. but select_bad_process() select the same
task. It mean kernel fall in livelock.
The fact is, select_bad_process() must select killable task. otherwise
OOM logic go into livelock.
And root cause is, oom_adj shouldn't be per-thread value. it should be
per-process value because OOM-killer kill a process, not thread. Thus
This patch moves oomkilladj (now more appropriately named oom_adj) from
struct task_struct to struct signal_struct. it naturally prevent
select_bad_process() choose wrong task.
Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Paul Menage <menage@google.com>
Cc: David Rientjes <rientjes@google.com>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-09-22 04:03:13 +04:00
unsigned long flags ;
2009-09-22 04:03:16 +04:00
int err ;
2005-04-17 02:20:36 +04:00
2006-06-26 11:25:54 +04:00
memset ( buffer , 0 , sizeof ( buffer ) ) ;
if ( count > sizeof ( buffer ) - 1 )
count = sizeof ( buffer ) - 1 ;
2010-10-27 01:21:25 +04:00
if ( copy_from_user ( buffer , buf , count ) ) {
err = - EFAULT ;
goto out ;
}
2009-09-22 04:03:16 +04:00
2011-05-27 03:25:50 +04:00
err = kstrtoint ( strstrip ( buffer ) , 0 , & oom_adjust ) ;
2009-09-22 04:03:16 +04:00
if ( err )
2010-10-27 01:21:25 +04:00
goto out ;
2006-10-20 10:28:32 +04:00
if ( ( oom_adjust < OOM_ADJUST_MIN | | oom_adjust > OOM_ADJUST_MAX ) & &
2010-10-27 01:21:25 +04:00
oom_adjust ! = OOM_DISABLE ) {
err = - EINVAL ;
goto out ;
}
2009-09-22 04:03:16 +04:00
2006-12-08 13:36:36 +03:00
task = get_proc_task ( file - > f_path . dentry - > d_inode ) ;
2010-10-27 01:21:25 +04:00
if ( ! task ) {
err = - ESRCH ;
goto out ;
}
2010-10-27 01:21:26 +04:00
task_lock ( task ) ;
if ( ! task - > mm ) {
err = - EINVAL ;
goto err_task_lock ;
}
oom: move oom_adj value from task_struct to signal_struct
Currently, OOM logic callflow is here.
__out_of_memory()
select_bad_process() for each task
badness() calculate badness of one task
oom_kill_process() search child
oom_kill_task() kill target task and mm shared tasks with it
example, process-A have two thread, thread-A and thread-B and it have very
fat memory and each thread have following oom_adj and oom_score.
thread-A: oom_adj = OOM_DISABLE, oom_score = 0
thread-B: oom_adj = 0, oom_score = very-high
Then, select_bad_process() select thread-B, but oom_kill_task() refuse
kill the task because thread-A have OOM_DISABLE. Thus __out_of_memory()
call select_bad_process() again. but select_bad_process() select the same
task. It mean kernel fall in livelock.
The fact is, select_bad_process() must select killable task. otherwise
OOM logic go into livelock.
And root cause is, oom_adj shouldn't be per-thread value. it should be
per-process value because OOM-killer kill a process, not thread. Thus
This patch moves oomkilladj (now more appropriately named oom_adj) from
struct task_struct to struct signal_struct. it naturally prevent
select_bad_process() choose wrong task.
Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Paul Menage <menage@google.com>
Cc: David Rientjes <rientjes@google.com>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-09-22 04:03:13 +04:00
if ( ! lock_task_sighand ( task , & flags ) ) {
2010-10-27 01:21:25 +04:00
err = - ESRCH ;
2010-10-27 01:21:26 +04:00
goto err_task_lock ;
oom: move oom_adj value from task_struct to signal_struct
Currently, OOM logic callflow is here.
__out_of_memory()
select_bad_process() for each task
badness() calculate badness of one task
oom_kill_process() search child
oom_kill_task() kill target task and mm shared tasks with it
example, process-A have two thread, thread-A and thread-B and it have very
fat memory and each thread have following oom_adj and oom_score.
thread-A: oom_adj = OOM_DISABLE, oom_score = 0
thread-B: oom_adj = 0, oom_score = very-high
Then, select_bad_process() select thread-B, but oom_kill_task() refuse
kill the task because thread-A have OOM_DISABLE. Thus __out_of_memory()
call select_bad_process() again. but select_bad_process() select the same
task. It mean kernel fall in livelock.
The fact is, select_bad_process() must select killable task. otherwise
OOM logic go into livelock.
And root cause is, oom_adj shouldn't be per-thread value. it should be
per-process value because OOM-killer kill a process, not thread. Thus
This patch moves oomkilladj (now more appropriately named oom_adj) from
struct task_struct to struct signal_struct. it naturally prevent
select_bad_process() choose wrong task.
Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Paul Menage <menage@google.com>
Cc: David Rientjes <rientjes@google.com>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-09-22 04:03:13 +04:00
}
if ( oom_adjust < task - > signal - > oom_adj & & ! capable ( CAP_SYS_RESOURCE ) ) {
2010-10-27 01:21:25 +04:00
err = - EACCES ;
goto err_sighand ;
2006-12-07 07:32:24 +03:00
}
oom: move oom_adj value from task_struct to signal_struct
Currently, OOM logic callflow is here.
__out_of_memory()
select_bad_process() for each task
badness() calculate badness of one task
oom_kill_process() search child
oom_kill_task() kill target task and mm shared tasks with it
example, process-A have two thread, thread-A and thread-B and it have very
fat memory and each thread have following oom_adj and oom_score.
thread-A: oom_adj = OOM_DISABLE, oom_score = 0
thread-B: oom_adj = 0, oom_score = very-high
Then, select_bad_process() select thread-B, but oom_kill_task() refuse
kill the task because thread-A have OOM_DISABLE. Thus __out_of_memory()
call select_bad_process() again. but select_bad_process() select the same
task. It mean kernel fall in livelock.
The fact is, select_bad_process() must select killable task. otherwise
OOM logic go into livelock.
And root cause is, oom_adj shouldn't be per-thread value. it should be
per-process value because OOM-killer kill a process, not thread. Thus
This patch moves oomkilladj (now more appropriately named oom_adj) from
struct task_struct to struct signal_struct. it naturally prevent
select_bad_process() choose wrong task.
Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Paul Menage <menage@google.com>
Cc: David Rientjes <rientjes@google.com>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-09-22 04:03:13 +04:00
2010-08-10 04:19:47 +04:00
/*
* Warn that / proc / pid / oom_adj is deprecated , see
* Documentation / feature - removal - schedule . txt .
*/
2011-08-06 22:43:08 +04:00
printk_once ( KERN_WARNING " %s (%d): /proc/%d/oom_adj is deprecated, please use /proc/%d/oom_score_adj instead. \n " ,
2011-07-26 04:12:18 +04:00
current - > comm , task_pid_nr ( current ) , task_pid_nr ( task ) ,
task_pid_nr ( task ) ) ;
oom: move oom_adj value from task_struct to signal_struct
Currently, OOM logic callflow is here.
__out_of_memory()
select_bad_process() for each task
badness() calculate badness of one task
oom_kill_process() search child
oom_kill_task() kill target task and mm shared tasks with it
example, process-A have two thread, thread-A and thread-B and it have very
fat memory and each thread have following oom_adj and oom_score.
thread-A: oom_adj = OOM_DISABLE, oom_score = 0
thread-B: oom_adj = 0, oom_score = very-high
Then, select_bad_process() select thread-B, but oom_kill_task() refuse
kill the task because thread-A have OOM_DISABLE. Thus __out_of_memory()
call select_bad_process() again. but select_bad_process() select the same
task. It mean kernel fall in livelock.
The fact is, select_bad_process() must select killable task. otherwise
OOM logic go into livelock.
And root cause is, oom_adj shouldn't be per-thread value. it should be
per-process value because OOM-killer kill a process, not thread. Thus
This patch moves oomkilladj (now more appropriately named oom_adj) from
struct task_struct to struct signal_struct. it naturally prevent
select_bad_process() choose wrong task.
Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Paul Menage <menage@google.com>
Cc: David Rientjes <rientjes@google.com>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-09-22 04:03:13 +04:00
task - > signal - > oom_adj = oom_adjust ;
oom: badness heuristic rewrite
This a complete rewrite of the oom killer's badness() heuristic which is
used to determine which task to kill in oom conditions. The goal is to
make it as simple and predictable as possible so the results are better
understood and we end up killing the task which will lead to the most
memory freeing while still respecting the fine-tuning from userspace.
Instead of basing the heuristic on mm->total_vm for each task, the task's
rss and swap space is used instead. This is a better indication of the
amount of memory that will be freeable if the oom killed task is chosen
and subsequently exits. This helps specifically in cases where KDE or
GNOME is chosen for oom kill on desktop systems instead of a memory
hogging task.
The baseline for the heuristic is a proportion of memory that each task is
currently using in memory plus swap compared to the amount of "allowable"
memory. "Allowable," in this sense, means the system-wide resources for
unconstrained oom conditions, the set of mempolicy nodes, the mems
attached to current's cpuset, or a memory controller's limit. The
proportion is given on a scale of 0 (never kill) to 1000 (always kill),
roughly meaning that if a task has a badness() score of 500 that the task
consumes approximately 50% of allowable memory resident in RAM or in swap
space.
The proportion is always relative to the amount of "allowable" memory and
not the total amount of RAM systemwide so that mempolicies and cpusets may
operate in isolation; they shall not need to know the true size of the
machine on which they are running if they are bound to a specific set of
nodes or mems, respectively.
Root tasks are given 3% extra memory just like __vm_enough_memory()
provides in LSMs. In the event of two tasks consuming similar amounts of
memory, it is generally better to save root's task.
Because of the change in the badness() heuristic's baseline, it is also
necessary to introduce a new user interface to tune it. It's not possible
to redefine the meaning of /proc/pid/oom_adj with a new scale since the
ABI cannot be changed for backward compatability. Instead, a new tunable,
/proc/pid/oom_score_adj, is added that ranges from -1000 to +1000. It may
be used to polarize the heuristic such that certain tasks are never
considered for oom kill while others may always be considered. The value
is added directly into the badness() score so a value of -500, for
example, means to discount 50% of its memory consumption in comparison to
other tasks either on the system, bound to the mempolicy, in the cpuset,
or sharing the same memory controller.
/proc/pid/oom_adj is changed so that its meaning is rescaled into the
units used by /proc/pid/oom_score_adj, and vice versa. Changing one of
these per-task tunables will rescale the value of the other to an
equivalent meaning. Although /proc/pid/oom_adj was originally defined as
a bitshift on the badness score, it now shares the same linear growth as
/proc/pid/oom_score_adj but with different granularity. This is required
so the ABI is not broken with userspace applications and allows oom_adj to
be deprecated for future removal.
Signed-off-by: David Rientjes <rientjes@google.com>
Cc: Nick Piggin <npiggin@suse.de>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Balbir Singh <balbir@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-08-10 04:19:46 +04:00
/*
* Scale / proc / pid / oom_score_adj appropriately ensuring that a maximum
* value is always attainable .
*/
if ( task - > signal - > oom_adj = = OOM_ADJUST_MAX )
task - > signal - > oom_score_adj = OOM_SCORE_ADJ_MAX ;
else
task - > signal - > oom_score_adj = ( oom_adjust * OOM_SCORE_ADJ_MAX ) /
- OOM_DISABLE ;
2012-01-11 03:08:09 +04:00
trace_oom_score_adj_update ( task ) ;
2010-10-27 01:21:25 +04:00
err_sighand :
oom: move oom_adj value from task_struct to signal_struct
Currently, OOM logic callflow is here.
__out_of_memory()
select_bad_process() for each task
badness() calculate badness of one task
oom_kill_process() search child
oom_kill_task() kill target task and mm shared tasks with it
example, process-A have two thread, thread-A and thread-B and it have very
fat memory and each thread have following oom_adj and oom_score.
thread-A: oom_adj = OOM_DISABLE, oom_score = 0
thread-B: oom_adj = 0, oom_score = very-high
Then, select_bad_process() select thread-B, but oom_kill_task() refuse
kill the task because thread-A have OOM_DISABLE. Thus __out_of_memory()
call select_bad_process() again. but select_bad_process() select the same
task. It mean kernel fall in livelock.
The fact is, select_bad_process() must select killable task. otherwise
OOM logic go into livelock.
And root cause is, oom_adj shouldn't be per-thread value. it should be
per-process value because OOM-killer kill a process, not thread. Thus
This patch moves oomkilladj (now more appropriately named oom_adj) from
struct task_struct to struct signal_struct. it naturally prevent
select_bad_process() choose wrong task.
Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Paul Menage <menage@google.com>
Cc: David Rientjes <rientjes@google.com>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-09-22 04:03:13 +04:00
unlock_task_sighand ( task , & flags ) ;
2010-10-27 01:21:26 +04:00
err_task_lock :
task_unlock ( task ) ;
2006-06-26 11:25:55 +04:00
put_task_struct ( task ) ;
2010-10-27 01:21:25 +04:00
out :
return err < 0 ? err : count ;
2005-04-17 02:20:36 +04:00
}
2007-02-12 11:55:34 +03:00
static const struct file_operations proc_oom_adjust_operations = {
2005-04-17 02:20:36 +04:00
. read = oom_adjust_read ,
. write = oom_adjust_write ,
2010-03-18 01:06:02 +03:00
. llseek = generic_file_llseek ,
2005-04-17 02:20:36 +04:00
} ;
oom: badness heuristic rewrite
This a complete rewrite of the oom killer's badness() heuristic which is
used to determine which task to kill in oom conditions. The goal is to
make it as simple and predictable as possible so the results are better
understood and we end up killing the task which will lead to the most
memory freeing while still respecting the fine-tuning from userspace.
Instead of basing the heuristic on mm->total_vm for each task, the task's
rss and swap space is used instead. This is a better indication of the
amount of memory that will be freeable if the oom killed task is chosen
and subsequently exits. This helps specifically in cases where KDE or
GNOME is chosen for oom kill on desktop systems instead of a memory
hogging task.
The baseline for the heuristic is a proportion of memory that each task is
currently using in memory plus swap compared to the amount of "allowable"
memory. "Allowable," in this sense, means the system-wide resources for
unconstrained oom conditions, the set of mempolicy nodes, the mems
attached to current's cpuset, or a memory controller's limit. The
proportion is given on a scale of 0 (never kill) to 1000 (always kill),
roughly meaning that if a task has a badness() score of 500 that the task
consumes approximately 50% of allowable memory resident in RAM or in swap
space.
The proportion is always relative to the amount of "allowable" memory and
not the total amount of RAM systemwide so that mempolicies and cpusets may
operate in isolation; they shall not need to know the true size of the
machine on which they are running if they are bound to a specific set of
nodes or mems, respectively.
Root tasks are given 3% extra memory just like __vm_enough_memory()
provides in LSMs. In the event of two tasks consuming similar amounts of
memory, it is generally better to save root's task.
Because of the change in the badness() heuristic's baseline, it is also
necessary to introduce a new user interface to tune it. It's not possible
to redefine the meaning of /proc/pid/oom_adj with a new scale since the
ABI cannot be changed for backward compatability. Instead, a new tunable,
/proc/pid/oom_score_adj, is added that ranges from -1000 to +1000. It may
be used to polarize the heuristic such that certain tasks are never
considered for oom kill while others may always be considered. The value
is added directly into the badness() score so a value of -500, for
example, means to discount 50% of its memory consumption in comparison to
other tasks either on the system, bound to the mempolicy, in the cpuset,
or sharing the same memory controller.
/proc/pid/oom_adj is changed so that its meaning is rescaled into the
units used by /proc/pid/oom_score_adj, and vice versa. Changing one of
these per-task tunables will rescale the value of the other to an
equivalent meaning. Although /proc/pid/oom_adj was originally defined as
a bitshift on the badness score, it now shares the same linear growth as
/proc/pid/oom_score_adj but with different granularity. This is required
so the ABI is not broken with userspace applications and allows oom_adj to
be deprecated for future removal.
Signed-off-by: David Rientjes <rientjes@google.com>
Cc: Nick Piggin <npiggin@suse.de>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Balbir Singh <balbir@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-08-10 04:19:46 +04:00
static ssize_t oom_score_adj_read ( struct file * file , char __user * buf ,
size_t count , loff_t * ppos )
{
struct task_struct * task = get_proc_task ( file - > f_path . dentry - > d_inode ) ;
char buffer [ PROC_NUMBUF ] ;
int oom_score_adj = OOM_SCORE_ADJ_MIN ;
unsigned long flags ;
size_t len ;
if ( ! task )
return - ESRCH ;
if ( lock_task_sighand ( task , & flags ) ) {
oom_score_adj = task - > signal - > oom_score_adj ;
unlock_task_sighand ( task , & flags ) ;
}
put_task_struct ( task ) ;
len = snprintf ( buffer , sizeof ( buffer ) , " %d \n " , oom_score_adj ) ;
return simple_read_from_buffer ( buf , count , ppos , buffer , len ) ;
}
static ssize_t oom_score_adj_write ( struct file * file , const char __user * buf ,
size_t count , loff_t * ppos )
{
struct task_struct * task ;
char buffer [ PROC_NUMBUF ] ;
unsigned long flags ;
2011-05-27 03:25:50 +04:00
int oom_score_adj ;
oom: badness heuristic rewrite
This a complete rewrite of the oom killer's badness() heuristic which is
used to determine which task to kill in oom conditions. The goal is to
make it as simple and predictable as possible so the results are better
understood and we end up killing the task which will lead to the most
memory freeing while still respecting the fine-tuning from userspace.
Instead of basing the heuristic on mm->total_vm for each task, the task's
rss and swap space is used instead. This is a better indication of the
amount of memory that will be freeable if the oom killed task is chosen
and subsequently exits. This helps specifically in cases where KDE or
GNOME is chosen for oom kill on desktop systems instead of a memory
hogging task.
The baseline for the heuristic is a proportion of memory that each task is
currently using in memory plus swap compared to the amount of "allowable"
memory. "Allowable," in this sense, means the system-wide resources for
unconstrained oom conditions, the set of mempolicy nodes, the mems
attached to current's cpuset, or a memory controller's limit. The
proportion is given on a scale of 0 (never kill) to 1000 (always kill),
roughly meaning that if a task has a badness() score of 500 that the task
consumes approximately 50% of allowable memory resident in RAM or in swap
space.
The proportion is always relative to the amount of "allowable" memory and
not the total amount of RAM systemwide so that mempolicies and cpusets may
operate in isolation; they shall not need to know the true size of the
machine on which they are running if they are bound to a specific set of
nodes or mems, respectively.
Root tasks are given 3% extra memory just like __vm_enough_memory()
provides in LSMs. In the event of two tasks consuming similar amounts of
memory, it is generally better to save root's task.
Because of the change in the badness() heuristic's baseline, it is also
necessary to introduce a new user interface to tune it. It's not possible
to redefine the meaning of /proc/pid/oom_adj with a new scale since the
ABI cannot be changed for backward compatability. Instead, a new tunable,
/proc/pid/oom_score_adj, is added that ranges from -1000 to +1000. It may
be used to polarize the heuristic such that certain tasks are never
considered for oom kill while others may always be considered. The value
is added directly into the badness() score so a value of -500, for
example, means to discount 50% of its memory consumption in comparison to
other tasks either on the system, bound to the mempolicy, in the cpuset,
or sharing the same memory controller.
/proc/pid/oom_adj is changed so that its meaning is rescaled into the
units used by /proc/pid/oom_score_adj, and vice versa. Changing one of
these per-task tunables will rescale the value of the other to an
equivalent meaning. Although /proc/pid/oom_adj was originally defined as
a bitshift on the badness score, it now shares the same linear growth as
/proc/pid/oom_score_adj but with different granularity. This is required
so the ABI is not broken with userspace applications and allows oom_adj to
be deprecated for future removal.
Signed-off-by: David Rientjes <rientjes@google.com>
Cc: Nick Piggin <npiggin@suse.de>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Balbir Singh <balbir@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-08-10 04:19:46 +04:00
int err ;
memset ( buffer , 0 , sizeof ( buffer ) ) ;
if ( count > sizeof ( buffer ) - 1 )
count = sizeof ( buffer ) - 1 ;
2010-10-27 01:21:25 +04:00
if ( copy_from_user ( buffer , buf , count ) ) {
err = - EFAULT ;
goto out ;
}
oom: badness heuristic rewrite
This a complete rewrite of the oom killer's badness() heuristic which is
used to determine which task to kill in oom conditions. The goal is to
make it as simple and predictable as possible so the results are better
understood and we end up killing the task which will lead to the most
memory freeing while still respecting the fine-tuning from userspace.
Instead of basing the heuristic on mm->total_vm for each task, the task's
rss and swap space is used instead. This is a better indication of the
amount of memory that will be freeable if the oom killed task is chosen
and subsequently exits. This helps specifically in cases where KDE or
GNOME is chosen for oom kill on desktop systems instead of a memory
hogging task.
The baseline for the heuristic is a proportion of memory that each task is
currently using in memory plus swap compared to the amount of "allowable"
memory. "Allowable," in this sense, means the system-wide resources for
unconstrained oom conditions, the set of mempolicy nodes, the mems
attached to current's cpuset, or a memory controller's limit. The
proportion is given on a scale of 0 (never kill) to 1000 (always kill),
roughly meaning that if a task has a badness() score of 500 that the task
consumes approximately 50% of allowable memory resident in RAM or in swap
space.
The proportion is always relative to the amount of "allowable" memory and
not the total amount of RAM systemwide so that mempolicies and cpusets may
operate in isolation; they shall not need to know the true size of the
machine on which they are running if they are bound to a specific set of
nodes or mems, respectively.
Root tasks are given 3% extra memory just like __vm_enough_memory()
provides in LSMs. In the event of two tasks consuming similar amounts of
memory, it is generally better to save root's task.
Because of the change in the badness() heuristic's baseline, it is also
necessary to introduce a new user interface to tune it. It's not possible
to redefine the meaning of /proc/pid/oom_adj with a new scale since the
ABI cannot be changed for backward compatability. Instead, a new tunable,
/proc/pid/oom_score_adj, is added that ranges from -1000 to +1000. It may
be used to polarize the heuristic such that certain tasks are never
considered for oom kill while others may always be considered. The value
is added directly into the badness() score so a value of -500, for
example, means to discount 50% of its memory consumption in comparison to
other tasks either on the system, bound to the mempolicy, in the cpuset,
or sharing the same memory controller.
/proc/pid/oom_adj is changed so that its meaning is rescaled into the
units used by /proc/pid/oom_score_adj, and vice versa. Changing one of
these per-task tunables will rescale the value of the other to an
equivalent meaning. Although /proc/pid/oom_adj was originally defined as
a bitshift on the badness score, it now shares the same linear growth as
/proc/pid/oom_score_adj but with different granularity. This is required
so the ABI is not broken with userspace applications and allows oom_adj to
be deprecated for future removal.
Signed-off-by: David Rientjes <rientjes@google.com>
Cc: Nick Piggin <npiggin@suse.de>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Balbir Singh <balbir@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-08-10 04:19:46 +04:00
2011-05-27 03:25:50 +04:00
err = kstrtoint ( strstrip ( buffer ) , 0 , & oom_score_adj ) ;
oom: badness heuristic rewrite
This a complete rewrite of the oom killer's badness() heuristic which is
used to determine which task to kill in oom conditions. The goal is to
make it as simple and predictable as possible so the results are better
understood and we end up killing the task which will lead to the most
memory freeing while still respecting the fine-tuning from userspace.
Instead of basing the heuristic on mm->total_vm for each task, the task's
rss and swap space is used instead. This is a better indication of the
amount of memory that will be freeable if the oom killed task is chosen
and subsequently exits. This helps specifically in cases where KDE or
GNOME is chosen for oom kill on desktop systems instead of a memory
hogging task.
The baseline for the heuristic is a proportion of memory that each task is
currently using in memory plus swap compared to the amount of "allowable"
memory. "Allowable," in this sense, means the system-wide resources for
unconstrained oom conditions, the set of mempolicy nodes, the mems
attached to current's cpuset, or a memory controller's limit. The
proportion is given on a scale of 0 (never kill) to 1000 (always kill),
roughly meaning that if a task has a badness() score of 500 that the task
consumes approximately 50% of allowable memory resident in RAM or in swap
space.
The proportion is always relative to the amount of "allowable" memory and
not the total amount of RAM systemwide so that mempolicies and cpusets may
operate in isolation; they shall not need to know the true size of the
machine on which they are running if they are bound to a specific set of
nodes or mems, respectively.
Root tasks are given 3% extra memory just like __vm_enough_memory()
provides in LSMs. In the event of two tasks consuming similar amounts of
memory, it is generally better to save root's task.
Because of the change in the badness() heuristic's baseline, it is also
necessary to introduce a new user interface to tune it. It's not possible
to redefine the meaning of /proc/pid/oom_adj with a new scale since the
ABI cannot be changed for backward compatability. Instead, a new tunable,
/proc/pid/oom_score_adj, is added that ranges from -1000 to +1000. It may
be used to polarize the heuristic such that certain tasks are never
considered for oom kill while others may always be considered. The value
is added directly into the badness() score so a value of -500, for
example, means to discount 50% of its memory consumption in comparison to
other tasks either on the system, bound to the mempolicy, in the cpuset,
or sharing the same memory controller.
/proc/pid/oom_adj is changed so that its meaning is rescaled into the
units used by /proc/pid/oom_score_adj, and vice versa. Changing one of
these per-task tunables will rescale the value of the other to an
equivalent meaning. Although /proc/pid/oom_adj was originally defined as
a bitshift on the badness score, it now shares the same linear growth as
/proc/pid/oom_score_adj but with different granularity. This is required
so the ABI is not broken with userspace applications and allows oom_adj to
be deprecated for future removal.
Signed-off-by: David Rientjes <rientjes@google.com>
Cc: Nick Piggin <npiggin@suse.de>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Balbir Singh <balbir@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-08-10 04:19:46 +04:00
if ( err )
2010-10-27 01:21:25 +04:00
goto out ;
oom: badness heuristic rewrite
This a complete rewrite of the oom killer's badness() heuristic which is
used to determine which task to kill in oom conditions. The goal is to
make it as simple and predictable as possible so the results are better
understood and we end up killing the task which will lead to the most
memory freeing while still respecting the fine-tuning from userspace.
Instead of basing the heuristic on mm->total_vm for each task, the task's
rss and swap space is used instead. This is a better indication of the
amount of memory that will be freeable if the oom killed task is chosen
and subsequently exits. This helps specifically in cases where KDE or
GNOME is chosen for oom kill on desktop systems instead of a memory
hogging task.
The baseline for the heuristic is a proportion of memory that each task is
currently using in memory plus swap compared to the amount of "allowable"
memory. "Allowable," in this sense, means the system-wide resources for
unconstrained oom conditions, the set of mempolicy nodes, the mems
attached to current's cpuset, or a memory controller's limit. The
proportion is given on a scale of 0 (never kill) to 1000 (always kill),
roughly meaning that if a task has a badness() score of 500 that the task
consumes approximately 50% of allowable memory resident in RAM or in swap
space.
The proportion is always relative to the amount of "allowable" memory and
not the total amount of RAM systemwide so that mempolicies and cpusets may
operate in isolation; they shall not need to know the true size of the
machine on which they are running if they are bound to a specific set of
nodes or mems, respectively.
Root tasks are given 3% extra memory just like __vm_enough_memory()
provides in LSMs. In the event of two tasks consuming similar amounts of
memory, it is generally better to save root's task.
Because of the change in the badness() heuristic's baseline, it is also
necessary to introduce a new user interface to tune it. It's not possible
to redefine the meaning of /proc/pid/oom_adj with a new scale since the
ABI cannot be changed for backward compatability. Instead, a new tunable,
/proc/pid/oom_score_adj, is added that ranges from -1000 to +1000. It may
be used to polarize the heuristic such that certain tasks are never
considered for oom kill while others may always be considered. The value
is added directly into the badness() score so a value of -500, for
example, means to discount 50% of its memory consumption in comparison to
other tasks either on the system, bound to the mempolicy, in the cpuset,
or sharing the same memory controller.
/proc/pid/oom_adj is changed so that its meaning is rescaled into the
units used by /proc/pid/oom_score_adj, and vice versa. Changing one of
these per-task tunables will rescale the value of the other to an
equivalent meaning. Although /proc/pid/oom_adj was originally defined as
a bitshift on the badness score, it now shares the same linear growth as
/proc/pid/oom_score_adj but with different granularity. This is required
so the ABI is not broken with userspace applications and allows oom_adj to
be deprecated for future removal.
Signed-off-by: David Rientjes <rientjes@google.com>
Cc: Nick Piggin <npiggin@suse.de>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Balbir Singh <balbir@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-08-10 04:19:46 +04:00
if ( oom_score_adj < OOM_SCORE_ADJ_MIN | |
2010-10-27 01:21:25 +04:00
oom_score_adj > OOM_SCORE_ADJ_MAX ) {
err = - EINVAL ;
goto out ;
}
oom: badness heuristic rewrite
This a complete rewrite of the oom killer's badness() heuristic which is
used to determine which task to kill in oom conditions. The goal is to
make it as simple and predictable as possible so the results are better
understood and we end up killing the task which will lead to the most
memory freeing while still respecting the fine-tuning from userspace.
Instead of basing the heuristic on mm->total_vm for each task, the task's
rss and swap space is used instead. This is a better indication of the
amount of memory that will be freeable if the oom killed task is chosen
and subsequently exits. This helps specifically in cases where KDE or
GNOME is chosen for oom kill on desktop systems instead of a memory
hogging task.
The baseline for the heuristic is a proportion of memory that each task is
currently using in memory plus swap compared to the amount of "allowable"
memory. "Allowable," in this sense, means the system-wide resources for
unconstrained oom conditions, the set of mempolicy nodes, the mems
attached to current's cpuset, or a memory controller's limit. The
proportion is given on a scale of 0 (never kill) to 1000 (always kill),
roughly meaning that if a task has a badness() score of 500 that the task
consumes approximately 50% of allowable memory resident in RAM or in swap
space.
The proportion is always relative to the amount of "allowable" memory and
not the total amount of RAM systemwide so that mempolicies and cpusets may
operate in isolation; they shall not need to know the true size of the
machine on which they are running if they are bound to a specific set of
nodes or mems, respectively.
Root tasks are given 3% extra memory just like __vm_enough_memory()
provides in LSMs. In the event of two tasks consuming similar amounts of
memory, it is generally better to save root's task.
Because of the change in the badness() heuristic's baseline, it is also
necessary to introduce a new user interface to tune it. It's not possible
to redefine the meaning of /proc/pid/oom_adj with a new scale since the
ABI cannot be changed for backward compatability. Instead, a new tunable,
/proc/pid/oom_score_adj, is added that ranges from -1000 to +1000. It may
be used to polarize the heuristic such that certain tasks are never
considered for oom kill while others may always be considered. The value
is added directly into the badness() score so a value of -500, for
example, means to discount 50% of its memory consumption in comparison to
other tasks either on the system, bound to the mempolicy, in the cpuset,
or sharing the same memory controller.
/proc/pid/oom_adj is changed so that its meaning is rescaled into the
units used by /proc/pid/oom_score_adj, and vice versa. Changing one of
these per-task tunables will rescale the value of the other to an
equivalent meaning. Although /proc/pid/oom_adj was originally defined as
a bitshift on the badness score, it now shares the same linear growth as
/proc/pid/oom_score_adj but with different granularity. This is required
so the ABI is not broken with userspace applications and allows oom_adj to
be deprecated for future removal.
Signed-off-by: David Rientjes <rientjes@google.com>
Cc: Nick Piggin <npiggin@suse.de>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Balbir Singh <balbir@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-08-10 04:19:46 +04:00
task = get_proc_task ( file - > f_path . dentry - > d_inode ) ;
2010-10-27 01:21:25 +04:00
if ( ! task ) {
err = - ESRCH ;
goto out ;
}
2010-10-27 01:21:26 +04:00
task_lock ( task ) ;
if ( ! task - > mm ) {
err = - EINVAL ;
goto err_task_lock ;
}
oom: badness heuristic rewrite
This a complete rewrite of the oom killer's badness() heuristic which is
used to determine which task to kill in oom conditions. The goal is to
make it as simple and predictable as possible so the results are better
understood and we end up killing the task which will lead to the most
memory freeing while still respecting the fine-tuning from userspace.
Instead of basing the heuristic on mm->total_vm for each task, the task's
rss and swap space is used instead. This is a better indication of the
amount of memory that will be freeable if the oom killed task is chosen
and subsequently exits. This helps specifically in cases where KDE or
GNOME is chosen for oom kill on desktop systems instead of a memory
hogging task.
The baseline for the heuristic is a proportion of memory that each task is
currently using in memory plus swap compared to the amount of "allowable"
memory. "Allowable," in this sense, means the system-wide resources for
unconstrained oom conditions, the set of mempolicy nodes, the mems
attached to current's cpuset, or a memory controller's limit. The
proportion is given on a scale of 0 (never kill) to 1000 (always kill),
roughly meaning that if a task has a badness() score of 500 that the task
consumes approximately 50% of allowable memory resident in RAM or in swap
space.
The proportion is always relative to the amount of "allowable" memory and
not the total amount of RAM systemwide so that mempolicies and cpusets may
operate in isolation; they shall not need to know the true size of the
machine on which they are running if they are bound to a specific set of
nodes or mems, respectively.
Root tasks are given 3% extra memory just like __vm_enough_memory()
provides in LSMs. In the event of two tasks consuming similar amounts of
memory, it is generally better to save root's task.
Because of the change in the badness() heuristic's baseline, it is also
necessary to introduce a new user interface to tune it. It's not possible
to redefine the meaning of /proc/pid/oom_adj with a new scale since the
ABI cannot be changed for backward compatability. Instead, a new tunable,
/proc/pid/oom_score_adj, is added that ranges from -1000 to +1000. It may
be used to polarize the heuristic such that certain tasks are never
considered for oom kill while others may always be considered. The value
is added directly into the badness() score so a value of -500, for
example, means to discount 50% of its memory consumption in comparison to
other tasks either on the system, bound to the mempolicy, in the cpuset,
or sharing the same memory controller.
/proc/pid/oom_adj is changed so that its meaning is rescaled into the
units used by /proc/pid/oom_score_adj, and vice versa. Changing one of
these per-task tunables will rescale the value of the other to an
equivalent meaning. Although /proc/pid/oom_adj was originally defined as
a bitshift on the badness score, it now shares the same linear growth as
/proc/pid/oom_score_adj but with different granularity. This is required
so the ABI is not broken with userspace applications and allows oom_adj to
be deprecated for future removal.
Signed-off-by: David Rientjes <rientjes@google.com>
Cc: Nick Piggin <npiggin@suse.de>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Balbir Singh <balbir@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-08-10 04:19:46 +04:00
if ( ! lock_task_sighand ( task , & flags ) ) {
2010-10-27 01:21:25 +04:00
err = - ESRCH ;
2010-10-27 01:21:26 +04:00
goto err_task_lock ;
oom: badness heuristic rewrite
This a complete rewrite of the oom killer's badness() heuristic which is
used to determine which task to kill in oom conditions. The goal is to
make it as simple and predictable as possible so the results are better
understood and we end up killing the task which will lead to the most
memory freeing while still respecting the fine-tuning from userspace.
Instead of basing the heuristic on mm->total_vm for each task, the task's
rss and swap space is used instead. This is a better indication of the
amount of memory that will be freeable if the oom killed task is chosen
and subsequently exits. This helps specifically in cases where KDE or
GNOME is chosen for oom kill on desktop systems instead of a memory
hogging task.
The baseline for the heuristic is a proportion of memory that each task is
currently using in memory plus swap compared to the amount of "allowable"
memory. "Allowable," in this sense, means the system-wide resources for
unconstrained oom conditions, the set of mempolicy nodes, the mems
attached to current's cpuset, or a memory controller's limit. The
proportion is given on a scale of 0 (never kill) to 1000 (always kill),
roughly meaning that if a task has a badness() score of 500 that the task
consumes approximately 50% of allowable memory resident in RAM or in swap
space.
The proportion is always relative to the amount of "allowable" memory and
not the total amount of RAM systemwide so that mempolicies and cpusets may
operate in isolation; they shall not need to know the true size of the
machine on which they are running if they are bound to a specific set of
nodes or mems, respectively.
Root tasks are given 3% extra memory just like __vm_enough_memory()
provides in LSMs. In the event of two tasks consuming similar amounts of
memory, it is generally better to save root's task.
Because of the change in the badness() heuristic's baseline, it is also
necessary to introduce a new user interface to tune it. It's not possible
to redefine the meaning of /proc/pid/oom_adj with a new scale since the
ABI cannot be changed for backward compatability. Instead, a new tunable,
/proc/pid/oom_score_adj, is added that ranges from -1000 to +1000. It may
be used to polarize the heuristic such that certain tasks are never
considered for oom kill while others may always be considered. The value
is added directly into the badness() score so a value of -500, for
example, means to discount 50% of its memory consumption in comparison to
other tasks either on the system, bound to the mempolicy, in the cpuset,
or sharing the same memory controller.
/proc/pid/oom_adj is changed so that its meaning is rescaled into the
units used by /proc/pid/oom_score_adj, and vice versa. Changing one of
these per-task tunables will rescale the value of the other to an
equivalent meaning. Although /proc/pid/oom_adj was originally defined as
a bitshift on the badness score, it now shares the same linear growth as
/proc/pid/oom_score_adj but with different granularity. This is required
so the ABI is not broken with userspace applications and allows oom_adj to
be deprecated for future removal.
Signed-off-by: David Rientjes <rientjes@google.com>
Cc: Nick Piggin <npiggin@suse.de>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Balbir Singh <balbir@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-08-10 04:19:46 +04:00
}
2010-10-27 01:21:26 +04:00
2011-01-14 02:46:05 +03:00
if ( oom_score_adj < task - > signal - > oom_score_adj_min & &
oom: badness heuristic rewrite
This a complete rewrite of the oom killer's badness() heuristic which is
used to determine which task to kill in oom conditions. The goal is to
make it as simple and predictable as possible so the results are better
understood and we end up killing the task which will lead to the most
memory freeing while still respecting the fine-tuning from userspace.
Instead of basing the heuristic on mm->total_vm for each task, the task's
rss and swap space is used instead. This is a better indication of the
amount of memory that will be freeable if the oom killed task is chosen
and subsequently exits. This helps specifically in cases where KDE or
GNOME is chosen for oom kill on desktop systems instead of a memory
hogging task.
The baseline for the heuristic is a proportion of memory that each task is
currently using in memory plus swap compared to the amount of "allowable"
memory. "Allowable," in this sense, means the system-wide resources for
unconstrained oom conditions, the set of mempolicy nodes, the mems
attached to current's cpuset, or a memory controller's limit. The
proportion is given on a scale of 0 (never kill) to 1000 (always kill),
roughly meaning that if a task has a badness() score of 500 that the task
consumes approximately 50% of allowable memory resident in RAM or in swap
space.
The proportion is always relative to the amount of "allowable" memory and
not the total amount of RAM systemwide so that mempolicies and cpusets may
operate in isolation; they shall not need to know the true size of the
machine on which they are running if they are bound to a specific set of
nodes or mems, respectively.
Root tasks are given 3% extra memory just like __vm_enough_memory()
provides in LSMs. In the event of two tasks consuming similar amounts of
memory, it is generally better to save root's task.
Because of the change in the badness() heuristic's baseline, it is also
necessary to introduce a new user interface to tune it. It's not possible
to redefine the meaning of /proc/pid/oom_adj with a new scale since the
ABI cannot be changed for backward compatability. Instead, a new tunable,
/proc/pid/oom_score_adj, is added that ranges from -1000 to +1000. It may
be used to polarize the heuristic such that certain tasks are never
considered for oom kill while others may always be considered. The value
is added directly into the badness() score so a value of -500, for
example, means to discount 50% of its memory consumption in comparison to
other tasks either on the system, bound to the mempolicy, in the cpuset,
or sharing the same memory controller.
/proc/pid/oom_adj is changed so that its meaning is rescaled into the
units used by /proc/pid/oom_score_adj, and vice versa. Changing one of
these per-task tunables will rescale the value of the other to an
equivalent meaning. Although /proc/pid/oom_adj was originally defined as
a bitshift on the badness score, it now shares the same linear growth as
/proc/pid/oom_score_adj but with different granularity. This is required
so the ABI is not broken with userspace applications and allows oom_adj to
be deprecated for future removal.
Signed-off-by: David Rientjes <rientjes@google.com>
Cc: Nick Piggin <npiggin@suse.de>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Balbir Singh <balbir@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-08-10 04:19:46 +04:00
! capable ( CAP_SYS_RESOURCE ) ) {
2010-10-27 01:21:25 +04:00
err = - EACCES ;
goto err_sighand ;
oom: badness heuristic rewrite
This a complete rewrite of the oom killer's badness() heuristic which is
used to determine which task to kill in oom conditions. The goal is to
make it as simple and predictable as possible so the results are better
understood and we end up killing the task which will lead to the most
memory freeing while still respecting the fine-tuning from userspace.
Instead of basing the heuristic on mm->total_vm for each task, the task's
rss and swap space is used instead. This is a better indication of the
amount of memory that will be freeable if the oom killed task is chosen
and subsequently exits. This helps specifically in cases where KDE or
GNOME is chosen for oom kill on desktop systems instead of a memory
hogging task.
The baseline for the heuristic is a proportion of memory that each task is
currently using in memory plus swap compared to the amount of "allowable"
memory. "Allowable," in this sense, means the system-wide resources for
unconstrained oom conditions, the set of mempolicy nodes, the mems
attached to current's cpuset, or a memory controller's limit. The
proportion is given on a scale of 0 (never kill) to 1000 (always kill),
roughly meaning that if a task has a badness() score of 500 that the task
consumes approximately 50% of allowable memory resident in RAM or in swap
space.
The proportion is always relative to the amount of "allowable" memory and
not the total amount of RAM systemwide so that mempolicies and cpusets may
operate in isolation; they shall not need to know the true size of the
machine on which they are running if they are bound to a specific set of
nodes or mems, respectively.
Root tasks are given 3% extra memory just like __vm_enough_memory()
provides in LSMs. In the event of two tasks consuming similar amounts of
memory, it is generally better to save root's task.
Because of the change in the badness() heuristic's baseline, it is also
necessary to introduce a new user interface to tune it. It's not possible
to redefine the meaning of /proc/pid/oom_adj with a new scale since the
ABI cannot be changed for backward compatability. Instead, a new tunable,
/proc/pid/oom_score_adj, is added that ranges from -1000 to +1000. It may
be used to polarize the heuristic such that certain tasks are never
considered for oom kill while others may always be considered. The value
is added directly into the badness() score so a value of -500, for
example, means to discount 50% of its memory consumption in comparison to
other tasks either on the system, bound to the mempolicy, in the cpuset,
or sharing the same memory controller.
/proc/pid/oom_adj is changed so that its meaning is rescaled into the
units used by /proc/pid/oom_score_adj, and vice versa. Changing one of
these per-task tunables will rescale the value of the other to an
equivalent meaning. Although /proc/pid/oom_adj was originally defined as
a bitshift on the badness score, it now shares the same linear growth as
/proc/pid/oom_score_adj but with different granularity. This is required
so the ABI is not broken with userspace applications and allows oom_adj to
be deprecated for future removal.
Signed-off-by: David Rientjes <rientjes@google.com>
Cc: Nick Piggin <npiggin@suse.de>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Balbir Singh <balbir@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-08-10 04:19:46 +04:00
}
task - > signal - > oom_score_adj = oom_score_adj ;
2011-01-14 02:46:05 +03:00
if ( has_capability_noaudit ( current , CAP_SYS_RESOURCE ) )
task - > signal - > oom_score_adj_min = oom_score_adj ;
2012-01-11 03:08:09 +04:00
trace_oom_score_adj_update ( task ) ;
oom: badness heuristic rewrite
This a complete rewrite of the oom killer's badness() heuristic which is
used to determine which task to kill in oom conditions. The goal is to
make it as simple and predictable as possible so the results are better
understood and we end up killing the task which will lead to the most
memory freeing while still respecting the fine-tuning from userspace.
Instead of basing the heuristic on mm->total_vm for each task, the task's
rss and swap space is used instead. This is a better indication of the
amount of memory that will be freeable if the oom killed task is chosen
and subsequently exits. This helps specifically in cases where KDE or
GNOME is chosen for oom kill on desktop systems instead of a memory
hogging task.
The baseline for the heuristic is a proportion of memory that each task is
currently using in memory plus swap compared to the amount of "allowable"
memory. "Allowable," in this sense, means the system-wide resources for
unconstrained oom conditions, the set of mempolicy nodes, the mems
attached to current's cpuset, or a memory controller's limit. The
proportion is given on a scale of 0 (never kill) to 1000 (always kill),
roughly meaning that if a task has a badness() score of 500 that the task
consumes approximately 50% of allowable memory resident in RAM or in swap
space.
The proportion is always relative to the amount of "allowable" memory and
not the total amount of RAM systemwide so that mempolicies and cpusets may
operate in isolation; they shall not need to know the true size of the
machine on which they are running if they are bound to a specific set of
nodes or mems, respectively.
Root tasks are given 3% extra memory just like __vm_enough_memory()
provides in LSMs. In the event of two tasks consuming similar amounts of
memory, it is generally better to save root's task.
Because of the change in the badness() heuristic's baseline, it is also
necessary to introduce a new user interface to tune it. It's not possible
to redefine the meaning of /proc/pid/oom_adj with a new scale since the
ABI cannot be changed for backward compatability. Instead, a new tunable,
/proc/pid/oom_score_adj, is added that ranges from -1000 to +1000. It may
be used to polarize the heuristic such that certain tasks are never
considered for oom kill while others may always be considered. The value
is added directly into the badness() score so a value of -500, for
example, means to discount 50% of its memory consumption in comparison to
other tasks either on the system, bound to the mempolicy, in the cpuset,
or sharing the same memory controller.
/proc/pid/oom_adj is changed so that its meaning is rescaled into the
units used by /proc/pid/oom_score_adj, and vice versa. Changing one of
these per-task tunables will rescale the value of the other to an
equivalent meaning. Although /proc/pid/oom_adj was originally defined as
a bitshift on the badness score, it now shares the same linear growth as
/proc/pid/oom_score_adj but with different granularity. This is required
so the ABI is not broken with userspace applications and allows oom_adj to
be deprecated for future removal.
Signed-off-by: David Rientjes <rientjes@google.com>
Cc: Nick Piggin <npiggin@suse.de>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Balbir Singh <balbir@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-08-10 04:19:46 +04:00
/*
* Scale / proc / pid / oom_adj appropriately ensuring that OOM_DISABLE is
* always attainable .
*/
if ( task - > signal - > oom_score_adj = = OOM_SCORE_ADJ_MIN )
task - > signal - > oom_adj = OOM_DISABLE ;
else
task - > signal - > oom_adj = ( oom_score_adj * OOM_ADJUST_MAX ) /
OOM_SCORE_ADJ_MAX ;
2010-10-27 01:21:25 +04:00
err_sighand :
oom: badness heuristic rewrite
This a complete rewrite of the oom killer's badness() heuristic which is
used to determine which task to kill in oom conditions. The goal is to
make it as simple and predictable as possible so the results are better
understood and we end up killing the task which will lead to the most
memory freeing while still respecting the fine-tuning from userspace.
Instead of basing the heuristic on mm->total_vm for each task, the task's
rss and swap space is used instead. This is a better indication of the
amount of memory that will be freeable if the oom killed task is chosen
and subsequently exits. This helps specifically in cases where KDE or
GNOME is chosen for oom kill on desktop systems instead of a memory
hogging task.
The baseline for the heuristic is a proportion of memory that each task is
currently using in memory plus swap compared to the amount of "allowable"
memory. "Allowable," in this sense, means the system-wide resources for
unconstrained oom conditions, the set of mempolicy nodes, the mems
attached to current's cpuset, or a memory controller's limit. The
proportion is given on a scale of 0 (never kill) to 1000 (always kill),
roughly meaning that if a task has a badness() score of 500 that the task
consumes approximately 50% of allowable memory resident in RAM or in swap
space.
The proportion is always relative to the amount of "allowable" memory and
not the total amount of RAM systemwide so that mempolicies and cpusets may
operate in isolation; they shall not need to know the true size of the
machine on which they are running if they are bound to a specific set of
nodes or mems, respectively.
Root tasks are given 3% extra memory just like __vm_enough_memory()
provides in LSMs. In the event of two tasks consuming similar amounts of
memory, it is generally better to save root's task.
Because of the change in the badness() heuristic's baseline, it is also
necessary to introduce a new user interface to tune it. It's not possible
to redefine the meaning of /proc/pid/oom_adj with a new scale since the
ABI cannot be changed for backward compatability. Instead, a new tunable,
/proc/pid/oom_score_adj, is added that ranges from -1000 to +1000. It may
be used to polarize the heuristic such that certain tasks are never
considered for oom kill while others may always be considered. The value
is added directly into the badness() score so a value of -500, for
example, means to discount 50% of its memory consumption in comparison to
other tasks either on the system, bound to the mempolicy, in the cpuset,
or sharing the same memory controller.
/proc/pid/oom_adj is changed so that its meaning is rescaled into the
units used by /proc/pid/oom_score_adj, and vice versa. Changing one of
these per-task tunables will rescale the value of the other to an
equivalent meaning. Although /proc/pid/oom_adj was originally defined as
a bitshift on the badness score, it now shares the same linear growth as
/proc/pid/oom_score_adj but with different granularity. This is required
so the ABI is not broken with userspace applications and allows oom_adj to
be deprecated for future removal.
Signed-off-by: David Rientjes <rientjes@google.com>
Cc: Nick Piggin <npiggin@suse.de>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Balbir Singh <balbir@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-08-10 04:19:46 +04:00
unlock_task_sighand ( task , & flags ) ;
2010-10-27 01:21:26 +04:00
err_task_lock :
task_unlock ( task ) ;
oom: badness heuristic rewrite
This a complete rewrite of the oom killer's badness() heuristic which is
used to determine which task to kill in oom conditions. The goal is to
make it as simple and predictable as possible so the results are better
understood and we end up killing the task which will lead to the most
memory freeing while still respecting the fine-tuning from userspace.
Instead of basing the heuristic on mm->total_vm for each task, the task's
rss and swap space is used instead. This is a better indication of the
amount of memory that will be freeable if the oom killed task is chosen
and subsequently exits. This helps specifically in cases where KDE or
GNOME is chosen for oom kill on desktop systems instead of a memory
hogging task.
The baseline for the heuristic is a proportion of memory that each task is
currently using in memory plus swap compared to the amount of "allowable"
memory. "Allowable," in this sense, means the system-wide resources for
unconstrained oom conditions, the set of mempolicy nodes, the mems
attached to current's cpuset, or a memory controller's limit. The
proportion is given on a scale of 0 (never kill) to 1000 (always kill),
roughly meaning that if a task has a badness() score of 500 that the task
consumes approximately 50% of allowable memory resident in RAM or in swap
space.
The proportion is always relative to the amount of "allowable" memory and
not the total amount of RAM systemwide so that mempolicies and cpusets may
operate in isolation; they shall not need to know the true size of the
machine on which they are running if they are bound to a specific set of
nodes or mems, respectively.
Root tasks are given 3% extra memory just like __vm_enough_memory()
provides in LSMs. In the event of two tasks consuming similar amounts of
memory, it is generally better to save root's task.
Because of the change in the badness() heuristic's baseline, it is also
necessary to introduce a new user interface to tune it. It's not possible
to redefine the meaning of /proc/pid/oom_adj with a new scale since the
ABI cannot be changed for backward compatability. Instead, a new tunable,
/proc/pid/oom_score_adj, is added that ranges from -1000 to +1000. It may
be used to polarize the heuristic such that certain tasks are never
considered for oom kill while others may always be considered. The value
is added directly into the badness() score so a value of -500, for
example, means to discount 50% of its memory consumption in comparison to
other tasks either on the system, bound to the mempolicy, in the cpuset,
or sharing the same memory controller.
/proc/pid/oom_adj is changed so that its meaning is rescaled into the
units used by /proc/pid/oom_score_adj, and vice versa. Changing one of
these per-task tunables will rescale the value of the other to an
equivalent meaning. Although /proc/pid/oom_adj was originally defined as
a bitshift on the badness score, it now shares the same linear growth as
/proc/pid/oom_score_adj but with different granularity. This is required
so the ABI is not broken with userspace applications and allows oom_adj to
be deprecated for future removal.
Signed-off-by: David Rientjes <rientjes@google.com>
Cc: Nick Piggin <npiggin@suse.de>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Balbir Singh <balbir@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-08-10 04:19:46 +04:00
put_task_struct ( task ) ;
2010-10-27 01:21:25 +04:00
out :
return err < 0 ? err : count ;
oom: badness heuristic rewrite
This a complete rewrite of the oom killer's badness() heuristic which is
used to determine which task to kill in oom conditions. The goal is to
make it as simple and predictable as possible so the results are better
understood and we end up killing the task which will lead to the most
memory freeing while still respecting the fine-tuning from userspace.
Instead of basing the heuristic on mm->total_vm for each task, the task's
rss and swap space is used instead. This is a better indication of the
amount of memory that will be freeable if the oom killed task is chosen
and subsequently exits. This helps specifically in cases where KDE or
GNOME is chosen for oom kill on desktop systems instead of a memory
hogging task.
The baseline for the heuristic is a proportion of memory that each task is
currently using in memory plus swap compared to the amount of "allowable"
memory. "Allowable," in this sense, means the system-wide resources for
unconstrained oom conditions, the set of mempolicy nodes, the mems
attached to current's cpuset, or a memory controller's limit. The
proportion is given on a scale of 0 (never kill) to 1000 (always kill),
roughly meaning that if a task has a badness() score of 500 that the task
consumes approximately 50% of allowable memory resident in RAM or in swap
space.
The proportion is always relative to the amount of "allowable" memory and
not the total amount of RAM systemwide so that mempolicies and cpusets may
operate in isolation; they shall not need to know the true size of the
machine on which they are running if they are bound to a specific set of
nodes or mems, respectively.
Root tasks are given 3% extra memory just like __vm_enough_memory()
provides in LSMs. In the event of two tasks consuming similar amounts of
memory, it is generally better to save root's task.
Because of the change in the badness() heuristic's baseline, it is also
necessary to introduce a new user interface to tune it. It's not possible
to redefine the meaning of /proc/pid/oom_adj with a new scale since the
ABI cannot be changed for backward compatability. Instead, a new tunable,
/proc/pid/oom_score_adj, is added that ranges from -1000 to +1000. It may
be used to polarize the heuristic such that certain tasks are never
considered for oom kill while others may always be considered. The value
is added directly into the badness() score so a value of -500, for
example, means to discount 50% of its memory consumption in comparison to
other tasks either on the system, bound to the mempolicy, in the cpuset,
or sharing the same memory controller.
/proc/pid/oom_adj is changed so that its meaning is rescaled into the
units used by /proc/pid/oom_score_adj, and vice versa. Changing one of
these per-task tunables will rescale the value of the other to an
equivalent meaning. Although /proc/pid/oom_adj was originally defined as
a bitshift on the badness score, it now shares the same linear growth as
/proc/pid/oom_score_adj but with different granularity. This is required
so the ABI is not broken with userspace applications and allows oom_adj to
be deprecated for future removal.
Signed-off-by: David Rientjes <rientjes@google.com>
Cc: Nick Piggin <npiggin@suse.de>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Balbir Singh <balbir@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-08-10 04:19:46 +04:00
}
static const struct file_operations proc_oom_score_adj_operations = {
. read = oom_score_adj_read ,
. write = oom_score_adj_write ,
llseek: automatically add .llseek fop
All file_operations should get a .llseek operation so we can make
nonseekable_open the default for future file operations without a
.llseek pointer.
The three cases that we can automatically detect are no_llseek, seq_lseek
and default_llseek. For cases where we can we can automatically prove that
the file offset is always ignored, we use noop_llseek, which maintains
the current behavior of not returning an error from a seek.
New drivers should normally not use noop_llseek but instead use no_llseek
and call nonseekable_open at open time. Existing drivers can be converted
to do the same when the maintainer knows for certain that no user code
relies on calling seek on the device file.
The generated code is often incorrectly indented and right now contains
comments that clarify for each added line why a specific variant was
chosen. In the version that gets submitted upstream, the comments will
be gone and I will manually fix the indentation, because there does not
seem to be a way to do that using coccinelle.
Some amount of new code is currently sitting in linux-next that should get
the same modifications, which I will do at the end of the merge window.
Many thanks to Julia Lawall for helping me learn to write a semantic
patch that does all this.
===== begin semantic patch =====
// This adds an llseek= method to all file operations,
// as a preparation for making no_llseek the default.
//
// The rules are
// - use no_llseek explicitly if we do nonseekable_open
// - use seq_lseek for sequential files
// - use default_llseek if we know we access f_pos
// - use noop_llseek if we know we don't access f_pos,
// but we still want to allow users to call lseek
//
@ open1 exists @
identifier nested_open;
@@
nested_open(...)
{
<+...
nonseekable_open(...)
...+>
}
@ open exists@
identifier open_f;
identifier i, f;
identifier open1.nested_open;
@@
int open_f(struct inode *i, struct file *f)
{
<+...
(
nonseekable_open(...)
|
nested_open(...)
)
...+>
}
@ read disable optional_qualifier exists @
identifier read_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
expression E;
identifier func;
@@
ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
{
<+...
(
*off = E
|
*off += E
|
func(..., off, ...)
|
E = *off
)
...+>
}
@ read_no_fpos disable optional_qualifier exists @
identifier read_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
@@
ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
{
... when != off
}
@ write @
identifier write_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
expression E;
identifier func;
@@
ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
{
<+...
(
*off = E
|
*off += E
|
func(..., off, ...)
|
E = *off
)
...+>
}
@ write_no_fpos @
identifier write_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
@@
ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
{
... when != off
}
@ fops0 @
identifier fops;
@@
struct file_operations fops = {
...
};
@ has_llseek depends on fops0 @
identifier fops0.fops;
identifier llseek_f;
@@
struct file_operations fops = {
...
.llseek = llseek_f,
...
};
@ has_read depends on fops0 @
identifier fops0.fops;
identifier read_f;
@@
struct file_operations fops = {
...
.read = read_f,
...
};
@ has_write depends on fops0 @
identifier fops0.fops;
identifier write_f;
@@
struct file_operations fops = {
...
.write = write_f,
...
};
@ has_open depends on fops0 @
identifier fops0.fops;
identifier open_f;
@@
struct file_operations fops = {
...
.open = open_f,
...
};
// use no_llseek if we call nonseekable_open
////////////////////////////////////////////
@ nonseekable1 depends on !has_llseek && has_open @
identifier fops0.fops;
identifier nso ~= "nonseekable_open";
@@
struct file_operations fops = {
... .open = nso, ...
+.llseek = no_llseek, /* nonseekable */
};
@ nonseekable2 depends on !has_llseek @
identifier fops0.fops;
identifier open.open_f;
@@
struct file_operations fops = {
... .open = open_f, ...
+.llseek = no_llseek, /* open uses nonseekable */
};
// use seq_lseek for sequential files
/////////////////////////////////////
@ seq depends on !has_llseek @
identifier fops0.fops;
identifier sr ~= "seq_read";
@@
struct file_operations fops = {
... .read = sr, ...
+.llseek = seq_lseek, /* we have seq_read */
};
// use default_llseek if there is a readdir
///////////////////////////////////////////
@ fops1 depends on !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier readdir_e;
@@
// any other fop is used that changes pos
struct file_operations fops = {
... .readdir = readdir_e, ...
+.llseek = default_llseek, /* readdir is present */
};
// use default_llseek if at least one of read/write touches f_pos
/////////////////////////////////////////////////////////////////
@ fops2 depends on !fops1 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read.read_f;
@@
// read fops use offset
struct file_operations fops = {
... .read = read_f, ...
+.llseek = default_llseek, /* read accesses f_pos */
};
@ fops3 depends on !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier write.write_f;
@@
// write fops use offset
struct file_operations fops = {
... .write = write_f, ...
+ .llseek = default_llseek, /* write accesses f_pos */
};
// Use noop_llseek if neither read nor write accesses f_pos
///////////////////////////////////////////////////////////
@ fops4 depends on !fops1 && !fops2 && !fops3 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read_no_fpos.read_f;
identifier write_no_fpos.write_f;
@@
// write fops use offset
struct file_operations fops = {
...
.write = write_f,
.read = read_f,
...
+.llseek = noop_llseek, /* read and write both use no f_pos */
};
@ depends on has_write && !has_read && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier write_no_fpos.write_f;
@@
struct file_operations fops = {
... .write = write_f, ...
+.llseek = noop_llseek, /* write uses no f_pos */
};
@ depends on has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read_no_fpos.read_f;
@@
struct file_operations fops = {
... .read = read_f, ...
+.llseek = noop_llseek, /* read uses no f_pos */
};
@ depends on !has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
@@
struct file_operations fops = {
...
+.llseek = noop_llseek, /* no read or write fn */
};
===== End semantic patch =====
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Cc: Julia Lawall <julia@diku.dk>
Cc: Christoph Hellwig <hch@infradead.org>
2010-08-15 20:52:59 +04:00
. llseek = default_llseek ,
oom: badness heuristic rewrite
This a complete rewrite of the oom killer's badness() heuristic which is
used to determine which task to kill in oom conditions. The goal is to
make it as simple and predictable as possible so the results are better
understood and we end up killing the task which will lead to the most
memory freeing while still respecting the fine-tuning from userspace.
Instead of basing the heuristic on mm->total_vm for each task, the task's
rss and swap space is used instead. This is a better indication of the
amount of memory that will be freeable if the oom killed task is chosen
and subsequently exits. This helps specifically in cases where KDE or
GNOME is chosen for oom kill on desktop systems instead of a memory
hogging task.
The baseline for the heuristic is a proportion of memory that each task is
currently using in memory plus swap compared to the amount of "allowable"
memory. "Allowable," in this sense, means the system-wide resources for
unconstrained oom conditions, the set of mempolicy nodes, the mems
attached to current's cpuset, or a memory controller's limit. The
proportion is given on a scale of 0 (never kill) to 1000 (always kill),
roughly meaning that if a task has a badness() score of 500 that the task
consumes approximately 50% of allowable memory resident in RAM or in swap
space.
The proportion is always relative to the amount of "allowable" memory and
not the total amount of RAM systemwide so that mempolicies and cpusets may
operate in isolation; they shall not need to know the true size of the
machine on which they are running if they are bound to a specific set of
nodes or mems, respectively.
Root tasks are given 3% extra memory just like __vm_enough_memory()
provides in LSMs. In the event of two tasks consuming similar amounts of
memory, it is generally better to save root's task.
Because of the change in the badness() heuristic's baseline, it is also
necessary to introduce a new user interface to tune it. It's not possible
to redefine the meaning of /proc/pid/oom_adj with a new scale since the
ABI cannot be changed for backward compatability. Instead, a new tunable,
/proc/pid/oom_score_adj, is added that ranges from -1000 to +1000. It may
be used to polarize the heuristic such that certain tasks are never
considered for oom kill while others may always be considered. The value
is added directly into the badness() score so a value of -500, for
example, means to discount 50% of its memory consumption in comparison to
other tasks either on the system, bound to the mempolicy, in the cpuset,
or sharing the same memory controller.
/proc/pid/oom_adj is changed so that its meaning is rescaled into the
units used by /proc/pid/oom_score_adj, and vice versa. Changing one of
these per-task tunables will rescale the value of the other to an
equivalent meaning. Although /proc/pid/oom_adj was originally defined as
a bitshift on the badness score, it now shares the same linear growth as
/proc/pid/oom_score_adj but with different granularity. This is required
so the ABI is not broken with userspace applications and allows oom_adj to
be deprecated for future removal.
Signed-off-by: David Rientjes <rientjes@google.com>
Cc: Nick Piggin <npiggin@suse.de>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Balbir Singh <balbir@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-08-10 04:19:46 +04:00
} ;
2005-04-17 02:20:36 +04:00
# ifdef CONFIG_AUDITSYSCALL
# define TMPBUFLEN 21
static ssize_t proc_loginuid_read ( struct file * file , char __user * buf ,
size_t count , loff_t * ppos )
{
2006-12-08 13:36:36 +03:00
struct inode * inode = file - > f_path . dentry - > d_inode ;
2006-06-26 11:25:55 +04:00
struct task_struct * task = get_proc_task ( inode ) ;
2005-04-17 02:20:36 +04:00
ssize_t length ;
char tmpbuf [ TMPBUFLEN ] ;
2006-06-26 11:25:55 +04:00
if ( ! task )
return - ESRCH ;
2005-04-17 02:20:36 +04:00
length = scnprintf ( tmpbuf , TMPBUFLEN , " %u " ,
2008-01-10 12:20:52 +03:00
audit_get_loginuid ( task ) ) ;
2006-06-26 11:25:55 +04:00
put_task_struct ( task ) ;
2005-04-17 02:20:36 +04:00
return simple_read_from_buffer ( buf , count , ppos , tmpbuf , length ) ;
}
static ssize_t proc_loginuid_write ( struct file * file , const char __user * buf ,
size_t count , loff_t * ppos )
{
2006-12-08 13:36:36 +03:00
struct inode * inode = file - > f_path . dentry - > d_inode ;
2005-04-17 02:20:36 +04:00
char * page , * tmp ;
ssize_t length ;
uid_t loginuid ;
if ( ! capable ( CAP_AUDIT_CONTROL ) )
return - EPERM ;
2010-02-23 04:04:52 +03:00
rcu_read_lock ( ) ;
if ( current ! = pid_task ( proc_pid ( inode ) , PIDTYPE_PID ) ) {
rcu_read_unlock ( ) ;
2005-04-17 02:20:36 +04:00
return - EPERM ;
2010-02-23 04:04:52 +03:00
}
rcu_read_unlock ( ) ;
2005-04-17 02:20:36 +04:00
2006-05-18 16:28:02 +04:00
if ( count > = PAGE_SIZE )
count = PAGE_SIZE - 1 ;
2005-04-17 02:20:36 +04:00
if ( * ppos ! = 0 ) {
/* No partial writes. */
return - EINVAL ;
}
2007-10-16 12:25:52 +04:00
page = ( char * ) __get_free_page ( GFP_TEMPORARY ) ;
2005-04-17 02:20:36 +04:00
if ( ! page )
return - ENOMEM ;
length = - EFAULT ;
if ( copy_from_user ( page , buf , count ) )
goto out_free_page ;
2006-05-18 16:28:02 +04:00
page [ count ] = ' \0 ' ;
2005-04-17 02:20:36 +04:00
loginuid = simple_strtoul ( page , & tmp , 10 ) ;
if ( tmp = = page ) {
length = - EINVAL ;
goto out_free_page ;
}
2006-06-26 11:25:55 +04:00
length = audit_set_loginuid ( current , loginuid ) ;
2005-04-17 02:20:36 +04:00
if ( likely ( length = = 0 ) )
length = count ;
out_free_page :
free_page ( ( unsigned long ) page ) ;
return length ;
}
2007-02-12 11:55:34 +03:00
static const struct file_operations proc_loginuid_operations = {
2005-04-17 02:20:36 +04:00
. read = proc_loginuid_read ,
. write = proc_loginuid_write ,
2010-03-18 01:06:02 +03:00
. llseek = generic_file_llseek ,
2005-04-17 02:20:36 +04:00
} ;
2008-03-13 15:15:31 +03:00
static ssize_t proc_sessionid_read ( struct file * file , char __user * buf ,
size_t count , loff_t * ppos )
{
struct inode * inode = file - > f_path . dentry - > d_inode ;
struct task_struct * task = get_proc_task ( inode ) ;
ssize_t length ;
char tmpbuf [ TMPBUFLEN ] ;
if ( ! task )
return - ESRCH ;
length = scnprintf ( tmpbuf , TMPBUFLEN , " %u " ,
audit_get_sessionid ( task ) ) ;
put_task_struct ( task ) ;
return simple_read_from_buffer ( buf , count , ppos , tmpbuf , length ) ;
}
static const struct file_operations proc_sessionid_operations = {
. read = proc_sessionid_read ,
2010-03-18 01:06:02 +03:00
. llseek = generic_file_llseek ,
2008-03-13 15:15:31 +03:00
} ;
2005-04-17 02:20:36 +04:00
# endif
2006-12-08 13:39:47 +03:00
# ifdef CONFIG_FAULT_INJECTION
static ssize_t proc_fault_inject_read ( struct file * file , char __user * buf ,
size_t count , loff_t * ppos )
{
struct task_struct * task = get_proc_task ( file - > f_dentry - > d_inode ) ;
char buffer [ PROC_NUMBUF ] ;
size_t len ;
int make_it_fail ;
if ( ! task )
return - ESRCH ;
make_it_fail = task - > make_it_fail ;
put_task_struct ( task ) ;
len = snprintf ( buffer , sizeof ( buffer ) , " %i \n " , make_it_fail ) ;
2007-05-08 11:31:41 +04:00
return simple_read_from_buffer ( buf , count , ppos , buffer , len ) ;
2006-12-08 13:39:47 +03:00
}
static ssize_t proc_fault_inject_write ( struct file * file ,
const char __user * buf , size_t count , loff_t * ppos )
{
struct task_struct * task ;
char buffer [ PROC_NUMBUF ] , * end ;
int make_it_fail ;
if ( ! capable ( CAP_SYS_RESOURCE ) )
return - EPERM ;
memset ( buffer , 0 , sizeof ( buffer ) ) ;
if ( count > sizeof ( buffer ) - 1 )
count = sizeof ( buffer ) - 1 ;
if ( copy_from_user ( buffer , buf , count ) )
return - EFAULT ;
2009-09-23 03:45:38 +04:00
make_it_fail = simple_strtol ( strstrip ( buffer ) , & end , 0 ) ;
if ( * end )
return - EINVAL ;
2006-12-08 13:39:47 +03:00
task = get_proc_task ( file - > f_dentry - > d_inode ) ;
if ( ! task )
return - ESRCH ;
task - > make_it_fail = make_it_fail ;
put_task_struct ( task ) ;
2009-09-23 03:45:38 +04:00
return count ;
2006-12-08 13:39:47 +03:00
}
2007-02-12 11:55:34 +03:00
static const struct file_operations proc_fault_inject_operations = {
2006-12-08 13:39:47 +03:00
. read = proc_fault_inject_read ,
. write = proc_fault_inject_write ,
2010-03-18 01:06:02 +03:00
. llseek = generic_file_llseek ,
2006-12-08 13:39:47 +03:00
} ;
# endif
2008-01-25 23:08:34 +03:00
2007-07-09 20:52:00 +04:00
# ifdef CONFIG_SCHED_DEBUG
/*
* Print out various scheduling related per - task fields :
*/
static int sched_show ( struct seq_file * m , void * v )
{
struct inode * inode = m - > private ;
struct task_struct * p ;
p = get_proc_task ( inode ) ;
if ( ! p )
return - ESRCH ;
proc_sched_show_task ( p , m ) ;
put_task_struct ( p ) ;
return 0 ;
}
static ssize_t
sched_write ( struct file * file , const char __user * buf ,
size_t count , loff_t * offset )
{
struct inode * inode = file - > f_path . dentry - > d_inode ;
struct task_struct * p ;
p = get_proc_task ( inode ) ;
if ( ! p )
return - ESRCH ;
proc_sched_set_task ( p ) ;
put_task_struct ( p ) ;
return count ;
}
static int sched_open ( struct inode * inode , struct file * filp )
{
2011-01-13 04:00:34 +03:00
return single_open ( filp , sched_show , inode ) ;
2007-07-09 20:52:00 +04:00
}
static const struct file_operations proc_pid_sched_operations = {
. open = sched_open ,
. read = seq_read ,
. write = sched_write ,
. llseek = seq_lseek ,
2007-07-31 11:38:50 +04:00
. release = single_release ,
2007-07-09 20:52:00 +04:00
} ;
# endif
sched: Add 'autogroup' scheduling feature: automated per session task groups
A recurring complaint from CFS users is that parallel kbuild has
a negative impact on desktop interactivity. This patch
implements an idea from Linus, to automatically create task
groups. Currently, only per session autogroups are implemented,
but the patch leaves the way open for enhancement.
Implementation: each task's signal struct contains an inherited
pointer to a refcounted autogroup struct containing a task group
pointer, the default for all tasks pointing to the
init_task_group. When a task calls setsid(), a new task group
is created, the process is moved into the new task group, and a
reference to the preveious task group is dropped. Child
processes inherit this task group thereafter, and increase it's
refcount. When the last thread of a process exits, the
process's reference is dropped, such that when the last process
referencing an autogroup exits, the autogroup is destroyed.
At runqueue selection time, IFF a task has no cgroup assignment,
its current autogroup is used.
Autogroup bandwidth is controllable via setting it's nice level
through the proc filesystem:
cat /proc/<pid>/autogroup
Displays the task's group and the group's nice level.
echo <nice level> > /proc/<pid>/autogroup
Sets the task group's shares to the weight of nice <level> task.
Setting nice level is rate limited for !admin users due to the
abuse risk of task group locking.
The feature is enabled from boot by default if
CONFIG_SCHED_AUTOGROUP=y is selected, but can be disabled via
the boot option noautogroup, and can also be turned on/off on
the fly via:
echo [01] > /proc/sys/kernel/sched_autogroup_enabled
... which will automatically move tasks to/from the root task group.
Signed-off-by: Mike Galbraith <efault@gmx.de>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Markus Trippelsdorf <markus@trippelsdorf.de>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Paul Turner <pjt@google.com>
Cc: Oleg Nesterov <oleg@redhat.com>
[ Removed the task_group_path() debug code, and fixed !EVENTFD build failure. ]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
LKML-Reference: <1290281700.28711.9.camel@maggy.simson.net>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2010-11-30 16:18:03 +03:00
# ifdef CONFIG_SCHED_AUTOGROUP
/*
* Print out autogroup related information :
*/
static int sched_autogroup_show ( struct seq_file * m , void * v )
{
struct inode * inode = m - > private ;
struct task_struct * p ;
p = get_proc_task ( inode ) ;
if ( ! p )
return - ESRCH ;
proc_sched_autogroup_show_task ( p , m ) ;
put_task_struct ( p ) ;
return 0 ;
}
static ssize_t
sched_autogroup_write ( struct file * file , const char __user * buf ,
size_t count , loff_t * offset )
{
struct inode * inode = file - > f_path . dentry - > d_inode ;
struct task_struct * p ;
char buffer [ PROC_NUMBUF ] ;
2011-05-27 03:25:50 +04:00
int nice ;
sched: Add 'autogroup' scheduling feature: automated per session task groups
A recurring complaint from CFS users is that parallel kbuild has
a negative impact on desktop interactivity. This patch
implements an idea from Linus, to automatically create task
groups. Currently, only per session autogroups are implemented,
but the patch leaves the way open for enhancement.
Implementation: each task's signal struct contains an inherited
pointer to a refcounted autogroup struct containing a task group
pointer, the default for all tasks pointing to the
init_task_group. When a task calls setsid(), a new task group
is created, the process is moved into the new task group, and a
reference to the preveious task group is dropped. Child
processes inherit this task group thereafter, and increase it's
refcount. When the last thread of a process exits, the
process's reference is dropped, such that when the last process
referencing an autogroup exits, the autogroup is destroyed.
At runqueue selection time, IFF a task has no cgroup assignment,
its current autogroup is used.
Autogroup bandwidth is controllable via setting it's nice level
through the proc filesystem:
cat /proc/<pid>/autogroup
Displays the task's group and the group's nice level.
echo <nice level> > /proc/<pid>/autogroup
Sets the task group's shares to the weight of nice <level> task.
Setting nice level is rate limited for !admin users due to the
abuse risk of task group locking.
The feature is enabled from boot by default if
CONFIG_SCHED_AUTOGROUP=y is selected, but can be disabled via
the boot option noautogroup, and can also be turned on/off on
the fly via:
echo [01] > /proc/sys/kernel/sched_autogroup_enabled
... which will automatically move tasks to/from the root task group.
Signed-off-by: Mike Galbraith <efault@gmx.de>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Markus Trippelsdorf <markus@trippelsdorf.de>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Paul Turner <pjt@google.com>
Cc: Oleg Nesterov <oleg@redhat.com>
[ Removed the task_group_path() debug code, and fixed !EVENTFD build failure. ]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
LKML-Reference: <1290281700.28711.9.camel@maggy.simson.net>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2010-11-30 16:18:03 +03:00
int err ;
memset ( buffer , 0 , sizeof ( buffer ) ) ;
if ( count > sizeof ( buffer ) - 1 )
count = sizeof ( buffer ) - 1 ;
if ( copy_from_user ( buffer , buf , count ) )
return - EFAULT ;
2011-05-27 03:25:50 +04:00
err = kstrtoint ( strstrip ( buffer ) , 0 , & nice ) ;
if ( err < 0 )
return err ;
sched: Add 'autogroup' scheduling feature: automated per session task groups
A recurring complaint from CFS users is that parallel kbuild has
a negative impact on desktop interactivity. This patch
implements an idea from Linus, to automatically create task
groups. Currently, only per session autogroups are implemented,
but the patch leaves the way open for enhancement.
Implementation: each task's signal struct contains an inherited
pointer to a refcounted autogroup struct containing a task group
pointer, the default for all tasks pointing to the
init_task_group. When a task calls setsid(), a new task group
is created, the process is moved into the new task group, and a
reference to the preveious task group is dropped. Child
processes inherit this task group thereafter, and increase it's
refcount. When the last thread of a process exits, the
process's reference is dropped, such that when the last process
referencing an autogroup exits, the autogroup is destroyed.
At runqueue selection time, IFF a task has no cgroup assignment,
its current autogroup is used.
Autogroup bandwidth is controllable via setting it's nice level
through the proc filesystem:
cat /proc/<pid>/autogroup
Displays the task's group and the group's nice level.
echo <nice level> > /proc/<pid>/autogroup
Sets the task group's shares to the weight of nice <level> task.
Setting nice level is rate limited for !admin users due to the
abuse risk of task group locking.
The feature is enabled from boot by default if
CONFIG_SCHED_AUTOGROUP=y is selected, but can be disabled via
the boot option noautogroup, and can also be turned on/off on
the fly via:
echo [01] > /proc/sys/kernel/sched_autogroup_enabled
... which will automatically move tasks to/from the root task group.
Signed-off-by: Mike Galbraith <efault@gmx.de>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Markus Trippelsdorf <markus@trippelsdorf.de>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Paul Turner <pjt@google.com>
Cc: Oleg Nesterov <oleg@redhat.com>
[ Removed the task_group_path() debug code, and fixed !EVENTFD build failure. ]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
LKML-Reference: <1290281700.28711.9.camel@maggy.simson.net>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2010-11-30 16:18:03 +03:00
p = get_proc_task ( inode ) ;
if ( ! p )
return - ESRCH ;
err = nice ;
err = proc_sched_autogroup_set_nice ( p , & err ) ;
if ( err )
count = err ;
put_task_struct ( p ) ;
return count ;
}
static int sched_autogroup_open ( struct inode * inode , struct file * filp )
{
int ret ;
ret = single_open ( filp , sched_autogroup_show , NULL ) ;
if ( ! ret ) {
struct seq_file * m = filp - > private_data ;
m - > private = inode ;
}
return ret ;
}
static const struct file_operations proc_pid_sched_autogroup_operations = {
. open = sched_autogroup_open ,
. read = seq_read ,
. write = sched_autogroup_write ,
. llseek = seq_lseek ,
. release = single_release ,
} ;
# endif /* CONFIG_SCHED_AUTOGROUP */
2009-12-15 05:00:05 +03:00
static ssize_t comm_write ( struct file * file , const char __user * buf ,
size_t count , loff_t * offset )
{
struct inode * inode = file - > f_path . dentry - > d_inode ;
struct task_struct * p ;
char buffer [ TASK_COMM_LEN ] ;
memset ( buffer , 0 , sizeof ( buffer ) ) ;
if ( count > sizeof ( buffer ) - 1 )
count = sizeof ( buffer ) - 1 ;
if ( copy_from_user ( buffer , buf , count ) )
return - EFAULT ;
p = get_proc_task ( inode ) ;
if ( ! p )
return - ESRCH ;
if ( same_thread_group ( current , p ) )
set_task_comm ( p , buffer ) ;
else
count = - EINVAL ;
put_task_struct ( p ) ;
return count ;
}
static int comm_show ( struct seq_file * m , void * v )
{
struct inode * inode = m - > private ;
struct task_struct * p ;
p = get_proc_task ( inode ) ;
if ( ! p )
return - ESRCH ;
task_lock ( p ) ;
seq_printf ( m , " %s \n " , p - > comm ) ;
task_unlock ( p ) ;
put_task_struct ( p ) ;
return 0 ;
}
static int comm_open ( struct inode * inode , struct file * filp )
{
2011-01-13 04:00:34 +03:00
return single_open ( filp , comm_show , inode ) ;
2009-12-15 05:00:05 +03:00
}
static const struct file_operations proc_pid_set_comm_operations = {
. open = comm_open ,
. read = seq_read ,
. write = comm_write ,
. llseek = seq_lseek ,
. release = single_release ,
} ;
2012-01-11 03:11:20 +04:00
static int proc_exe_link ( struct dentry * dentry , struct path * exe_path )
2008-04-29 12:01:36 +04:00
{
struct task_struct * task ;
struct mm_struct * mm ;
struct file * exe_file ;
2012-01-11 03:11:20 +04:00
task = get_proc_task ( dentry - > d_inode ) ;
2008-04-29 12:01:36 +04:00
if ( ! task )
return - ENOENT ;
mm = get_task_mm ( task ) ;
put_task_struct ( task ) ;
if ( ! mm )
return - ENOENT ;
exe_file = get_mm_exe_file ( mm ) ;
mmput ( mm ) ;
if ( exe_file ) {
* exe_path = exe_file - > f_path ;
path_get ( & exe_file - > f_path ) ;
fput ( exe_file ) ;
return 0 ;
} else
return - ENOENT ;
}
[PATCH] Fix up symlink function pointers
This fixes up the symlink functions for the calling convention change:
* afs, autofs4, befs, devfs, freevxfs, jffs2, jfs, ncpfs, procfs,
smbfs, sysvfs, ufs, xfs - prototype change for ->follow_link()
* befs, smbfs, xfs - same for ->put_link()
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-08-20 03:17:39 +04:00
static void * proc_pid_follow_link ( struct dentry * dentry , struct nameidata * nd )
2005-04-17 02:20:36 +04:00
{
struct inode * inode = dentry - > d_inode ;
int error = - EACCES ;
/* We don't need a base pointer in the /proc filesystem */
2008-02-15 06:34:35 +03:00
path_put ( & nd - > path ) ;
2005-04-17 02:20:36 +04:00
2006-06-26 11:25:58 +04:00
/* Are we allowed to snoop on the tasks file descriptors? */
if ( ! proc_fd_access_allowed ( inode ) )
2005-04-17 02:20:36 +04:00
goto out ;
2012-01-11 03:11:20 +04:00
error = PROC_I ( inode ) - > op . proc_get_link ( dentry , & nd - > path ) ;
2005-04-17 02:20:36 +04:00
out :
[PATCH] Fix up symlink function pointers
This fixes up the symlink functions for the calling convention change:
* afs, autofs4, befs, devfs, freevxfs, jffs2, jfs, ncpfs, procfs,
smbfs, sysvfs, ufs, xfs - prototype change for ->follow_link()
* befs, smbfs, xfs - same for ->put_link()
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2005-08-20 03:17:39 +04:00
return ERR_PTR ( error ) ;
2005-04-17 02:20:36 +04:00
}
2008-02-15 06:38:35 +03:00
static int do_proc_readlink ( struct path * path , char __user * buffer , int buflen )
2005-04-17 02:20:36 +04:00
{
2007-10-16 12:25:52 +04:00
char * tmp = ( char * ) __get_free_page ( GFP_TEMPORARY ) ;
2008-02-15 06:38:35 +03:00
char * pathname ;
2005-04-17 02:20:36 +04:00
int len ;
if ( ! tmp )
return - ENOMEM ;
2007-05-08 11:31:41 +04:00
2010-12-06 02:51:21 +03:00
pathname = d_path ( path , tmp , PAGE_SIZE ) ;
2008-02-15 06:38:35 +03:00
len = PTR_ERR ( pathname ) ;
if ( IS_ERR ( pathname ) )
2005-04-17 02:20:36 +04:00
goto out ;
2008-02-15 06:38:35 +03:00
len = tmp + PAGE_SIZE - 1 - pathname ;
2005-04-17 02:20:36 +04:00
if ( len > buflen )
len = buflen ;
2008-02-15 06:38:35 +03:00
if ( copy_to_user ( buffer , pathname , len ) )
2005-04-17 02:20:36 +04:00
len = - EFAULT ;
out :
free_page ( ( unsigned long ) tmp ) ;
return len ;
}
static int proc_pid_readlink ( struct dentry * dentry , char __user * buffer , int buflen )
{
int error = - EACCES ;
struct inode * inode = dentry - > d_inode ;
2008-02-15 06:38:35 +03:00
struct path path ;
2005-04-17 02:20:36 +04:00
2006-06-26 11:25:58 +04:00
/* Are we allowed to snoop on the tasks file descriptors? */
if ( ! proc_fd_access_allowed ( inode ) )
2005-04-17 02:20:36 +04:00
goto out ;
2012-01-11 03:11:20 +04:00
error = PROC_I ( inode ) - > op . proc_get_link ( dentry , & path ) ;
2005-04-17 02:20:36 +04:00
if ( error )
goto out ;
2008-02-15 06:38:35 +03:00
error = do_proc_readlink ( & path , buffer , buflen ) ;
path_put ( & path ) ;
2005-04-17 02:20:36 +04:00
out :
return error ;
}
2007-02-12 11:55:40 +03:00
static const struct inode_operations proc_pid_link_inode_operations = {
2005-04-17 02:20:36 +04:00
. readlink = proc_pid_readlink ,
2006-07-15 23:26:45 +04:00
. follow_link = proc_pid_follow_link ,
. setattr = proc_setattr ,
2005-04-17 02:20:36 +04:00
} ;
2006-10-02 13:17:05 +04:00
/* building an inode */
static int task_dumpable ( struct task_struct * task )
2005-04-17 02:20:36 +04:00
{
2006-10-02 13:17:05 +04:00
int dumpable = 0 ;
struct mm_struct * mm ;
2005-04-17 02:20:36 +04:00
2006-10-02 13:17:05 +04:00
task_lock ( task ) ;
mm = task - > mm ;
if ( mm )
2007-07-19 12:48:27 +04:00
dumpable = get_dumpable ( mm ) ;
2006-10-02 13:17:05 +04:00
task_unlock ( task ) ;
if ( dumpable = = 1 )
return 1 ;
return 0 ;
}
2005-04-17 02:20:36 +04:00
2010-03-08 03:41:34 +03:00
struct inode * proc_pid_make_inode ( struct super_block * sb , struct task_struct * task )
2006-10-02 13:17:05 +04:00
{
struct inode * inode ;
struct proc_inode * ei ;
2008-11-14 02:39:19 +03:00
const struct cred * cred ;
2005-04-17 02:20:36 +04:00
2006-10-02 13:17:05 +04:00
/* We need a new inode */
2005-04-17 02:20:36 +04:00
2006-10-02 13:17:05 +04:00
inode = new_inode ( sb ) ;
if ( ! inode )
goto out ;
/* Common stuff */
ei = PROC_I ( inode ) ;
2010-10-23 19:19:54 +04:00
inode - > i_ino = get_next_ino ( ) ;
2006-10-02 13:17:05 +04:00
inode - > i_mtime = inode - > i_atime = inode - > i_ctime = CURRENT_TIME ;
inode - > i_op = & proc_def_inode_operations ;
/*
* grab the reference to task .
*/
2006-10-02 13:18:59 +04:00
ei - > pid = get_task_pid ( task , PIDTYPE_PID ) ;
2006-10-02 13:17:05 +04:00
if ( ! ei - > pid )
goto out_unlock ;
if ( task_dumpable ( task ) ) {
2008-11-14 02:39:19 +03:00
rcu_read_lock ( ) ;
cred = __task_cred ( task ) ;
inode - > i_uid = cred - > euid ;
inode - > i_gid = cred - > egid ;
rcu_read_unlock ( ) ;
2005-04-17 02:20:36 +04:00
}
2006-10-02 13:17:05 +04:00
security_task_to_inode ( task , inode ) ;
2005-04-17 02:20:36 +04:00
out :
2006-10-02 13:17:05 +04:00
return inode ;
out_unlock :
iput ( inode ) ;
return NULL ;
2005-04-17 02:20:36 +04:00
}
2010-03-08 03:41:34 +03:00
int pid_getattr ( struct vfsmount * mnt , struct dentry * dentry , struct kstat * stat )
2005-04-17 02:20:36 +04:00
{
struct inode * inode = dentry - > d_inode ;
2006-10-02 13:17:05 +04:00
struct task_struct * task ;
2008-11-14 02:39:19 +03:00
const struct cred * cred ;
procfs: add hidepid= and gid= mount options
Add support for mount options to restrict access to /proc/PID/
directories. The default backward-compatible "relaxed" behaviour is left
untouched.
The first mount option is called "hidepid" and its value defines how much
info about processes we want to be available for non-owners:
hidepid=0 (default) means the old behavior - anybody may read all
world-readable /proc/PID/* files.
hidepid=1 means users may not access any /proc/<pid>/ directories, but
their own. Sensitive files like cmdline, sched*, status are now protected
against other users. As permission checking done in proc_pid_permission()
and files' permissions are left untouched, programs expecting specific
files' modes are not confused.
hidepid=2 means hidepid=1 plus all /proc/PID/ will be invisible to other
users. It doesn't mean that it hides whether a process exists (it can be
learned by other means, e.g. by kill -0 $PID), but it hides process' euid
and egid. It compicates intruder's task of gathering info about running
processes, whether some daemon runs with elevated privileges, whether
another user runs some sensitive program, whether other users run any
program at all, etc.
gid=XXX defines a group that will be able to gather all processes' info
(as in hidepid=0 mode). This group should be used instead of putting
nonroot user in sudoers file or something. However, untrusted users (like
daemons, etc.) which are not supposed to monitor the tasks in the whole
system should not be added to the group.
hidepid=1 or higher is designed to restrict access to procfs files, which
might reveal some sensitive private information like precise keystrokes
timings:
http://www.openwall.com/lists/oss-security/2011/11/05/3
hidepid=1/2 doesn't break monitoring userspace tools. ps, top, pgrep, and
conky gracefully handle EPERM/ENOENT and behave as if the current user is
the only user running processes. pstree shows the process subtree which
contains "pstree" process.
Note: the patch doesn't deal with setuid/setgid issues of keeping
preopened descriptors of procfs files (like
https://lkml.org/lkml/2011/2/7/368). We rely on that the leaked
information like the scheduling counters of setuid apps doesn't threaten
anybody's privacy - only the user started the setuid program may read the
counters.
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Randy Dunlap <rdunlap@xenotime.net>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Greg KH <greg@kroah.com>
Cc: Theodore Tso <tytso@MIT.EDU>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: James Morris <jmorris@namei.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Hugh Dickins <hughd@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-01-11 03:11:31 +04:00
struct pid_namespace * pid = dentry - > d_sb - > s_fs_info ;
2008-11-14 02:39:19 +03:00
2006-10-02 13:17:05 +04:00
generic_fillattr ( inode , stat ) ;
2005-04-17 02:20:36 +04:00
2006-10-02 13:17:05 +04:00
rcu_read_lock ( ) ;
stat - > uid = 0 ;
stat - > gid = 0 ;
task = pid_task ( proc_pid ( inode ) , PIDTYPE_PID ) ;
if ( task ) {
procfs: add hidepid= and gid= mount options
Add support for mount options to restrict access to /proc/PID/
directories. The default backward-compatible "relaxed" behaviour is left
untouched.
The first mount option is called "hidepid" and its value defines how much
info about processes we want to be available for non-owners:
hidepid=0 (default) means the old behavior - anybody may read all
world-readable /proc/PID/* files.
hidepid=1 means users may not access any /proc/<pid>/ directories, but
their own. Sensitive files like cmdline, sched*, status are now protected
against other users. As permission checking done in proc_pid_permission()
and files' permissions are left untouched, programs expecting specific
files' modes are not confused.
hidepid=2 means hidepid=1 plus all /proc/PID/ will be invisible to other
users. It doesn't mean that it hides whether a process exists (it can be
learned by other means, e.g. by kill -0 $PID), but it hides process' euid
and egid. It compicates intruder's task of gathering info about running
processes, whether some daemon runs with elevated privileges, whether
another user runs some sensitive program, whether other users run any
program at all, etc.
gid=XXX defines a group that will be able to gather all processes' info
(as in hidepid=0 mode). This group should be used instead of putting
nonroot user in sudoers file or something. However, untrusted users (like
daemons, etc.) which are not supposed to monitor the tasks in the whole
system should not be added to the group.
hidepid=1 or higher is designed to restrict access to procfs files, which
might reveal some sensitive private information like precise keystrokes
timings:
http://www.openwall.com/lists/oss-security/2011/11/05/3
hidepid=1/2 doesn't break monitoring userspace tools. ps, top, pgrep, and
conky gracefully handle EPERM/ENOENT and behave as if the current user is
the only user running processes. pstree shows the process subtree which
contains "pstree" process.
Note: the patch doesn't deal with setuid/setgid issues of keeping
preopened descriptors of procfs files (like
https://lkml.org/lkml/2011/2/7/368). We rely on that the leaked
information like the scheduling counters of setuid apps doesn't threaten
anybody's privacy - only the user started the setuid program may read the
counters.
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Randy Dunlap <rdunlap@xenotime.net>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Greg KH <greg@kroah.com>
Cc: Theodore Tso <tytso@MIT.EDU>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: James Morris <jmorris@namei.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Hugh Dickins <hughd@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-01-11 03:11:31 +04:00
if ( ! has_pid_permissions ( pid , task , 2 ) ) {
rcu_read_unlock ( ) ;
/*
* This doesn ' t prevent learning whether PID exists ,
* it only makes getattr ( ) consistent with readdir ( ) .
*/
return - ENOENT ;
}
2006-10-02 13:17:05 +04:00
if ( ( inode - > i_mode = = ( S_IFDIR | S_IRUGO | S_IXUGO ) ) | |
task_dumpable ( task ) ) {
2008-11-14 02:39:19 +03:00
cred = __task_cred ( task ) ;
stat - > uid = cred - > euid ;
stat - > gid = cred - > egid ;
2005-04-17 02:20:36 +04:00
}
}
2006-10-02 13:17:05 +04:00
rcu_read_unlock ( ) ;
2005-06-23 11:09:43 +04:00
return 0 ;
2005-04-17 02:20:36 +04:00
}
/* dentry stuff */
/*
* Exceptional case : normally we are not allowed to unhash a busy
* directory . In this case , however , we can do it - no aliasing problems
* due to the way we treat inodes .
*
* Rewrite the inode ' s ownerships here because the owning task may have
* performed a setuid ( ) , etc .
2006-06-26 11:25:55 +04:00
*
* Before the / proc / pid / status file was created the only way to read
* the effective uid of a / process was to stat / proc / pid . Reading
* / proc / pid / status is slow enough that procps and other packages
* kept stating / proc / pid . To keep the rules in / proc simple I have
* made this apply to all per process world readable and executable
* directories .
2005-04-17 02:20:36 +04:00
*/
2010-03-08 03:41:34 +03:00
int pid_revalidate ( struct dentry * dentry , struct nameidata * nd )
2005-04-17 02:20:36 +04:00
{
2011-01-07 09:49:57 +03:00
struct inode * inode ;
struct task_struct * task ;
2008-11-14 02:39:19 +03:00
const struct cred * cred ;
2011-01-07 09:49:57 +03:00
if ( nd & & nd - > flags & LOOKUP_RCU )
return - ECHILD ;
inode = dentry - > d_inode ;
task = get_proc_task ( inode ) ;
2006-06-26 11:25:55 +04:00
if ( task ) {
if ( ( inode - > i_mode = = ( S_IFDIR | S_IRUGO | S_IXUGO ) ) | |
task_dumpable ( task ) ) {
2008-11-14 02:39:19 +03:00
rcu_read_lock ( ) ;
cred = __task_cred ( task ) ;
inode - > i_uid = cred - > euid ;
inode - > i_gid = cred - > egid ;
rcu_read_unlock ( ) ;
2005-04-17 02:20:36 +04:00
} else {
inode - > i_uid = 0 ;
inode - > i_gid = 0 ;
}
2006-07-15 08:48:03 +04:00
inode - > i_mode & = ~ ( S_ISUID | S_ISGID ) ;
2005-04-17 02:20:36 +04:00
security_task_to_inode ( task , inode ) ;
2006-06-26 11:25:55 +04:00
put_task_struct ( task ) ;
2005-04-17 02:20:36 +04:00
return 1 ;
}
d_drop ( dentry ) ;
return 0 ;
}
2011-01-07 09:49:23 +03:00
static int pid_delete_dentry ( const struct dentry * dentry )
2006-06-26 11:25:55 +04:00
{
2006-10-02 13:17:05 +04:00
/* Is the task we represent dead?
* If so , then don ' t put the dentry on the lru list ,
* kill it immediately .
*/
return ! proc_pid ( dentry - > d_inode ) - > tasks [ PIDTYPE_PID ] . first ;
}
2010-03-08 03:41:34 +03:00
const struct dentry_operations pid_dentry_operations =
2006-10-02 13:17:05 +04:00
{
. d_revalidate = pid_revalidate ,
. d_delete = pid_delete_dentry ,
} ;
/* Lookups */
2006-10-02 13:18:57 +04:00
/*
* Fill a directory entry .
*
* If possible create the dcache entry and derive our inode number and
* file type from dcache entry .
*
* Since all of the proc inode numbers are dynamically generated , the inode
* numbers do not exist until the inode is cache . This means creating the
* the dcache entry in readdir is necessary to keep the inode numbers
* reported by readdir in sync with the inode numbers reported
* by stat .
*/
2010-03-08 03:41:34 +03:00
int proc_fill_cache ( struct file * filp , void * dirent , filldir_t filldir ,
const char * name , int len ,
2007-05-08 11:26:15 +04:00
instantiate_t instantiate , struct task_struct * task , const void * ptr )
2006-10-02 13:18:49 +04:00
{
2006-12-08 13:36:36 +03:00
struct dentry * child , * dir = filp - > f_path . dentry ;
2006-10-02 13:18:49 +04:00
struct inode * inode ;
struct qstr qname ;
ino_t ino = 0 ;
unsigned type = DT_UNKNOWN ;
qname . name = name ;
qname . len = len ;
qname . hash = full_name_hash ( name , len ) ;
child = d_lookup ( dir , & qname ) ;
if ( ! child ) {
struct dentry * new ;
new = d_alloc ( dir , & qname ) ;
if ( new ) {
child = instantiate ( dir - > d_inode , new , task , ptr ) ;
if ( child )
dput ( new ) ;
else
child = new ;
}
}
if ( ! child | | IS_ERR ( child ) | | ! child - > d_inode )
goto end_instantiate ;
inode = child - > d_inode ;
if ( inode ) {
ino = inode - > i_ino ;
type = inode - > i_mode > > 12 ;
}
dput ( child ) ;
end_instantiate :
if ( ! ino )
ino = find_inode_number ( dir , & qname ) ;
if ( ! ino )
ino = 1 ;
return filldir ( dirent , name , len , filp - > f_pos , ino , type ) ;
}
2006-10-02 13:17:05 +04:00
static unsigned name_to_int ( struct dentry * dentry )
{
const char * name = dentry - > d_name . name ;
int len = dentry - > d_name . len ;
unsigned n = 0 ;
if ( len > 1 & & * name = = ' 0 ' )
goto out ;
while ( len - - > 0 ) {
unsigned c = * name + + - ' 0 ' ;
if ( c > 9 )
goto out ;
if ( n > = ( ~ 0U - 9 ) / 10 )
goto out ;
n * = 10 ;
n + = c ;
}
return n ;
out :
return ~ 0U ;
}
2007-05-08 11:26:17 +04:00
# define PROC_FDINFO_MAX 64
2008-02-15 06:38:35 +03:00
static int proc_fd_info ( struct inode * inode , struct path * path , char * info )
2006-10-02 13:17:05 +04:00
{
2011-11-10 03:16:00 +04:00
struct task_struct * task = get_proc_task ( inode ) ;
struct files_struct * files = NULL ;
2006-10-02 13:17:05 +04:00
struct file * file ;
int fd = proc_fd ( inode ) ;
proc: fix races against execve() of /proc/PID/fd**
fd* files are restricted to the task's owner, and other users may not get
direct access to them. But one may open any of these files and run any
setuid program, keeping opened file descriptors. As there are permission
checks on open(), but not on readdir() and read(), operations on the kept
file descriptors will not be checked. It makes it possible to violate
procfs permission model.
Reading fdinfo/* may disclosure current fds' position and flags, reading
directory contents of fdinfo/ and fd/ may disclosure the number of opened
files by the target task. This information is not sensible per se, but it
can reveal some private information (like length of a password stored in a
file) under certain conditions.
Used existing (un)lock_trace functions to check for ptrace_may_access(),
but instead of using EPERM return code from it use EACCES to be consistent
with existing proc_pid_follow_link()/proc_pid_readlink() return code. If
they differ, attacker can guess what fds exist by analyzing stat() return
code. Patched handlers: stat() for fd/*, stat() and read() for fdindo/*,
readdir() and lookup() for fd/ and fdinfo/.
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Cc: Cyrill Gorcunov <gorcunov@gmail.com>
Cc: <stable@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2011-11-03 00:38:44 +04:00
2011-11-10 03:16:00 +04:00
if ( task ) {
files = get_files_struct ( task ) ;
put_task_struct ( task ) ;
}
if ( files ) {
/*
* We are not taking a ref to the file structure , so we must
* hold - > file_lock .
*/
spin_lock ( & files - > file_lock ) ;
file = fcheck_files ( files , fd ) ;
if ( file ) {
unsigned int f_flags ;
struct fdtable * fdt ;
fdt = files_fdtable ( files ) ;
f_flags = file - > f_flags & ~ O_CLOEXEC ;
if ( FD_ISSET ( fd , fdt - > close_on_exec ) )
f_flags | = O_CLOEXEC ;
if ( path ) {
* path = file - > f_path ;
path_get ( & file - > f_path ) ;
}
if ( info )
snprintf ( info , PROC_FDINFO_MAX ,
" pos: \t %lli \n "
" flags: \t 0%o \n " ,
( long long ) file - > f_pos ,
f_flags ) ;
spin_unlock ( & files - > file_lock ) ;
put_files_struct ( files ) ;
return 0 ;
2006-06-26 11:25:55 +04:00
}
2011-11-10 03:16:00 +04:00
spin_unlock ( & files - > file_lock ) ;
put_files_struct ( files ) ;
}
return - ENOENT ;
2006-06-26 11:25:55 +04:00
}
2012-01-11 03:11:20 +04:00
static int proc_fd_link ( struct dentry * dentry , struct path * path )
2007-05-08 11:26:17 +04:00
{
2012-01-11 03:11:20 +04:00
return proc_fd_info ( dentry - > d_inode , path , NULL ) ;
2007-05-08 11:26:17 +04:00
}
2005-04-17 02:20:36 +04:00
static int tid_fd_revalidate ( struct dentry * dentry , struct nameidata * nd )
{
2011-01-07 09:49:57 +03:00
struct inode * inode ;
struct task_struct * task ;
int fd ;
2005-04-17 02:20:36 +04:00
struct files_struct * files ;
2008-11-14 02:39:19 +03:00
const struct cred * cred ;
2005-04-17 02:20:36 +04:00
2011-01-07 09:49:57 +03:00
if ( nd & & nd - > flags & LOOKUP_RCU )
return - ECHILD ;
inode = dentry - > d_inode ;
task = get_proc_task ( inode ) ;
fd = proc_fd ( inode ) ;
2006-06-26 11:25:55 +04:00
if ( task ) {
files = get_files_struct ( task ) ;
if ( files ) {
rcu_read_lock ( ) ;
if ( fcheck_files ( files , fd ) ) {
rcu_read_unlock ( ) ;
put_files_struct ( files ) ;
if ( task_dumpable ( task ) ) {
2008-11-14 02:39:19 +03:00
rcu_read_lock ( ) ;
cred = __task_cred ( task ) ;
inode - > i_uid = cred - > euid ;
inode - > i_gid = cred - > egid ;
rcu_read_unlock ( ) ;
2006-06-26 11:25:55 +04:00
} else {
inode - > i_uid = 0 ;
inode - > i_gid = 0 ;
}
2006-07-15 08:48:03 +04:00
inode - > i_mode & = ~ ( S_ISUID | S_ISGID ) ;
2006-06-26 11:25:55 +04:00
security_task_to_inode ( task , inode ) ;
put_task_struct ( task ) ;
return 1 ;
}
2005-09-10 00:04:14 +04:00
rcu_read_unlock ( ) ;
2005-04-17 02:20:36 +04:00
put_files_struct ( files ) ;
}
2006-06-26 11:25:55 +04:00
put_task_struct ( task ) ;
2005-04-17 02:20:36 +04:00
}
d_drop ( dentry ) ;
return 0 ;
}
2009-02-20 08:58:47 +03:00
static const struct dentry_operations tid_fd_dentry_operations =
2005-04-17 02:20:36 +04:00
{
. d_revalidate = tid_fd_revalidate ,
. d_delete = pid_delete_dentry ,
} ;
2006-10-02 13:18:49 +04:00
static struct dentry * proc_fd_instantiate ( struct inode * dir ,
2007-05-08 11:26:15 +04:00
struct dentry * dentry , struct task_struct * task , const void * ptr )
2005-04-17 02:20:36 +04:00
{
2007-05-08 11:26:15 +04:00
unsigned fd = * ( const unsigned * ) ptr ;
2006-10-02 13:18:49 +04:00
struct file * file ;
struct files_struct * files ;
struct inode * inode ;
struct proc_inode * ei ;
struct dentry * error = ERR_PTR ( - ENOENT ) ;
2005-04-17 02:20:36 +04:00
2006-10-02 13:18:49 +04:00
inode = proc_pid_make_inode ( dir - > i_sb , task ) ;
2005-04-17 02:20:36 +04:00
if ( ! inode )
goto out ;
ei = PROC_I ( inode ) ;
2006-06-26 11:25:44 +04:00
ei - > fd = fd ;
2005-04-17 02:20:36 +04:00
files = get_files_struct ( task ) ;
if ( ! files )
2006-10-02 13:18:49 +04:00
goto out_iput ;
2005-04-17 02:20:36 +04:00
inode - > i_mode = S_IFLNK ;
2006-04-19 09:21:46 +04:00
/*
* We are not taking a ref to the file structure , so we must
* hold - > file_lock .
*/
spin_lock ( & files - > file_lock ) ;
2005-04-17 02:20:36 +04:00
file = fcheck_files ( files , fd ) ;
if ( ! file )
2006-10-02 13:18:49 +04:00
goto out_unlock ;
2008-09-02 23:28:45 +04:00
if ( file - > f_mode & FMODE_READ )
2005-04-17 02:20:36 +04:00
inode - > i_mode | = S_IRUSR | S_IXUSR ;
2008-09-02 23:28:45 +04:00
if ( file - > f_mode & FMODE_WRITE )
2005-04-17 02:20:36 +04:00
inode - > i_mode | = S_IWUSR | S_IXUSR ;
2006-04-19 09:21:46 +04:00
spin_unlock ( & files - > file_lock ) ;
2005-04-17 02:20:36 +04:00
put_files_struct ( files ) ;
2006-10-02 13:18:49 +04:00
2011-11-10 03:16:00 +04:00
inode - > i_op = & proc_pid_link_inode_operations ;
2005-04-17 02:20:36 +04:00
inode - > i_size = 64 ;
ei - > op . proc_get_link = proc_fd_link ;
2011-01-07 09:49:55 +03:00
d_set_d_op ( dentry , & tid_fd_dentry_operations ) ;
2005-04-17 02:20:36 +04:00
d_add ( dentry , inode ) ;
2006-06-26 11:25:49 +04:00
/* Close the race of the process dying before we return the dentry */
if ( tid_fd_revalidate ( dentry , NULL ) )
2006-10-02 13:18:49 +04:00
error = NULL ;
2005-04-17 02:20:36 +04:00
2006-10-02 13:18:49 +04:00
out :
return error ;
out_unlock :
2006-04-19 09:21:46 +04:00
spin_unlock ( & files - > file_lock ) ;
2005-04-17 02:20:36 +04:00
put_files_struct ( files ) ;
2006-10-02 13:18:49 +04:00
out_iput :
2005-04-17 02:20:36 +04:00
iput ( inode ) ;
2006-06-26 11:25:49 +04:00
goto out ;
2005-04-17 02:20:36 +04:00
}
2007-05-08 11:26:17 +04:00
static struct dentry * proc_lookupfd_common ( struct inode * dir ,
struct dentry * dentry ,
instantiate_t instantiate )
2006-10-02 13:18:49 +04:00
{
struct task_struct * task = get_proc_task ( dir ) ;
unsigned fd = name_to_int ( dentry ) ;
struct dentry * result = ERR_PTR ( - ENOENT ) ;
if ( ! task )
goto out_no_task ;
if ( fd = = ~ 0U )
goto out ;
2007-05-08 11:26:17 +04:00
result = instantiate ( dir , dentry , task , & fd ) ;
2006-10-02 13:18:49 +04:00
out :
put_task_struct ( task ) ;
out_no_task :
return result ;
}
2007-05-08 11:26:17 +04:00
static int proc_readfd_common ( struct file * filp , void * dirent ,
filldir_t filldir , instantiate_t instantiate )
2006-10-02 13:17:05 +04:00
{
2006-12-08 13:36:36 +03:00
struct dentry * dentry = filp - > f_path . dentry ;
2006-10-02 13:17:05 +04:00
struct inode * inode = dentry - > d_inode ;
struct task_struct * p = get_proc_task ( inode ) ;
2007-10-19 10:40:43 +04:00
unsigned int fd , ino ;
2006-10-02 13:17:05 +04:00
int retval ;
struct files_struct * files ;
2005-04-17 02:20:36 +04:00
2006-10-02 13:17:05 +04:00
retval = - ENOENT ;
if ( ! p )
goto out_no_task ;
retval = 0 ;
fd = filp - > f_pos ;
switch ( fd ) {
case 0 :
if ( filldir ( dirent , " . " , 1 , 0 , inode - > i_ino , DT_DIR ) < 0 )
2011-11-10 03:16:00 +04:00
goto out ;
2006-10-02 13:17:05 +04:00
filp - > f_pos + + ;
case 1 :
ino = parent_ino ( dentry ) ;
if ( filldir ( dirent , " .. " , 2 , 1 , ino , DT_DIR ) < 0 )
2011-11-10 03:16:00 +04:00
goto out ;
2006-10-02 13:17:05 +04:00
filp - > f_pos + + ;
default :
files = get_files_struct ( p ) ;
if ( ! files )
2011-11-10 03:16:00 +04:00
goto out ;
2006-10-02 13:17:05 +04:00
rcu_read_lock ( ) ;
for ( fd = filp - > f_pos - 2 ;
2008-04-22 09:32:44 +04:00
fd < files_fdtable ( files ) - > max_fds ;
2006-10-02 13:17:05 +04:00
fd + + , filp - > f_pos + + ) {
2007-05-08 11:26:17 +04:00
char name [ PROC_NUMBUF ] ;
int len ;
2006-10-02 13:17:05 +04:00
if ( ! fcheck_files ( files , fd ) )
continue ;
rcu_read_unlock ( ) ;
2007-05-08 11:26:17 +04:00
len = snprintf ( name , sizeof ( name ) , " %d " , fd ) ;
if ( proc_fill_cache ( filp , dirent , filldir ,
name , len , instantiate ,
p , & fd ) < 0 ) {
2006-10-02 13:17:05 +04:00
rcu_read_lock ( ) ;
break ;
}
rcu_read_lock ( ) ;
}
rcu_read_unlock ( ) ;
put_files_struct ( files ) ;
}
out :
put_task_struct ( p ) ;
out_no_task :
return retval ;
}
2007-05-08 11:26:17 +04:00
static struct dentry * proc_lookupfd ( struct inode * dir , struct dentry * dentry ,
struct nameidata * nd )
{
return proc_lookupfd_common ( dir , dentry , proc_fd_instantiate ) ;
}
static int proc_readfd ( struct file * filp , void * dirent , filldir_t filldir )
{
return proc_readfd_common ( filp , dirent , filldir , proc_fd_instantiate ) ;
}
static ssize_t proc_fdinfo_read ( struct file * file , char __user * buf ,
size_t len , loff_t * ppos )
{
char tmp [ PROC_FDINFO_MAX ] ;
2008-02-15 06:38:35 +03:00
int err = proc_fd_info ( file - > f_path . dentry - > d_inode , NULL , tmp ) ;
2007-05-08 11:26:17 +04:00
if ( ! err )
err = simple_read_from_buffer ( buf , len , ppos , tmp , strlen ( tmp ) ) ;
return err ;
}
static const struct file_operations proc_fdinfo_file_operations = {
2010-03-18 01:06:02 +03:00
. open = nonseekable_open ,
2007-05-08 11:26:17 +04:00
. read = proc_fdinfo_read ,
llseek: automatically add .llseek fop
All file_operations should get a .llseek operation so we can make
nonseekable_open the default for future file operations without a
.llseek pointer.
The three cases that we can automatically detect are no_llseek, seq_lseek
and default_llseek. For cases where we can we can automatically prove that
the file offset is always ignored, we use noop_llseek, which maintains
the current behavior of not returning an error from a seek.
New drivers should normally not use noop_llseek but instead use no_llseek
and call nonseekable_open at open time. Existing drivers can be converted
to do the same when the maintainer knows for certain that no user code
relies on calling seek on the device file.
The generated code is often incorrectly indented and right now contains
comments that clarify for each added line why a specific variant was
chosen. In the version that gets submitted upstream, the comments will
be gone and I will manually fix the indentation, because there does not
seem to be a way to do that using coccinelle.
Some amount of new code is currently sitting in linux-next that should get
the same modifications, which I will do at the end of the merge window.
Many thanks to Julia Lawall for helping me learn to write a semantic
patch that does all this.
===== begin semantic patch =====
// This adds an llseek= method to all file operations,
// as a preparation for making no_llseek the default.
//
// The rules are
// - use no_llseek explicitly if we do nonseekable_open
// - use seq_lseek for sequential files
// - use default_llseek if we know we access f_pos
// - use noop_llseek if we know we don't access f_pos,
// but we still want to allow users to call lseek
//
@ open1 exists @
identifier nested_open;
@@
nested_open(...)
{
<+...
nonseekable_open(...)
...+>
}
@ open exists@
identifier open_f;
identifier i, f;
identifier open1.nested_open;
@@
int open_f(struct inode *i, struct file *f)
{
<+...
(
nonseekable_open(...)
|
nested_open(...)
)
...+>
}
@ read disable optional_qualifier exists @
identifier read_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
expression E;
identifier func;
@@
ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
{
<+...
(
*off = E
|
*off += E
|
func(..., off, ...)
|
E = *off
)
...+>
}
@ read_no_fpos disable optional_qualifier exists @
identifier read_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
@@
ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
{
... when != off
}
@ write @
identifier write_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
expression E;
identifier func;
@@
ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
{
<+...
(
*off = E
|
*off += E
|
func(..., off, ...)
|
E = *off
)
...+>
}
@ write_no_fpos @
identifier write_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
@@
ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
{
... when != off
}
@ fops0 @
identifier fops;
@@
struct file_operations fops = {
...
};
@ has_llseek depends on fops0 @
identifier fops0.fops;
identifier llseek_f;
@@
struct file_operations fops = {
...
.llseek = llseek_f,
...
};
@ has_read depends on fops0 @
identifier fops0.fops;
identifier read_f;
@@
struct file_operations fops = {
...
.read = read_f,
...
};
@ has_write depends on fops0 @
identifier fops0.fops;
identifier write_f;
@@
struct file_operations fops = {
...
.write = write_f,
...
};
@ has_open depends on fops0 @
identifier fops0.fops;
identifier open_f;
@@
struct file_operations fops = {
...
.open = open_f,
...
};
// use no_llseek if we call nonseekable_open
////////////////////////////////////////////
@ nonseekable1 depends on !has_llseek && has_open @
identifier fops0.fops;
identifier nso ~= "nonseekable_open";
@@
struct file_operations fops = {
... .open = nso, ...
+.llseek = no_llseek, /* nonseekable */
};
@ nonseekable2 depends on !has_llseek @
identifier fops0.fops;
identifier open.open_f;
@@
struct file_operations fops = {
... .open = open_f, ...
+.llseek = no_llseek, /* open uses nonseekable */
};
// use seq_lseek for sequential files
/////////////////////////////////////
@ seq depends on !has_llseek @
identifier fops0.fops;
identifier sr ~= "seq_read";
@@
struct file_operations fops = {
... .read = sr, ...
+.llseek = seq_lseek, /* we have seq_read */
};
// use default_llseek if there is a readdir
///////////////////////////////////////////
@ fops1 depends on !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier readdir_e;
@@
// any other fop is used that changes pos
struct file_operations fops = {
... .readdir = readdir_e, ...
+.llseek = default_llseek, /* readdir is present */
};
// use default_llseek if at least one of read/write touches f_pos
/////////////////////////////////////////////////////////////////
@ fops2 depends on !fops1 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read.read_f;
@@
// read fops use offset
struct file_operations fops = {
... .read = read_f, ...
+.llseek = default_llseek, /* read accesses f_pos */
};
@ fops3 depends on !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier write.write_f;
@@
// write fops use offset
struct file_operations fops = {
... .write = write_f, ...
+ .llseek = default_llseek, /* write accesses f_pos */
};
// Use noop_llseek if neither read nor write accesses f_pos
///////////////////////////////////////////////////////////
@ fops4 depends on !fops1 && !fops2 && !fops3 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read_no_fpos.read_f;
identifier write_no_fpos.write_f;
@@
// write fops use offset
struct file_operations fops = {
...
.write = write_f,
.read = read_f,
...
+.llseek = noop_llseek, /* read and write both use no f_pos */
};
@ depends on has_write && !has_read && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier write_no_fpos.write_f;
@@
struct file_operations fops = {
... .write = write_f, ...
+.llseek = noop_llseek, /* write uses no f_pos */
};
@ depends on has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read_no_fpos.read_f;
@@
struct file_operations fops = {
... .read = read_f, ...
+.llseek = noop_llseek, /* read uses no f_pos */
};
@ depends on !has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
@@
struct file_operations fops = {
...
+.llseek = noop_llseek, /* no read or write fn */
};
===== End semantic patch =====
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Cc: Julia Lawall <julia@diku.dk>
Cc: Christoph Hellwig <hch@infradead.org>
2010-08-15 20:52:59 +04:00
. llseek = no_llseek ,
2007-05-08 11:26:17 +04:00
} ;
2007-02-12 11:55:34 +03:00
static const struct file_operations proc_fd_operations = {
2006-10-02 13:17:05 +04:00
. read = generic_read_dir ,
. readdir = proc_readfd ,
llseek: automatically add .llseek fop
All file_operations should get a .llseek operation so we can make
nonseekable_open the default for future file operations without a
.llseek pointer.
The three cases that we can automatically detect are no_llseek, seq_lseek
and default_llseek. For cases where we can we can automatically prove that
the file offset is always ignored, we use noop_llseek, which maintains
the current behavior of not returning an error from a seek.
New drivers should normally not use noop_llseek but instead use no_llseek
and call nonseekable_open at open time. Existing drivers can be converted
to do the same when the maintainer knows for certain that no user code
relies on calling seek on the device file.
The generated code is often incorrectly indented and right now contains
comments that clarify for each added line why a specific variant was
chosen. In the version that gets submitted upstream, the comments will
be gone and I will manually fix the indentation, because there does not
seem to be a way to do that using coccinelle.
Some amount of new code is currently sitting in linux-next that should get
the same modifications, which I will do at the end of the merge window.
Many thanks to Julia Lawall for helping me learn to write a semantic
patch that does all this.
===== begin semantic patch =====
// This adds an llseek= method to all file operations,
// as a preparation for making no_llseek the default.
//
// The rules are
// - use no_llseek explicitly if we do nonseekable_open
// - use seq_lseek for sequential files
// - use default_llseek if we know we access f_pos
// - use noop_llseek if we know we don't access f_pos,
// but we still want to allow users to call lseek
//
@ open1 exists @
identifier nested_open;
@@
nested_open(...)
{
<+...
nonseekable_open(...)
...+>
}
@ open exists@
identifier open_f;
identifier i, f;
identifier open1.nested_open;
@@
int open_f(struct inode *i, struct file *f)
{
<+...
(
nonseekable_open(...)
|
nested_open(...)
)
...+>
}
@ read disable optional_qualifier exists @
identifier read_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
expression E;
identifier func;
@@
ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
{
<+...
(
*off = E
|
*off += E
|
func(..., off, ...)
|
E = *off
)
...+>
}
@ read_no_fpos disable optional_qualifier exists @
identifier read_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
@@
ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
{
... when != off
}
@ write @
identifier write_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
expression E;
identifier func;
@@
ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
{
<+...
(
*off = E
|
*off += E
|
func(..., off, ...)
|
E = *off
)
...+>
}
@ write_no_fpos @
identifier write_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
@@
ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
{
... when != off
}
@ fops0 @
identifier fops;
@@
struct file_operations fops = {
...
};
@ has_llseek depends on fops0 @
identifier fops0.fops;
identifier llseek_f;
@@
struct file_operations fops = {
...
.llseek = llseek_f,
...
};
@ has_read depends on fops0 @
identifier fops0.fops;
identifier read_f;
@@
struct file_operations fops = {
...
.read = read_f,
...
};
@ has_write depends on fops0 @
identifier fops0.fops;
identifier write_f;
@@
struct file_operations fops = {
...
.write = write_f,
...
};
@ has_open depends on fops0 @
identifier fops0.fops;
identifier open_f;
@@
struct file_operations fops = {
...
.open = open_f,
...
};
// use no_llseek if we call nonseekable_open
////////////////////////////////////////////
@ nonseekable1 depends on !has_llseek && has_open @
identifier fops0.fops;
identifier nso ~= "nonseekable_open";
@@
struct file_operations fops = {
... .open = nso, ...
+.llseek = no_llseek, /* nonseekable */
};
@ nonseekable2 depends on !has_llseek @
identifier fops0.fops;
identifier open.open_f;
@@
struct file_operations fops = {
... .open = open_f, ...
+.llseek = no_llseek, /* open uses nonseekable */
};
// use seq_lseek for sequential files
/////////////////////////////////////
@ seq depends on !has_llseek @
identifier fops0.fops;
identifier sr ~= "seq_read";
@@
struct file_operations fops = {
... .read = sr, ...
+.llseek = seq_lseek, /* we have seq_read */
};
// use default_llseek if there is a readdir
///////////////////////////////////////////
@ fops1 depends on !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier readdir_e;
@@
// any other fop is used that changes pos
struct file_operations fops = {
... .readdir = readdir_e, ...
+.llseek = default_llseek, /* readdir is present */
};
// use default_llseek if at least one of read/write touches f_pos
/////////////////////////////////////////////////////////////////
@ fops2 depends on !fops1 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read.read_f;
@@
// read fops use offset
struct file_operations fops = {
... .read = read_f, ...
+.llseek = default_llseek, /* read accesses f_pos */
};
@ fops3 depends on !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier write.write_f;
@@
// write fops use offset
struct file_operations fops = {
... .write = write_f, ...
+ .llseek = default_llseek, /* write accesses f_pos */
};
// Use noop_llseek if neither read nor write accesses f_pos
///////////////////////////////////////////////////////////
@ fops4 depends on !fops1 && !fops2 && !fops3 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read_no_fpos.read_f;
identifier write_no_fpos.write_f;
@@
// write fops use offset
struct file_operations fops = {
...
.write = write_f,
.read = read_f,
...
+.llseek = noop_llseek, /* read and write both use no f_pos */
};
@ depends on has_write && !has_read && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier write_no_fpos.write_f;
@@
struct file_operations fops = {
... .write = write_f, ...
+.llseek = noop_llseek, /* write uses no f_pos */
};
@ depends on has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read_no_fpos.read_f;
@@
struct file_operations fops = {
... .read = read_f, ...
+.llseek = noop_llseek, /* read uses no f_pos */
};
@ depends on !has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
@@
struct file_operations fops = {
...
+.llseek = noop_llseek, /* no read or write fn */
};
===== End semantic patch =====
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Cc: Julia Lawall <julia@diku.dk>
Cc: Christoph Hellwig <hch@infradead.org>
2010-08-15 20:52:59 +04:00
. llseek = default_llseek ,
2005-04-17 02:20:36 +04:00
} ;
2012-01-11 03:11:23 +04:00
# ifdef CONFIG_CHECKPOINT_RESTORE
/*
* dname_to_vma_addr - maps a dentry name into two unsigned longs
* which represent vma start and end addresses .
*/
static int dname_to_vma_addr ( struct dentry * dentry ,
unsigned long * start , unsigned long * end )
{
if ( sscanf ( dentry - > d_name . name , " %lx-%lx " , start , end ) ! = 2 )
return - EINVAL ;
return 0 ;
}
static int map_files_d_revalidate ( struct dentry * dentry , struct nameidata * nd )
{
unsigned long vm_start , vm_end ;
bool exact_vma_exists = false ;
struct mm_struct * mm = NULL ;
struct task_struct * task ;
const struct cred * cred ;
struct inode * inode ;
int status = 0 ;
if ( nd & & nd - > flags & LOOKUP_RCU )
return - ECHILD ;
if ( ! capable ( CAP_SYS_ADMIN ) ) {
status = - EACCES ;
goto out_notask ;
}
inode = dentry - > d_inode ;
task = get_proc_task ( inode ) ;
if ( ! task )
goto out_notask ;
if ( ! ptrace_may_access ( task , PTRACE_MODE_READ ) )
goto out ;
mm = get_task_mm ( task ) ;
if ( ! mm )
goto out ;
if ( ! dname_to_vma_addr ( dentry , & vm_start , & vm_end ) ) {
down_read ( & mm - > mmap_sem ) ;
exact_vma_exists = ! ! find_exact_vma ( mm , vm_start , vm_end ) ;
up_read ( & mm - > mmap_sem ) ;
}
mmput ( mm ) ;
if ( exact_vma_exists ) {
if ( task_dumpable ( task ) ) {
rcu_read_lock ( ) ;
cred = __task_cred ( task ) ;
inode - > i_uid = cred - > euid ;
inode - > i_gid = cred - > egid ;
rcu_read_unlock ( ) ;
} else {
inode - > i_uid = 0 ;
inode - > i_gid = 0 ;
}
security_task_to_inode ( task , inode ) ;
status = 1 ;
}
out :
put_task_struct ( task ) ;
out_notask :
if ( status < = 0 )
d_drop ( dentry ) ;
return status ;
}
static const struct dentry_operations tid_map_files_dentry_operations = {
. d_revalidate = map_files_d_revalidate ,
. d_delete = pid_delete_dentry ,
} ;
static int proc_map_files_get_link ( struct dentry * dentry , struct path * path )
{
unsigned long vm_start , vm_end ;
struct vm_area_struct * vma ;
struct task_struct * task ;
struct mm_struct * mm ;
int rc ;
rc = - ENOENT ;
task = get_proc_task ( dentry - > d_inode ) ;
if ( ! task )
goto out ;
mm = get_task_mm ( task ) ;
put_task_struct ( task ) ;
if ( ! mm )
goto out ;
rc = dname_to_vma_addr ( dentry , & vm_start , & vm_end ) ;
if ( rc )
goto out_mmput ;
down_read ( & mm - > mmap_sem ) ;
vma = find_exact_vma ( mm , vm_start , vm_end ) ;
if ( vma & & vma - > vm_file ) {
* path = vma - > vm_file - > f_path ;
path_get ( path ) ;
rc = 0 ;
}
up_read ( & mm - > mmap_sem ) ;
out_mmput :
mmput ( mm ) ;
out :
return rc ;
}
struct map_files_info {
struct file * file ;
unsigned long len ;
unsigned char name [ 4 * sizeof ( long ) + 2 ] ; /* max: %lx-%lx\0 */
} ;
static struct dentry *
proc_map_files_instantiate ( struct inode * dir , struct dentry * dentry ,
struct task_struct * task , const void * ptr )
{
const struct file * file = ptr ;
struct proc_inode * ei ;
struct inode * inode ;
if ( ! file )
return ERR_PTR ( - ENOENT ) ;
inode = proc_pid_make_inode ( dir - > i_sb , task ) ;
if ( ! inode )
return ERR_PTR ( - ENOENT ) ;
ei = PROC_I ( inode ) ;
ei - > op . proc_get_link = proc_map_files_get_link ;
inode - > i_op = & proc_pid_link_inode_operations ;
inode - > i_size = 64 ;
inode - > i_mode = S_IFLNK ;
if ( file - > f_mode & FMODE_READ )
inode - > i_mode | = S_IRUSR ;
if ( file - > f_mode & FMODE_WRITE )
inode - > i_mode | = S_IWUSR ;
d_set_d_op ( dentry , & tid_map_files_dentry_operations ) ;
d_add ( dentry , inode ) ;
return NULL ;
}
static struct dentry * proc_map_files_lookup ( struct inode * dir ,
struct dentry * dentry , struct nameidata * nd )
{
unsigned long vm_start , vm_end ;
struct vm_area_struct * vma ;
struct task_struct * task ;
struct dentry * result ;
struct mm_struct * mm ;
result = ERR_PTR ( - EACCES ) ;
if ( ! capable ( CAP_SYS_ADMIN ) )
goto out ;
result = ERR_PTR ( - ENOENT ) ;
task = get_proc_task ( dir ) ;
if ( ! task )
goto out ;
result = ERR_PTR ( - EACCES ) ;
if ( lock_trace ( task ) )
goto out_put_task ;
result = ERR_PTR ( - ENOENT ) ;
if ( dname_to_vma_addr ( dentry , & vm_start , & vm_end ) )
goto out_unlock ;
mm = get_task_mm ( task ) ;
if ( ! mm )
goto out_unlock ;
down_read ( & mm - > mmap_sem ) ;
vma = find_exact_vma ( mm , vm_start , vm_end ) ;
if ( ! vma )
goto out_no_vma ;
result = proc_map_files_instantiate ( dir , dentry , task , vma - > vm_file ) ;
out_no_vma :
up_read ( & mm - > mmap_sem ) ;
mmput ( mm ) ;
out_unlock :
unlock_trace ( task ) ;
out_put_task :
put_task_struct ( task ) ;
out :
return result ;
}
static const struct inode_operations proc_map_files_inode_operations = {
. lookup = proc_map_files_lookup ,
. permission = proc_fd_permission ,
. setattr = proc_setattr ,
} ;
static int
proc_map_files_readdir ( struct file * filp , void * dirent , filldir_t filldir )
{
struct dentry * dentry = filp - > f_path . dentry ;
struct inode * inode = dentry - > d_inode ;
struct vm_area_struct * vma ;
struct task_struct * task ;
struct mm_struct * mm ;
ino_t ino ;
int ret ;
ret = - EACCES ;
if ( ! capable ( CAP_SYS_ADMIN ) )
goto out ;
ret = - ENOENT ;
task = get_proc_task ( inode ) ;
if ( ! task )
goto out ;
ret = - EACCES ;
if ( lock_trace ( task ) )
goto out_put_task ;
ret = 0 ;
switch ( filp - > f_pos ) {
case 0 :
ino = inode - > i_ino ;
if ( filldir ( dirent , " . " , 1 , 0 , ino , DT_DIR ) < 0 )
goto out_unlock ;
filp - > f_pos + + ;
case 1 :
ino = parent_ino ( dentry ) ;
if ( filldir ( dirent , " .. " , 2 , 1 , ino , DT_DIR ) < 0 )
goto out_unlock ;
filp - > f_pos + + ;
default :
{
unsigned long nr_files , pos , i ;
struct flex_array * fa = NULL ;
struct map_files_info info ;
struct map_files_info * p ;
mm = get_task_mm ( task ) ;
if ( ! mm )
goto out_unlock ;
down_read ( & mm - > mmap_sem ) ;
nr_files = 0 ;
/*
* We need two passes here :
*
* 1 ) Collect vmas of mapped files with mmap_sem taken
* 2 ) Release mmap_sem and instantiate entries
*
* otherwise we get lockdep complained , since filldir ( )
* routine might require mmap_sem taken in might_fault ( ) .
*/
for ( vma = mm - > mmap , pos = 2 ; vma ; vma = vma - > vm_next ) {
if ( vma - > vm_file & & + + pos > filp - > f_pos )
nr_files + + ;
}
if ( nr_files ) {
fa = flex_array_alloc ( sizeof ( info ) , nr_files ,
GFP_KERNEL ) ;
if ( ! fa | | flex_array_prealloc ( fa , 0 , nr_files ,
GFP_KERNEL ) ) {
ret = - ENOMEM ;
if ( fa )
flex_array_free ( fa ) ;
up_read ( & mm - > mmap_sem ) ;
mmput ( mm ) ;
goto out_unlock ;
}
for ( i = 0 , vma = mm - > mmap , pos = 2 ; vma ;
vma = vma - > vm_next ) {
if ( ! vma - > vm_file )
continue ;
if ( + + pos < = filp - > f_pos )
continue ;
get_file ( vma - > vm_file ) ;
info . file = vma - > vm_file ;
info . len = snprintf ( info . name ,
sizeof ( info . name ) , " %lx-%lx " ,
vma - > vm_start , vma - > vm_end ) ;
if ( flex_array_put ( fa , i + + , & info , GFP_KERNEL ) )
BUG ( ) ;
}
}
up_read ( & mm - > mmap_sem ) ;
for ( i = 0 ; i < nr_files ; i + + ) {
p = flex_array_get ( fa , i ) ;
ret = proc_fill_cache ( filp , dirent , filldir ,
p - > name , p - > len ,
proc_map_files_instantiate ,
task , p - > file ) ;
if ( ret )
break ;
filp - > f_pos + + ;
fput ( p - > file ) ;
}
for ( ; i < nr_files ; i + + ) {
/*
* In case of error don ' t forget
* to put rest of file refs .
*/
p = flex_array_get ( fa , i ) ;
fput ( p - > file ) ;
}
if ( fa )
flex_array_free ( fa ) ;
mmput ( mm ) ;
}
}
out_unlock :
unlock_trace ( task ) ;
out_put_task :
put_task_struct ( task ) ;
out :
return ret ;
}
static const struct file_operations proc_map_files_operations = {
. read = generic_read_dir ,
. readdir = proc_map_files_readdir ,
. llseek = default_llseek ,
} ;
# endif /* CONFIG_CHECKPOINT_RESTORE */
2007-05-08 11:23:35 +04:00
/*
* / proc / pid / fd needs a special permission handler so that a process can still
* access / proc / self / fd after it has executed a setuid ( ) .
*/
2011-06-21 03:28:19 +04:00
static int proc_fd_permission ( struct inode * inode , int mask )
2007-05-08 11:23:35 +04:00
{
2011-06-21 03:16:29 +04:00
int rv = generic_permission ( inode , mask ) ;
2007-05-08 11:23:35 +04:00
if ( rv = = 0 )
return 0 ;
if ( task_pid ( current ) = = proc_pid ( inode ) )
rv = 0 ;
return rv ;
}
2005-04-17 02:20:36 +04:00
/*
* proc directories can do almost nothing . .
*/
2007-02-12 11:55:40 +03:00
static const struct inode_operations proc_fd_inode_operations = {
2005-04-17 02:20:36 +04:00
. lookup = proc_lookupfd ,
2007-05-08 11:23:35 +04:00
. permission = proc_fd_permission ,
2006-07-15 23:26:45 +04:00
. setattr = proc_setattr ,
2005-04-17 02:20:36 +04:00
} ;
2007-05-08 11:26:17 +04:00
static struct dentry * proc_fdinfo_instantiate ( struct inode * dir ,
struct dentry * dentry , struct task_struct * task , const void * ptr )
{
unsigned fd = * ( unsigned * ) ptr ;
struct inode * inode ;
struct proc_inode * ei ;
struct dentry * error = ERR_PTR ( - ENOENT ) ;
inode = proc_pid_make_inode ( dir - > i_sb , task ) ;
if ( ! inode )
goto out ;
ei = PROC_I ( inode ) ;
ei - > fd = fd ;
inode - > i_mode = S_IFREG | S_IRUSR ;
inode - > i_fop = & proc_fdinfo_file_operations ;
2011-01-07 09:49:55 +03:00
d_set_d_op ( dentry , & tid_fd_dentry_operations ) ;
2007-05-08 11:26:17 +04:00
d_add ( dentry , inode ) ;
/* Close the race of the process dying before we return the dentry */
if ( tid_fd_revalidate ( dentry , NULL ) )
error = NULL ;
out :
return error ;
}
static struct dentry * proc_lookupfdinfo ( struct inode * dir ,
struct dentry * dentry ,
struct nameidata * nd )
{
return proc_lookupfd_common ( dir , dentry , proc_fdinfo_instantiate ) ;
}
static int proc_readfdinfo ( struct file * filp , void * dirent , filldir_t filldir )
{
return proc_readfd_common ( filp , dirent , filldir ,
proc_fdinfo_instantiate ) ;
}
static const struct file_operations proc_fdinfo_operations = {
. read = generic_read_dir ,
. readdir = proc_readfdinfo ,
llseek: automatically add .llseek fop
All file_operations should get a .llseek operation so we can make
nonseekable_open the default for future file operations without a
.llseek pointer.
The three cases that we can automatically detect are no_llseek, seq_lseek
and default_llseek. For cases where we can we can automatically prove that
the file offset is always ignored, we use noop_llseek, which maintains
the current behavior of not returning an error from a seek.
New drivers should normally not use noop_llseek but instead use no_llseek
and call nonseekable_open at open time. Existing drivers can be converted
to do the same when the maintainer knows for certain that no user code
relies on calling seek on the device file.
The generated code is often incorrectly indented and right now contains
comments that clarify for each added line why a specific variant was
chosen. In the version that gets submitted upstream, the comments will
be gone and I will manually fix the indentation, because there does not
seem to be a way to do that using coccinelle.
Some amount of new code is currently sitting in linux-next that should get
the same modifications, which I will do at the end of the merge window.
Many thanks to Julia Lawall for helping me learn to write a semantic
patch that does all this.
===== begin semantic patch =====
// This adds an llseek= method to all file operations,
// as a preparation for making no_llseek the default.
//
// The rules are
// - use no_llseek explicitly if we do nonseekable_open
// - use seq_lseek for sequential files
// - use default_llseek if we know we access f_pos
// - use noop_llseek if we know we don't access f_pos,
// but we still want to allow users to call lseek
//
@ open1 exists @
identifier nested_open;
@@
nested_open(...)
{
<+...
nonseekable_open(...)
...+>
}
@ open exists@
identifier open_f;
identifier i, f;
identifier open1.nested_open;
@@
int open_f(struct inode *i, struct file *f)
{
<+...
(
nonseekable_open(...)
|
nested_open(...)
)
...+>
}
@ read disable optional_qualifier exists @
identifier read_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
expression E;
identifier func;
@@
ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
{
<+...
(
*off = E
|
*off += E
|
func(..., off, ...)
|
E = *off
)
...+>
}
@ read_no_fpos disable optional_qualifier exists @
identifier read_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
@@
ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
{
... when != off
}
@ write @
identifier write_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
expression E;
identifier func;
@@
ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
{
<+...
(
*off = E
|
*off += E
|
func(..., off, ...)
|
E = *off
)
...+>
}
@ write_no_fpos @
identifier write_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
@@
ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
{
... when != off
}
@ fops0 @
identifier fops;
@@
struct file_operations fops = {
...
};
@ has_llseek depends on fops0 @
identifier fops0.fops;
identifier llseek_f;
@@
struct file_operations fops = {
...
.llseek = llseek_f,
...
};
@ has_read depends on fops0 @
identifier fops0.fops;
identifier read_f;
@@
struct file_operations fops = {
...
.read = read_f,
...
};
@ has_write depends on fops0 @
identifier fops0.fops;
identifier write_f;
@@
struct file_operations fops = {
...
.write = write_f,
...
};
@ has_open depends on fops0 @
identifier fops0.fops;
identifier open_f;
@@
struct file_operations fops = {
...
.open = open_f,
...
};
// use no_llseek if we call nonseekable_open
////////////////////////////////////////////
@ nonseekable1 depends on !has_llseek && has_open @
identifier fops0.fops;
identifier nso ~= "nonseekable_open";
@@
struct file_operations fops = {
... .open = nso, ...
+.llseek = no_llseek, /* nonseekable */
};
@ nonseekable2 depends on !has_llseek @
identifier fops0.fops;
identifier open.open_f;
@@
struct file_operations fops = {
... .open = open_f, ...
+.llseek = no_llseek, /* open uses nonseekable */
};
// use seq_lseek for sequential files
/////////////////////////////////////
@ seq depends on !has_llseek @
identifier fops0.fops;
identifier sr ~= "seq_read";
@@
struct file_operations fops = {
... .read = sr, ...
+.llseek = seq_lseek, /* we have seq_read */
};
// use default_llseek if there is a readdir
///////////////////////////////////////////
@ fops1 depends on !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier readdir_e;
@@
// any other fop is used that changes pos
struct file_operations fops = {
... .readdir = readdir_e, ...
+.llseek = default_llseek, /* readdir is present */
};
// use default_llseek if at least one of read/write touches f_pos
/////////////////////////////////////////////////////////////////
@ fops2 depends on !fops1 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read.read_f;
@@
// read fops use offset
struct file_operations fops = {
... .read = read_f, ...
+.llseek = default_llseek, /* read accesses f_pos */
};
@ fops3 depends on !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier write.write_f;
@@
// write fops use offset
struct file_operations fops = {
... .write = write_f, ...
+ .llseek = default_llseek, /* write accesses f_pos */
};
// Use noop_llseek if neither read nor write accesses f_pos
///////////////////////////////////////////////////////////
@ fops4 depends on !fops1 && !fops2 && !fops3 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read_no_fpos.read_f;
identifier write_no_fpos.write_f;
@@
// write fops use offset
struct file_operations fops = {
...
.write = write_f,
.read = read_f,
...
+.llseek = noop_llseek, /* read and write both use no f_pos */
};
@ depends on has_write && !has_read && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier write_no_fpos.write_f;
@@
struct file_operations fops = {
... .write = write_f, ...
+.llseek = noop_llseek, /* write uses no f_pos */
};
@ depends on has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read_no_fpos.read_f;
@@
struct file_operations fops = {
... .read = read_f, ...
+.llseek = noop_llseek, /* read uses no f_pos */
};
@ depends on !has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
@@
struct file_operations fops = {
...
+.llseek = noop_llseek, /* no read or write fn */
};
===== End semantic patch =====
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Cc: Julia Lawall <julia@diku.dk>
Cc: Christoph Hellwig <hch@infradead.org>
2010-08-15 20:52:59 +04:00
. llseek = default_llseek ,
2007-05-08 11:26:17 +04:00
} ;
/*
* proc directories can do almost nothing . .
*/
static const struct inode_operations proc_fdinfo_inode_operations = {
. lookup = proc_lookupfdinfo ,
. setattr = proc_setattr ,
} ;
2006-10-02 13:18:49 +04:00
static struct dentry * proc_pident_instantiate ( struct inode * dir ,
2007-05-08 11:26:15 +04:00
struct dentry * dentry , struct task_struct * task , const void * ptr )
2006-10-02 13:18:49 +04:00
{
2007-05-08 11:26:15 +04:00
const struct pid_entry * p = ptr ;
2006-10-02 13:18:49 +04:00
struct inode * inode ;
struct proc_inode * ei ;
2009-05-29 01:34:21 +04:00
struct dentry * error = ERR_PTR ( - ENOENT ) ;
2006-10-02 13:18:49 +04:00
2006-10-02 13:18:49 +04:00
inode = proc_pid_make_inode ( dir - > i_sb , task ) ;
2006-10-02 13:18:49 +04:00
if ( ! inode )
goto out ;
ei = PROC_I ( inode ) ;
inode - > i_mode = p - > mode ;
if ( S_ISDIR ( inode - > i_mode ) )
2011-10-28 16:13:29 +04:00
set_nlink ( inode , 2 ) ; /* Use getattr to fix if necessary */
2006-10-02 13:18:49 +04:00
if ( p - > iop )
inode - > i_op = p - > iop ;
if ( p - > fop )
inode - > i_fop = p - > fop ;
ei - > op = p - > op ;
2011-01-07 09:49:55 +03:00
d_set_d_op ( dentry , & pid_dentry_operations ) ;
2006-10-02 13:18:49 +04:00
d_add ( dentry , inode ) ;
/* Close the race of the process dying before we return the dentry */
if ( pid_revalidate ( dentry , NULL ) )
error = NULL ;
out :
return error ;
}
2005-04-17 02:20:36 +04:00
static struct dentry * proc_pident_lookup ( struct inode * dir ,
struct dentry * dentry ,
2007-05-08 11:26:15 +04:00
const struct pid_entry * ents ,
2006-10-02 13:18:56 +04:00
unsigned int nents )
2005-04-17 02:20:36 +04:00
{
2006-06-26 11:25:49 +04:00
struct dentry * error ;
2006-06-26 11:25:55 +04:00
struct task_struct * task = get_proc_task ( dir ) ;
2007-05-08 11:26:15 +04:00
const struct pid_entry * p , * last ;
2005-04-17 02:20:36 +04:00
2006-06-26 11:25:49 +04:00
error = ERR_PTR ( - ENOENT ) ;
2005-04-17 02:20:36 +04:00
2006-06-26 11:25:55 +04:00
if ( ! task )
goto out_no_task ;
2005-04-17 02:20:36 +04:00
2006-10-02 13:17:07 +04:00
/*
* Yes , it does not scale . And it should not . Don ' t add
* new entries into / proc / < tgid > / without very good reasons .
*/
2006-10-02 13:18:56 +04:00
last = & ents [ nents - 1 ] ;
for ( p = ents ; p < = last ; p + + ) {
2005-04-17 02:20:36 +04:00
if ( p - > len ! = dentry - > d_name . len )
continue ;
if ( ! memcmp ( dentry - > d_name . name , p - > name , p - > len ) )
break ;
}
2006-10-02 13:18:56 +04:00
if ( p > last )
2005-04-17 02:20:36 +04:00
goto out ;
2006-10-02 13:18:49 +04:00
error = proc_pident_instantiate ( dir , dentry , task , p ) ;
2005-04-17 02:20:36 +04:00
out :
2006-06-26 11:25:55 +04:00
put_task_struct ( task ) ;
out_no_task :
2006-06-26 11:25:49 +04:00
return error ;
2005-04-17 02:20:36 +04:00
}
2007-05-08 11:26:15 +04:00
static int proc_pident_fill_cache ( struct file * filp , void * dirent ,
filldir_t filldir , struct task_struct * task , const struct pid_entry * p )
2006-10-02 13:18:49 +04:00
{
return proc_fill_cache ( filp , dirent , filldir , p - > name , p - > len ,
proc_pident_instantiate , task , p ) ;
}
2006-10-02 13:17:05 +04:00
static int proc_pident_readdir ( struct file * filp ,
void * dirent , filldir_t filldir ,
2007-05-08 11:26:15 +04:00
const struct pid_entry * ents , unsigned int nents )
2006-10-02 13:17:05 +04:00
{
int i ;
2006-12-08 13:36:36 +03:00
struct dentry * dentry = filp - > f_path . dentry ;
2006-10-02 13:17:05 +04:00
struct inode * inode = dentry - > d_inode ;
struct task_struct * task = get_proc_task ( inode ) ;
2007-05-08 11:26:15 +04:00
const struct pid_entry * p , * last ;
2006-10-02 13:17:05 +04:00
ino_t ino ;
int ret ;
ret = - ENOENT ;
if ( ! task )
2006-10-02 13:18:49 +04:00
goto out_no_task ;
2006-10-02 13:17:05 +04:00
ret = 0 ;
i = filp - > f_pos ;
switch ( i ) {
case 0 :
ino = inode - > i_ino ;
if ( filldir ( dirent , " . " , 1 , i , ino , DT_DIR ) < 0 )
goto out ;
i + + ;
filp - > f_pos + + ;
/* fall through */
case 1 :
ino = parent_ino ( dentry ) ;
if ( filldir ( dirent , " .. " , 2 , i , ino , DT_DIR ) < 0 )
goto out ;
i + + ;
filp - > f_pos + + ;
/* fall through */
default :
i - = 2 ;
if ( i > = nents ) {
ret = 1 ;
goto out ;
}
p = ents + i ;
2006-10-02 13:18:56 +04:00
last = & ents [ nents - 1 ] ;
while ( p < = last ) {
2006-10-02 13:18:49 +04:00
if ( proc_pident_fill_cache ( filp , dirent , filldir , task , p ) < 0 )
2006-10-02 13:17:05 +04:00
goto out ;
filp - > f_pos + + ;
p + + ;
}
}
ret = 1 ;
out :
2006-10-02 13:18:49 +04:00
put_task_struct ( task ) ;
out_no_task :
2006-10-02 13:17:05 +04:00
return ret ;
2005-04-17 02:20:36 +04:00
}
2006-10-02 13:17:05 +04:00
# ifdef CONFIG_SECURITY
static ssize_t proc_pid_attr_read ( struct file * file , char __user * buf ,
size_t count , loff_t * ppos )
{
2006-12-08 13:36:36 +03:00
struct inode * inode = file - > f_path . dentry - > d_inode ;
2007-03-12 19:17:58 +03:00
char * p = NULL ;
2006-10-02 13:17:05 +04:00
ssize_t length ;
struct task_struct * task = get_proc_task ( inode ) ;
if ( ! task )
2007-03-12 19:17:58 +03:00
return - ESRCH ;
2006-10-02 13:17:05 +04:00
length = security_getprocattr ( task ,
2006-12-08 13:36:36 +03:00
( char * ) file - > f_path . dentry - > d_name . name ,
2007-03-12 19:17:58 +03:00
& p ) ;
2006-10-02 13:17:05 +04:00
put_task_struct ( task ) ;
2007-03-12 19:17:58 +03:00
if ( length > 0 )
length = simple_read_from_buffer ( buf , count , ppos , p , length ) ;
kfree ( p ) ;
2006-10-02 13:17:05 +04:00
return length ;
2005-04-17 02:20:36 +04:00
}
2006-10-02 13:17:05 +04:00
static ssize_t proc_pid_attr_write ( struct file * file , const char __user * buf ,
size_t count , loff_t * ppos )
{
2006-12-08 13:36:36 +03:00
struct inode * inode = file - > f_path . dentry - > d_inode ;
2006-10-02 13:17:05 +04:00
char * page ;
ssize_t length ;
struct task_struct * task = get_proc_task ( inode ) ;
length = - ESRCH ;
if ( ! task )
goto out_no_task ;
if ( count > PAGE_SIZE )
count = PAGE_SIZE ;
/* No partial writes. */
length = - EINVAL ;
if ( * ppos ! = 0 )
goto out ;
length = - ENOMEM ;
2007-10-16 12:25:52 +04:00
page = ( char * ) __get_free_page ( GFP_TEMPORARY ) ;
2006-10-02 13:17:05 +04:00
if ( ! page )
goto out ;
length = - EFAULT ;
if ( copy_from_user ( page , buf , count ) )
goto out_free ;
2009-05-08 16:55:27 +04:00
/* Guard against adverse ptrace interaction */
2010-10-28 02:34:08 +04:00
length = mutex_lock_interruptible ( & task - > signal - > cred_guard_mutex ) ;
2009-05-08 16:55:27 +04:00
if ( length < 0 )
goto out_free ;
2006-10-02 13:17:05 +04:00
length = security_setprocattr ( task ,
2006-12-08 13:36:36 +03:00
( char * ) file - > f_path . dentry - > d_name . name ,
2006-10-02 13:17:05 +04:00
( void * ) page , count ) ;
2010-10-28 02:34:08 +04:00
mutex_unlock ( & task - > signal - > cred_guard_mutex ) ;
2006-10-02 13:17:05 +04:00
out_free :
free_page ( ( unsigned long ) page ) ;
out :
put_task_struct ( task ) ;
out_no_task :
return length ;
}
2007-02-12 11:55:34 +03:00
static const struct file_operations proc_pid_attr_operations = {
2006-10-02 13:17:05 +04:00
. read = proc_pid_attr_read ,
. write = proc_pid_attr_write ,
2010-03-18 01:06:02 +03:00
. llseek = generic_file_llseek ,
2006-10-02 13:17:05 +04:00
} ;
2007-05-08 11:26:15 +04:00
static const struct pid_entry attr_dir_stuff [ ] = {
2008-11-10 01:32:52 +03:00
REG ( " current " , S_IRUGO | S_IWUGO , proc_pid_attr_operations ) ,
REG ( " prev " , S_IRUGO , proc_pid_attr_operations ) ,
REG ( " exec " , S_IRUGO | S_IWUGO , proc_pid_attr_operations ) ,
REG ( " fscreate " , S_IRUGO | S_IWUGO , proc_pid_attr_operations ) ,
REG ( " keycreate " , S_IRUGO | S_IWUGO , proc_pid_attr_operations ) ,
REG ( " sockcreate " , S_IRUGO | S_IWUGO , proc_pid_attr_operations ) ,
2006-10-02 13:17:05 +04:00
} ;
2006-10-02 13:18:50 +04:00
static int proc_attr_dir_readdir ( struct file * filp ,
2006-10-02 13:17:05 +04:00
void * dirent , filldir_t filldir )
{
return proc_pident_readdir ( filp , dirent , filldir ,
2006-10-02 13:18:50 +04:00
attr_dir_stuff , ARRAY_SIZE ( attr_dir_stuff ) ) ;
2006-10-02 13:17:05 +04:00
}
2007-02-12 11:55:34 +03:00
static const struct file_operations proc_attr_dir_operations = {
2005-04-17 02:20:36 +04:00
. read = generic_read_dir ,
2006-10-02 13:18:50 +04:00
. readdir = proc_attr_dir_readdir ,
llseek: automatically add .llseek fop
All file_operations should get a .llseek operation so we can make
nonseekable_open the default for future file operations without a
.llseek pointer.
The three cases that we can automatically detect are no_llseek, seq_lseek
and default_llseek. For cases where we can we can automatically prove that
the file offset is always ignored, we use noop_llseek, which maintains
the current behavior of not returning an error from a seek.
New drivers should normally not use noop_llseek but instead use no_llseek
and call nonseekable_open at open time. Existing drivers can be converted
to do the same when the maintainer knows for certain that no user code
relies on calling seek on the device file.
The generated code is often incorrectly indented and right now contains
comments that clarify for each added line why a specific variant was
chosen. In the version that gets submitted upstream, the comments will
be gone and I will manually fix the indentation, because there does not
seem to be a way to do that using coccinelle.
Some amount of new code is currently sitting in linux-next that should get
the same modifications, which I will do at the end of the merge window.
Many thanks to Julia Lawall for helping me learn to write a semantic
patch that does all this.
===== begin semantic patch =====
// This adds an llseek= method to all file operations,
// as a preparation for making no_llseek the default.
//
// The rules are
// - use no_llseek explicitly if we do nonseekable_open
// - use seq_lseek for sequential files
// - use default_llseek if we know we access f_pos
// - use noop_llseek if we know we don't access f_pos,
// but we still want to allow users to call lseek
//
@ open1 exists @
identifier nested_open;
@@
nested_open(...)
{
<+...
nonseekable_open(...)
...+>
}
@ open exists@
identifier open_f;
identifier i, f;
identifier open1.nested_open;
@@
int open_f(struct inode *i, struct file *f)
{
<+...
(
nonseekable_open(...)
|
nested_open(...)
)
...+>
}
@ read disable optional_qualifier exists @
identifier read_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
expression E;
identifier func;
@@
ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
{
<+...
(
*off = E
|
*off += E
|
func(..., off, ...)
|
E = *off
)
...+>
}
@ read_no_fpos disable optional_qualifier exists @
identifier read_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
@@
ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
{
... when != off
}
@ write @
identifier write_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
expression E;
identifier func;
@@
ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
{
<+...
(
*off = E
|
*off += E
|
func(..., off, ...)
|
E = *off
)
...+>
}
@ write_no_fpos @
identifier write_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
@@
ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
{
... when != off
}
@ fops0 @
identifier fops;
@@
struct file_operations fops = {
...
};
@ has_llseek depends on fops0 @
identifier fops0.fops;
identifier llseek_f;
@@
struct file_operations fops = {
...
.llseek = llseek_f,
...
};
@ has_read depends on fops0 @
identifier fops0.fops;
identifier read_f;
@@
struct file_operations fops = {
...
.read = read_f,
...
};
@ has_write depends on fops0 @
identifier fops0.fops;
identifier write_f;
@@
struct file_operations fops = {
...
.write = write_f,
...
};
@ has_open depends on fops0 @
identifier fops0.fops;
identifier open_f;
@@
struct file_operations fops = {
...
.open = open_f,
...
};
// use no_llseek if we call nonseekable_open
////////////////////////////////////////////
@ nonseekable1 depends on !has_llseek && has_open @
identifier fops0.fops;
identifier nso ~= "nonseekable_open";
@@
struct file_operations fops = {
... .open = nso, ...
+.llseek = no_llseek, /* nonseekable */
};
@ nonseekable2 depends on !has_llseek @
identifier fops0.fops;
identifier open.open_f;
@@
struct file_operations fops = {
... .open = open_f, ...
+.llseek = no_llseek, /* open uses nonseekable */
};
// use seq_lseek for sequential files
/////////////////////////////////////
@ seq depends on !has_llseek @
identifier fops0.fops;
identifier sr ~= "seq_read";
@@
struct file_operations fops = {
... .read = sr, ...
+.llseek = seq_lseek, /* we have seq_read */
};
// use default_llseek if there is a readdir
///////////////////////////////////////////
@ fops1 depends on !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier readdir_e;
@@
// any other fop is used that changes pos
struct file_operations fops = {
... .readdir = readdir_e, ...
+.llseek = default_llseek, /* readdir is present */
};
// use default_llseek if at least one of read/write touches f_pos
/////////////////////////////////////////////////////////////////
@ fops2 depends on !fops1 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read.read_f;
@@
// read fops use offset
struct file_operations fops = {
... .read = read_f, ...
+.llseek = default_llseek, /* read accesses f_pos */
};
@ fops3 depends on !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier write.write_f;
@@
// write fops use offset
struct file_operations fops = {
... .write = write_f, ...
+ .llseek = default_llseek, /* write accesses f_pos */
};
// Use noop_llseek if neither read nor write accesses f_pos
///////////////////////////////////////////////////////////
@ fops4 depends on !fops1 && !fops2 && !fops3 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read_no_fpos.read_f;
identifier write_no_fpos.write_f;
@@
// write fops use offset
struct file_operations fops = {
...
.write = write_f,
.read = read_f,
...
+.llseek = noop_llseek, /* read and write both use no f_pos */
};
@ depends on has_write && !has_read && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier write_no_fpos.write_f;
@@
struct file_operations fops = {
... .write = write_f, ...
+.llseek = noop_llseek, /* write uses no f_pos */
};
@ depends on has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read_no_fpos.read_f;
@@
struct file_operations fops = {
... .read = read_f, ...
+.llseek = noop_llseek, /* read uses no f_pos */
};
@ depends on !has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
@@
struct file_operations fops = {
...
+.llseek = noop_llseek, /* no read or write fn */
};
===== End semantic patch =====
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Cc: Julia Lawall <julia@diku.dk>
Cc: Christoph Hellwig <hch@infradead.org>
2010-08-15 20:52:59 +04:00
. llseek = default_llseek ,
2005-04-17 02:20:36 +04:00
} ;
2006-10-02 13:18:50 +04:00
static struct dentry * proc_attr_dir_lookup ( struct inode * dir ,
2006-10-02 13:17:05 +04:00
struct dentry * dentry , struct nameidata * nd )
{
2006-10-02 13:18:56 +04:00
return proc_pident_lookup ( dir , dentry ,
attr_dir_stuff , ARRAY_SIZE ( attr_dir_stuff ) ) ;
2006-10-02 13:17:05 +04:00
}
2007-02-12 11:55:40 +03:00
static const struct inode_operations proc_attr_dir_inode_operations = {
2006-10-02 13:18:50 +04:00
. lookup = proc_attr_dir_lookup ,
2006-06-26 11:25:55 +04:00
. getattr = pid_getattr ,
2006-07-15 23:26:45 +04:00
. setattr = proc_setattr ,
2005-04-17 02:20:36 +04:00
} ;
2006-10-02 13:17:05 +04:00
# endif
2009-12-16 03:47:37 +03:00
# ifdef CONFIG_ELF_CORE
2007-07-19 12:48:28 +04:00
static ssize_t proc_coredump_filter_read ( struct file * file , char __user * buf ,
size_t count , loff_t * ppos )
{
struct task_struct * task = get_proc_task ( file - > f_dentry - > d_inode ) ;
struct mm_struct * mm ;
char buffer [ PROC_NUMBUF ] ;
size_t len ;
int ret ;
if ( ! task )
return - ESRCH ;
ret = 0 ;
mm = get_task_mm ( task ) ;
if ( mm ) {
len = snprintf ( buffer , sizeof ( buffer ) , " %08lx \n " ,
( ( mm - > flags & MMF_DUMP_FILTER_MASK ) > >
MMF_DUMP_FILTER_SHIFT ) ) ;
mmput ( mm ) ;
ret = simple_read_from_buffer ( buf , count , ppos , buffer , len ) ;
}
put_task_struct ( task ) ;
return ret ;
}
static ssize_t proc_coredump_filter_write ( struct file * file ,
const char __user * buf ,
size_t count ,
loff_t * ppos )
{
struct task_struct * task ;
struct mm_struct * mm ;
char buffer [ PROC_NUMBUF ] , * end ;
unsigned int val ;
int ret ;
int i ;
unsigned long mask ;
ret = - EFAULT ;
memset ( buffer , 0 , sizeof ( buffer ) ) ;
if ( count > sizeof ( buffer ) - 1 )
count = sizeof ( buffer ) - 1 ;
if ( copy_from_user ( buffer , buf , count ) )
goto out_no_task ;
ret = - EINVAL ;
val = ( unsigned int ) simple_strtoul ( buffer , & end , 0 ) ;
if ( * end = = ' \n ' )
end + + ;
if ( end - buffer = = 0 )
goto out_no_task ;
ret = - ESRCH ;
task = get_proc_task ( file - > f_dentry - > d_inode ) ;
if ( ! task )
goto out_no_task ;
ret = end - buffer ;
mm = get_task_mm ( task ) ;
if ( ! mm )
goto out_no_mm ;
for ( i = 0 , mask = 1 ; i < MMF_DUMP_FILTER_BITS ; i + + , mask < < = 1 ) {
if ( val & mask )
set_bit ( i + MMF_DUMP_FILTER_SHIFT , & mm - > flags ) ;
else
clear_bit ( i + MMF_DUMP_FILTER_SHIFT , & mm - > flags ) ;
}
mmput ( mm ) ;
out_no_mm :
put_task_struct ( task ) ;
out_no_task :
return ret ;
}
static const struct file_operations proc_coredump_filter_operations = {
. read = proc_coredump_filter_read ,
. write = proc_coredump_filter_write ,
2010-03-18 01:06:02 +03:00
. llseek = generic_file_llseek ,
2007-07-19 12:48:28 +04:00
} ;
# endif
2006-10-02 13:17:05 +04:00
/*
* / proc / self :
*/
static int proc_self_readlink ( struct dentry * dentry , char __user * buffer ,
int buflen )
{
2008-02-08 15:18:34 +03:00
struct pid_namespace * ns = dentry - > d_sb - > s_fs_info ;
2008-02-09 02:00:43 +03:00
pid_t tgid = task_tgid_nr_ns ( current , ns ) ;
2006-10-02 13:17:05 +04:00
char tmp [ PROC_NUMBUF ] ;
2008-02-09 02:00:43 +03:00
if ( ! tgid )
2008-02-08 15:18:34 +03:00
return - ENOENT ;
2008-02-09 02:00:43 +03:00
sprintf ( tmp , " %d " , tgid ) ;
2006-10-02 13:17:05 +04:00
return vfs_readlink ( dentry , buffer , buflen , tmp ) ;
}
static void * proc_self_follow_link ( struct dentry * dentry , struct nameidata * nd )
{
2008-02-08 15:18:34 +03:00
struct pid_namespace * ns = dentry - > d_sb - > s_fs_info ;
2008-02-09 02:00:43 +03:00
pid_t tgid = task_tgid_nr_ns ( current , ns ) ;
2010-01-14 09:03:28 +03:00
char * name = ERR_PTR ( - ENOENT ) ;
if ( tgid ) {
name = __getname ( ) ;
if ( ! name )
name = ERR_PTR ( - ENOMEM ) ;
else
sprintf ( name , " %d " , tgid ) ;
}
nd_set_link ( nd , name ) ;
return NULL ;
}
static void proc_self_put_link ( struct dentry * dentry , struct nameidata * nd ,
void * cookie )
{
char * s = nd_get_link ( nd ) ;
if ( ! IS_ERR ( s ) )
__putname ( s ) ;
2006-10-02 13:17:05 +04:00
}
2007-02-12 11:55:40 +03:00
static const struct inode_operations proc_self_inode_operations = {
2006-10-02 13:17:05 +04:00
. readlink = proc_self_readlink ,
. follow_link = proc_self_follow_link ,
2010-01-14 09:03:28 +03:00
. put_link = proc_self_put_link ,
2006-10-02 13:17:05 +04:00
} ;
2006-10-02 13:18:48 +04:00
/*
* proc base
*
* These are the directory entries in the root directory of / proc
* that properly belong to the / proc filesystem , as they describe
* describe something that is process related .
*/
2007-05-08 11:26:15 +04:00
static const struct pid_entry proc_base_stuff [ ] = {
2006-10-02 13:18:49 +04:00
NOD ( " self " , S_IFLNK | S_IRWXUGO ,
2006-10-02 13:18:48 +04:00
& proc_self_inode_operations , NULL , { } ) ,
} ;
2006-10-02 13:18:49 +04:00
static struct dentry * proc_base_instantiate ( struct inode * dir ,
2007-05-08 11:26:15 +04:00
struct dentry * dentry , struct task_struct * task , const void * ptr )
2006-10-02 13:18:48 +04:00
{
2007-05-08 11:26:15 +04:00
const struct pid_entry * p = ptr ;
2006-10-02 13:18:48 +04:00
struct inode * inode ;
struct proc_inode * ei ;
2010-05-27 01:43:25 +04:00
struct dentry * error ;
2006-10-02 13:18:48 +04:00
/* Allocate the inode */
error = ERR_PTR ( - ENOMEM ) ;
inode = new_inode ( dir - > i_sb ) ;
if ( ! inode )
goto out ;
/* Initialize the inode */
ei = PROC_I ( inode ) ;
2010-10-23 19:19:54 +04:00
inode - > i_ino = get_next_ino ( ) ;
2006-10-02 13:18:48 +04:00
inode - > i_mtime = inode - > i_atime = inode - > i_ctime = CURRENT_TIME ;
/*
* grab the reference to the task .
*/
2006-10-02 13:18:59 +04:00
ei - > pid = get_task_pid ( task , PIDTYPE_PID ) ;
2006-10-02 13:18:48 +04:00
if ( ! ei - > pid )
goto out_iput ;
inode - > i_mode = p - > mode ;
if ( S_ISDIR ( inode - > i_mode ) )
2011-10-28 16:13:29 +04:00
set_nlink ( inode , 2 ) ;
2006-10-02 13:18:48 +04:00
if ( S_ISLNK ( inode - > i_mode ) )
inode - > i_size = 64 ;
if ( p - > iop )
inode - > i_op = p - > iop ;
if ( p - > fop )
inode - > i_fop = p - > fop ;
ei - > op = p - > op ;
d_add ( dentry , inode ) ;
error = NULL ;
out :
return error ;
out_iput :
iput ( inode ) ;
goto out ;
}
2006-10-02 13:18:49 +04:00
static struct dentry * proc_base_lookup ( struct inode * dir , struct dentry * dentry )
{
struct dentry * error ;
struct task_struct * task = get_proc_task ( dir ) ;
2007-05-08 11:26:15 +04:00
const struct pid_entry * p , * last ;
2006-10-02 13:18:49 +04:00
error = ERR_PTR ( - ENOENT ) ;
if ( ! task )
goto out_no_task ;
/* Lookup the directory entry */
2006-10-02 13:18:56 +04:00
last = & proc_base_stuff [ ARRAY_SIZE ( proc_base_stuff ) - 1 ] ;
for ( p = proc_base_stuff ; p < = last ; p + + ) {
2006-10-02 13:18:49 +04:00
if ( p - > len ! = dentry - > d_name . len )
continue ;
if ( ! memcmp ( dentry - > d_name . name , p - > name , p - > len ) )
break ;
}
2006-10-02 13:18:56 +04:00
if ( p > last )
2006-10-02 13:18:49 +04:00
goto out ;
error = proc_base_instantiate ( dir , dentry , task , p ) ;
out :
put_task_struct ( task ) ;
out_no_task :
return error ;
}
2007-05-08 11:26:15 +04:00
static int proc_base_fill_cache ( struct file * filp , void * dirent ,
filldir_t filldir , struct task_struct * task , const struct pid_entry * p )
2006-10-02 13:18:49 +04:00
{
return proc_fill_cache ( filp , dirent , filldir , p - > name , p - > len ,
proc_base_instantiate , task , p ) ;
}
2006-12-10 13:19:48 +03:00
# ifdef CONFIG_TASK_IO_ACCOUNTING
2008-07-25 12:48:49 +04:00
static int do_io_accounting ( struct task_struct * task , char * buffer , int whole )
{
2008-07-28 02:48:12 +04:00
struct task_io_accounting acct = task - > ioac ;
2008-07-27 19:29:15 +04:00
unsigned long flags ;
2011-07-27 03:08:38 +04:00
int result ;
2008-07-27 19:29:15 +04:00
2011-07-27 03:08:38 +04:00
result = mutex_lock_killable ( & task - > signal - > cred_guard_mutex ) ;
if ( result )
return result ;
if ( ! ptrace_may_access ( task , PTRACE_MODE_READ ) ) {
result = - EACCES ;
goto out_unlock ;
}
2011-06-24 16:08:38 +04:00
2008-07-27 19:29:15 +04:00
if ( whole & & lock_task_sighand ( task , & flags ) ) {
struct task_struct * t = task ;
task_io_accounting_add ( & acct , & task - > signal - > ioac ) ;
while_each_thread ( task , t )
task_io_accounting_add ( & acct , & t - > ioac ) ;
unlock_task_sighand ( task , & flags ) ;
2008-07-25 12:48:49 +04:00
}
2011-07-27 03:08:38 +04:00
result = sprintf ( buffer ,
2006-12-10 13:19:48 +03:00
" rchar: %llu \n "
" wchar: %llu \n "
" syscr: %llu \n "
" syscw: %llu \n "
" read_bytes: %llu \n "
" write_bytes: %llu \n "
" cancelled_write_bytes: %llu \n " ,
2008-08-06 00:01:34 +04:00
( unsigned long long ) acct . rchar ,
( unsigned long long ) acct . wchar ,
( unsigned long long ) acct . syscr ,
( unsigned long long ) acct . syscw ,
( unsigned long long ) acct . read_bytes ,
( unsigned long long ) acct . write_bytes ,
( unsigned long long ) acct . cancelled_write_bytes ) ;
2011-07-27 03:08:38 +04:00
out_unlock :
mutex_unlock ( & task - > signal - > cred_guard_mutex ) ;
return result ;
2008-07-25 12:48:49 +04:00
}
static int proc_tid_io_accounting ( struct task_struct * task , char * buffer )
{
return do_io_accounting ( task , buffer , 0 ) ;
2006-12-10 13:19:48 +03:00
}
2008-07-25 12:48:49 +04:00
static int proc_tgid_io_accounting ( struct task_struct * task , char * buffer )
{
return do_io_accounting ( task , buffer , 1 ) ;
}
# endif /* CONFIG_TASK_IO_ACCOUNTING */
2006-12-10 13:19:48 +03:00
2008-10-06 03:11:58 +04:00
static int proc_pid_personality ( struct seq_file * m , struct pid_namespace * ns ,
struct pid * pid , struct task_struct * task )
{
2011-03-23 22:52:50 +03:00
int err = lock_trace ( task ) ;
if ( ! err ) {
seq_printf ( m , " %08x \n " , task - > personality ) ;
unlock_trace ( task ) ;
}
return err ;
2008-10-06 03:11:58 +04:00
}
2006-10-02 13:17:05 +04:00
/*
* Thread groups
*/
2007-02-12 11:55:34 +03:00
static const struct file_operations proc_task_operations ;
2007-02-12 11:55:40 +03:00
static const struct inode_operations proc_task_inode_operations ;
2006-10-02 13:17:07 +04:00
2007-05-08 11:26:15 +04:00
static const struct pid_entry tgid_base_stuff [ ] = {
2008-11-10 01:32:52 +03:00
DIR ( " task " , S_IRUGO | S_IXUGO , proc_task_inode_operations , proc_task_operations ) ,
DIR ( " fd " , S_IRUSR | S_IXUSR , proc_fd_inode_operations , proc_fd_operations ) ,
2012-01-11 03:11:23 +04:00
# ifdef CONFIG_CHECKPOINT_RESTORE
DIR ( " map_files " , S_IRUSR | S_IXUSR , proc_map_files_inode_operations , proc_map_files_operations ) ,
# endif
2008-11-10 01:32:52 +03:00
DIR ( " fdinfo " , S_IRUSR | S_IXUSR , proc_fdinfo_inode_operations , proc_fdinfo_operations ) ,
2010-03-08 03:41:34 +03:00
DIR ( " ns " , S_IRUSR | S_IXUGO , proc_ns_dir_inode_operations , proc_ns_dir_operations ) ,
2008-03-12 04:03:35 +03:00
# ifdef CONFIG_NET
2008-11-10 01:32:52 +03:00
DIR ( " net " , S_IRUGO | S_IXUGO , proc_net_inode_operations , proc_net_operations ) ,
2008-03-12 04:03:35 +03:00
# endif
2008-11-10 01:32:52 +03:00
REG ( " environ " , S_IRUSR , proc_environ_operations ) ,
INF ( " auxv " , S_IRUSR , proc_pid_auxv ) ,
ONE ( " status " , S_IRUGO , proc_pid_status ) ,
2011-03-23 22:52:50 +03:00
ONE ( " personality " , S_IRUGO , proc_pid_personality ) ,
2010-10-01 02:15:33 +04:00
INF ( " limits " , S_IRUGO , proc_pid_limits ) ,
2007-07-09 20:52:00 +04:00
# ifdef CONFIG_SCHED_DEBUG
2008-11-10 01:32:52 +03:00
REG ( " sched " , S_IRUGO | S_IWUSR , proc_pid_sched_operations ) ,
sched: Add 'autogroup' scheduling feature: automated per session task groups
A recurring complaint from CFS users is that parallel kbuild has
a negative impact on desktop interactivity. This patch
implements an idea from Linus, to automatically create task
groups. Currently, only per session autogroups are implemented,
but the patch leaves the way open for enhancement.
Implementation: each task's signal struct contains an inherited
pointer to a refcounted autogroup struct containing a task group
pointer, the default for all tasks pointing to the
init_task_group. When a task calls setsid(), a new task group
is created, the process is moved into the new task group, and a
reference to the preveious task group is dropped. Child
processes inherit this task group thereafter, and increase it's
refcount. When the last thread of a process exits, the
process's reference is dropped, such that when the last process
referencing an autogroup exits, the autogroup is destroyed.
At runqueue selection time, IFF a task has no cgroup assignment,
its current autogroup is used.
Autogroup bandwidth is controllable via setting it's nice level
through the proc filesystem:
cat /proc/<pid>/autogroup
Displays the task's group and the group's nice level.
echo <nice level> > /proc/<pid>/autogroup
Sets the task group's shares to the weight of nice <level> task.
Setting nice level is rate limited for !admin users due to the
abuse risk of task group locking.
The feature is enabled from boot by default if
CONFIG_SCHED_AUTOGROUP=y is selected, but can be disabled via
the boot option noautogroup, and can also be turned on/off on
the fly via:
echo [01] > /proc/sys/kernel/sched_autogroup_enabled
... which will automatically move tasks to/from the root task group.
Signed-off-by: Mike Galbraith <efault@gmx.de>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Markus Trippelsdorf <markus@trippelsdorf.de>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Paul Turner <pjt@google.com>
Cc: Oleg Nesterov <oleg@redhat.com>
[ Removed the task_group_path() debug code, and fixed !EVENTFD build failure. ]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
LKML-Reference: <1290281700.28711.9.camel@maggy.simson.net>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2010-11-30 16:18:03 +03:00
# endif
# ifdef CONFIG_SCHED_AUTOGROUP
REG ( " autogroup " , S_IRUGO | S_IWUSR , proc_pid_sched_autogroup_operations ) ,
2008-07-26 06:46:00 +04:00
# endif
2009-12-15 05:00:05 +03:00
REG ( " comm " , S_IRUGO | S_IWUSR , proc_pid_set_comm_operations ) ,
2008-07-26 06:46:00 +04:00
# ifdef CONFIG_HAVE_ARCH_TRACEHOOK
2011-03-23 22:52:50 +03:00
INF ( " syscall " , S_IRUGO , proc_pid_syscall ) ,
2007-07-09 20:52:00 +04:00
# endif
2008-11-10 01:32:52 +03:00
INF ( " cmdline " , S_IRUGO , proc_pid_cmdline ) ,
ONE ( " stat " , S_IRUGO , proc_tgid_stat ) ,
ONE ( " statm " , S_IRUGO , proc_pid_statm ) ,
REG ( " maps " , S_IRUGO , proc_maps_operations ) ,
2006-10-02 13:17:05 +04:00
# ifdef CONFIG_NUMA
2008-11-10 01:32:52 +03:00
REG ( " numa_maps " , S_IRUGO , proc_numa_maps_operations ) ,
2006-10-02 13:17:05 +04:00
# endif
2008-11-10 01:32:52 +03:00
REG ( " mem " , S_IRUSR | S_IWUSR , proc_mem_operations ) ,
LNK ( " cwd " , proc_cwd_link ) ,
LNK ( " root " , proc_root_link ) ,
LNK ( " exe " , proc_exe_link ) ,
REG ( " mounts " , S_IRUGO , proc_mounts_operations ) ,
REG ( " mountinfo " , S_IRUGO , proc_mountinfo_operations ) ,
REG ( " mountstats " , S_IRUSR , proc_mountstats_operations ) ,
2008-02-05 09:29:07 +03:00
# ifdef CONFIG_PROC_PAGE_MONITOR
2008-11-10 01:32:52 +03:00
REG ( " clear_refs " , S_IWUSR , proc_clear_refs_operations ) ,
REG ( " smaps " , S_IRUGO , proc_smaps_operations ) ,
2011-02-16 06:04:37 +03:00
REG ( " pagemap " , S_IRUGO , proc_pagemap_operations ) ,
2006-10-02 13:17:05 +04:00
# endif
# ifdef CONFIG_SECURITY
2008-11-10 01:32:52 +03:00
DIR ( " attr " , S_IRUGO | S_IXUGO , proc_attr_dir_inode_operations , proc_attr_dir_operations ) ,
2006-10-02 13:17:05 +04:00
# endif
# ifdef CONFIG_KALLSYMS
2008-11-10 01:32:52 +03:00
INF ( " wchan " , S_IRUGO , proc_pid_wchan ) ,
2006-10-02 13:17:05 +04:00
# endif
2008-11-10 11:26:08 +03:00
# ifdef CONFIG_STACKTRACE
2011-03-23 22:52:50 +03:00
ONE ( " stack " , S_IRUGO , proc_pid_stack ) ,
2006-10-02 13:17:05 +04:00
# endif
# ifdef CONFIG_SCHEDSTATS
2008-11-10 01:32:52 +03:00
INF ( " schedstat " , S_IRUGO , proc_pid_schedstat ) ,
2006-10-02 13:17:05 +04:00
# endif
2008-01-25 23:08:34 +03:00
# ifdef CONFIG_LATENCYTOP
2008-11-10 01:32:52 +03:00
REG ( " latency " , S_IRUGO , proc_lstats_operations ) ,
2008-01-25 23:08:34 +03:00
# endif
2007-10-19 10:39:39 +04:00
# ifdef CONFIG_PROC_PID_CPUSET
2008-11-10 01:32:52 +03:00
REG ( " cpuset " , S_IRUGO , proc_cpuset_operations ) ,
2007-10-19 10:39:35 +04:00
# endif
# ifdef CONFIG_CGROUPS
2008-11-10 01:32:52 +03:00
REG ( " cgroup " , S_IRUGO , proc_cgroup_operations ) ,
2006-10-02 13:17:05 +04:00
# endif
2008-11-10 01:32:52 +03:00
INF ( " oom_score " , S_IRUGO , proc_oom_score ) ,
REG ( " oom_adj " , S_IRUGO | S_IWUSR , proc_oom_adjust_operations ) ,
oom: badness heuristic rewrite
This a complete rewrite of the oom killer's badness() heuristic which is
used to determine which task to kill in oom conditions. The goal is to
make it as simple and predictable as possible so the results are better
understood and we end up killing the task which will lead to the most
memory freeing while still respecting the fine-tuning from userspace.
Instead of basing the heuristic on mm->total_vm for each task, the task's
rss and swap space is used instead. This is a better indication of the
amount of memory that will be freeable if the oom killed task is chosen
and subsequently exits. This helps specifically in cases where KDE or
GNOME is chosen for oom kill on desktop systems instead of a memory
hogging task.
The baseline for the heuristic is a proportion of memory that each task is
currently using in memory plus swap compared to the amount of "allowable"
memory. "Allowable," in this sense, means the system-wide resources for
unconstrained oom conditions, the set of mempolicy nodes, the mems
attached to current's cpuset, or a memory controller's limit. The
proportion is given on a scale of 0 (never kill) to 1000 (always kill),
roughly meaning that if a task has a badness() score of 500 that the task
consumes approximately 50% of allowable memory resident in RAM or in swap
space.
The proportion is always relative to the amount of "allowable" memory and
not the total amount of RAM systemwide so that mempolicies and cpusets may
operate in isolation; they shall not need to know the true size of the
machine on which they are running if they are bound to a specific set of
nodes or mems, respectively.
Root tasks are given 3% extra memory just like __vm_enough_memory()
provides in LSMs. In the event of two tasks consuming similar amounts of
memory, it is generally better to save root's task.
Because of the change in the badness() heuristic's baseline, it is also
necessary to introduce a new user interface to tune it. It's not possible
to redefine the meaning of /proc/pid/oom_adj with a new scale since the
ABI cannot be changed for backward compatability. Instead, a new tunable,
/proc/pid/oom_score_adj, is added that ranges from -1000 to +1000. It may
be used to polarize the heuristic such that certain tasks are never
considered for oom kill while others may always be considered. The value
is added directly into the badness() score so a value of -500, for
example, means to discount 50% of its memory consumption in comparison to
other tasks either on the system, bound to the mempolicy, in the cpuset,
or sharing the same memory controller.
/proc/pid/oom_adj is changed so that its meaning is rescaled into the
units used by /proc/pid/oom_score_adj, and vice versa. Changing one of
these per-task tunables will rescale the value of the other to an
equivalent meaning. Although /proc/pid/oom_adj was originally defined as
a bitshift on the badness score, it now shares the same linear growth as
/proc/pid/oom_score_adj but with different granularity. This is required
so the ABI is not broken with userspace applications and allows oom_adj to
be deprecated for future removal.
Signed-off-by: David Rientjes <rientjes@google.com>
Cc: Nick Piggin <npiggin@suse.de>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Balbir Singh <balbir@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-08-10 04:19:46 +04:00
REG ( " oom_score_adj " , S_IRUGO | S_IWUSR , proc_oom_score_adj_operations ) ,
2006-10-02 13:17:05 +04:00
# ifdef CONFIG_AUDITSYSCALL
2008-11-10 01:32:52 +03:00
REG ( " loginuid " , S_IWUSR | S_IRUGO , proc_loginuid_operations ) ,
REG ( " sessionid " , S_IRUGO , proc_sessionid_operations ) ,
2006-10-02 13:17:05 +04:00
# endif
2006-12-08 13:39:47 +03:00
# ifdef CONFIG_FAULT_INJECTION
2008-11-10 01:32:52 +03:00
REG ( " make-it-fail " , S_IRUGO | S_IWUSR , proc_fault_inject_operations ) ,
2006-12-08 13:39:47 +03:00
# endif
2009-12-16 03:47:37 +03:00
# ifdef CONFIG_ELF_CORE
2008-11-10 01:32:52 +03:00
REG ( " coredump_filter " , S_IRUGO | S_IWUSR , proc_coredump_filter_operations ) ,
2007-07-19 12:48:28 +04:00
# endif
2006-12-10 13:19:48 +03:00
# ifdef CONFIG_TASK_IO_ACCOUNTING
2011-06-24 16:08:38 +04:00
INF ( " io " , S_IRUSR , proc_tgid_io_accounting ) ,
2006-12-10 13:19:48 +03:00
# endif
arch/tile: more /proc and /sys file support
This change introduces a few of the less controversial /proc and
/proc/sys interfaces for tile, along with sysfs attributes for
various things that were originally proposed as /proc/tile files.
It also adjusts the "hardwall" proc API.
Arnd Bergmann reviewed the initial arch/tile submission, which
included a complete set of all the /proc/tile and /proc/sys/tile
knobs that we had added in a somewhat ad hoc way during initial
development, and provided feedback on where most of them should go.
One knob turned out to be similar enough to the existing
/proc/sys/debug/exception-trace that it was re-implemented to use
that model instead.
Another knob was /proc/tile/grid, which reported the "grid" dimensions
of a tile chip (e.g. 8x8 processors = 64-core chip). Arnd suggested
looking at sysfs for that, so this change moves that information
to a pair of sysfs attributes (chip_width and chip_height) in the
/sys/devices/system/cpu directory. We also put the "chip_serial"
and "chip_revision" information from our old /proc/tile/board file
as attributes in /sys/devices/system/cpu.
Other information collected via hypervisor APIs is now placed in
/sys/hypervisor. We create a /sys/hypervisor/type file (holding the
constant string "tilera") to be parallel with the Xen use of
/sys/hypervisor/type holding "xen". We create three top-level files,
"version" (the hypervisor's own version), "config_version" (the
version of the configuration file), and "hvconfig" (the contents of
the configuration file). The remaining information from our old
/proc/tile/board and /proc/tile/switch files becomes an attribute
group appearing under /sys/hypervisor/board/.
Finally, after some feedback from Arnd Bergmann for the previous
version of this patch, the /proc/tile/hardwall file is split up into
two conceptual parts. First, a directory /proc/tile/hardwall/ which
contains one file per active hardwall, each file named after the
hardwall's ID and holding a cpulist that says which cpus are enclosed by
the hardwall. Second, a /proc/PID file "hardwall" that is either
empty (for non-hardwall-using processes) or contains the hardwall ID.
Finally, this change pushes the /proc/sys/tile/unaligned_fixup/
directory, with knobs controlling the kernel code for handling the
fixup of unaligned exceptions.
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
2011-05-26 20:40:09 +04:00
# ifdef CONFIG_HARDWALL
INF ( " hardwall " , S_IRUGO , proc_pid_hardwall ) ,
# endif
2006-10-02 13:17:05 +04:00
} ;
2005-04-17 02:20:36 +04:00
2006-10-02 13:17:05 +04:00
static int proc_tgid_base_readdir ( struct file * filp ,
2005-04-17 02:20:36 +04:00
void * dirent , filldir_t filldir )
{
return proc_pident_readdir ( filp , dirent , filldir ,
2006-10-02 13:17:05 +04:00
tgid_base_stuff , ARRAY_SIZE ( tgid_base_stuff ) ) ;
2005-04-17 02:20:36 +04:00
}
2007-02-12 11:55:34 +03:00
static const struct file_operations proc_tgid_base_operations = {
2005-04-17 02:20:36 +04:00
. read = generic_read_dir ,
2006-10-02 13:17:05 +04:00
. readdir = proc_tgid_base_readdir ,
llseek: automatically add .llseek fop
All file_operations should get a .llseek operation so we can make
nonseekable_open the default for future file operations without a
.llseek pointer.
The three cases that we can automatically detect are no_llseek, seq_lseek
and default_llseek. For cases where we can we can automatically prove that
the file offset is always ignored, we use noop_llseek, which maintains
the current behavior of not returning an error from a seek.
New drivers should normally not use noop_llseek but instead use no_llseek
and call nonseekable_open at open time. Existing drivers can be converted
to do the same when the maintainer knows for certain that no user code
relies on calling seek on the device file.
The generated code is often incorrectly indented and right now contains
comments that clarify for each added line why a specific variant was
chosen. In the version that gets submitted upstream, the comments will
be gone and I will manually fix the indentation, because there does not
seem to be a way to do that using coccinelle.
Some amount of new code is currently sitting in linux-next that should get
the same modifications, which I will do at the end of the merge window.
Many thanks to Julia Lawall for helping me learn to write a semantic
patch that does all this.
===== begin semantic patch =====
// This adds an llseek= method to all file operations,
// as a preparation for making no_llseek the default.
//
// The rules are
// - use no_llseek explicitly if we do nonseekable_open
// - use seq_lseek for sequential files
// - use default_llseek if we know we access f_pos
// - use noop_llseek if we know we don't access f_pos,
// but we still want to allow users to call lseek
//
@ open1 exists @
identifier nested_open;
@@
nested_open(...)
{
<+...
nonseekable_open(...)
...+>
}
@ open exists@
identifier open_f;
identifier i, f;
identifier open1.nested_open;
@@
int open_f(struct inode *i, struct file *f)
{
<+...
(
nonseekable_open(...)
|
nested_open(...)
)
...+>
}
@ read disable optional_qualifier exists @
identifier read_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
expression E;
identifier func;
@@
ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
{
<+...
(
*off = E
|
*off += E
|
func(..., off, ...)
|
E = *off
)
...+>
}
@ read_no_fpos disable optional_qualifier exists @
identifier read_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
@@
ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
{
... when != off
}
@ write @
identifier write_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
expression E;
identifier func;
@@
ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
{
<+...
(
*off = E
|
*off += E
|
func(..., off, ...)
|
E = *off
)
...+>
}
@ write_no_fpos @
identifier write_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
@@
ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
{
... when != off
}
@ fops0 @
identifier fops;
@@
struct file_operations fops = {
...
};
@ has_llseek depends on fops0 @
identifier fops0.fops;
identifier llseek_f;
@@
struct file_operations fops = {
...
.llseek = llseek_f,
...
};
@ has_read depends on fops0 @
identifier fops0.fops;
identifier read_f;
@@
struct file_operations fops = {
...
.read = read_f,
...
};
@ has_write depends on fops0 @
identifier fops0.fops;
identifier write_f;
@@
struct file_operations fops = {
...
.write = write_f,
...
};
@ has_open depends on fops0 @
identifier fops0.fops;
identifier open_f;
@@
struct file_operations fops = {
...
.open = open_f,
...
};
// use no_llseek if we call nonseekable_open
////////////////////////////////////////////
@ nonseekable1 depends on !has_llseek && has_open @
identifier fops0.fops;
identifier nso ~= "nonseekable_open";
@@
struct file_operations fops = {
... .open = nso, ...
+.llseek = no_llseek, /* nonseekable */
};
@ nonseekable2 depends on !has_llseek @
identifier fops0.fops;
identifier open.open_f;
@@
struct file_operations fops = {
... .open = open_f, ...
+.llseek = no_llseek, /* open uses nonseekable */
};
// use seq_lseek for sequential files
/////////////////////////////////////
@ seq depends on !has_llseek @
identifier fops0.fops;
identifier sr ~= "seq_read";
@@
struct file_operations fops = {
... .read = sr, ...
+.llseek = seq_lseek, /* we have seq_read */
};
// use default_llseek if there is a readdir
///////////////////////////////////////////
@ fops1 depends on !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier readdir_e;
@@
// any other fop is used that changes pos
struct file_operations fops = {
... .readdir = readdir_e, ...
+.llseek = default_llseek, /* readdir is present */
};
// use default_llseek if at least one of read/write touches f_pos
/////////////////////////////////////////////////////////////////
@ fops2 depends on !fops1 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read.read_f;
@@
// read fops use offset
struct file_operations fops = {
... .read = read_f, ...
+.llseek = default_llseek, /* read accesses f_pos */
};
@ fops3 depends on !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier write.write_f;
@@
// write fops use offset
struct file_operations fops = {
... .write = write_f, ...
+ .llseek = default_llseek, /* write accesses f_pos */
};
// Use noop_llseek if neither read nor write accesses f_pos
///////////////////////////////////////////////////////////
@ fops4 depends on !fops1 && !fops2 && !fops3 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read_no_fpos.read_f;
identifier write_no_fpos.write_f;
@@
// write fops use offset
struct file_operations fops = {
...
.write = write_f,
.read = read_f,
...
+.llseek = noop_llseek, /* read and write both use no f_pos */
};
@ depends on has_write && !has_read && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier write_no_fpos.write_f;
@@
struct file_operations fops = {
... .write = write_f, ...
+.llseek = noop_llseek, /* write uses no f_pos */
};
@ depends on has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read_no_fpos.read_f;
@@
struct file_operations fops = {
... .read = read_f, ...
+.llseek = noop_llseek, /* read uses no f_pos */
};
@ depends on !has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
@@
struct file_operations fops = {
...
+.llseek = noop_llseek, /* no read or write fn */
};
===== End semantic patch =====
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Cc: Julia Lawall <julia@diku.dk>
Cc: Christoph Hellwig <hch@infradead.org>
2010-08-15 20:52:59 +04:00
. llseek = default_llseek ,
2005-04-17 02:20:36 +04:00
} ;
2006-10-02 13:17:05 +04:00
static struct dentry * proc_tgid_base_lookup ( struct inode * dir , struct dentry * dentry , struct nameidata * nd ) {
2006-10-02 13:18:56 +04:00
return proc_pident_lookup ( dir , dentry ,
tgid_base_stuff , ARRAY_SIZE ( tgid_base_stuff ) ) ;
2005-04-17 02:20:36 +04:00
}
2007-02-12 11:55:40 +03:00
static const struct inode_operations proc_tgid_base_inode_operations = {
2006-10-02 13:17:05 +04:00
. lookup = proc_tgid_base_lookup ,
2006-06-26 11:25:55 +04:00
. getattr = pid_getattr ,
2006-07-15 23:26:45 +04:00
. setattr = proc_setattr ,
procfs: add hidepid= and gid= mount options
Add support for mount options to restrict access to /proc/PID/
directories. The default backward-compatible "relaxed" behaviour is left
untouched.
The first mount option is called "hidepid" and its value defines how much
info about processes we want to be available for non-owners:
hidepid=0 (default) means the old behavior - anybody may read all
world-readable /proc/PID/* files.
hidepid=1 means users may not access any /proc/<pid>/ directories, but
their own. Sensitive files like cmdline, sched*, status are now protected
against other users. As permission checking done in proc_pid_permission()
and files' permissions are left untouched, programs expecting specific
files' modes are not confused.
hidepid=2 means hidepid=1 plus all /proc/PID/ will be invisible to other
users. It doesn't mean that it hides whether a process exists (it can be
learned by other means, e.g. by kill -0 $PID), but it hides process' euid
and egid. It compicates intruder's task of gathering info about running
processes, whether some daemon runs with elevated privileges, whether
another user runs some sensitive program, whether other users run any
program at all, etc.
gid=XXX defines a group that will be able to gather all processes' info
(as in hidepid=0 mode). This group should be used instead of putting
nonroot user in sudoers file or something. However, untrusted users (like
daemons, etc.) which are not supposed to monitor the tasks in the whole
system should not be added to the group.
hidepid=1 or higher is designed to restrict access to procfs files, which
might reveal some sensitive private information like precise keystrokes
timings:
http://www.openwall.com/lists/oss-security/2011/11/05/3
hidepid=1/2 doesn't break monitoring userspace tools. ps, top, pgrep, and
conky gracefully handle EPERM/ENOENT and behave as if the current user is
the only user running processes. pstree shows the process subtree which
contains "pstree" process.
Note: the patch doesn't deal with setuid/setgid issues of keeping
preopened descriptors of procfs files (like
https://lkml.org/lkml/2011/2/7/368). We rely on that the leaked
information like the scheduling counters of setuid apps doesn't threaten
anybody's privacy - only the user started the setuid program may read the
counters.
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Randy Dunlap <rdunlap@xenotime.net>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Greg KH <greg@kroah.com>
Cc: Theodore Tso <tytso@MIT.EDU>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: James Morris <jmorris@namei.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Hugh Dickins <hughd@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-01-11 03:11:31 +04:00
. permission = proc_pid_permission ,
2005-04-17 02:20:36 +04:00
} ;
2007-10-19 10:40:03 +04:00
static void proc_flush_task_mnt ( struct vfsmount * mnt , pid_t pid , pid_t tgid )
2005-04-17 02:20:36 +04:00
{
2006-06-26 11:25:48 +04:00
struct dentry * dentry , * leader , * dir ;
2006-06-26 11:25:54 +04:00
char buf [ PROC_NUMBUF ] ;
2006-06-26 11:25:48 +04:00
struct qstr name ;
name . name = buf ;
2007-10-19 10:40:03 +04:00
name . len = snprintf ( buf , sizeof ( buf ) , " %d " , pid ) ;
dentry = d_hash_and_lookup ( mnt - > mnt_root , & name ) ;
2006-06-26 11:25:48 +04:00
if ( dentry ) {
pidns: fix a leak in /proc dentries and inodes with pid namespaces.
Daniel Lezcano reported a leak in 'struct pid' and 'struct pid_namespace'
that is discussed in:
http://lkml.org/lkml/2009/10/2/159.
To summarize the thread, when container-init is terminated, it sets the
PF_EXITING flag, zaps other processes in the container and waits to reap
them. As a part of reaping, the container-init should flush any /proc
dentries associated with the processes. But because the container-init is
itself exiting and the following PF_EXITING check, the dentries are not
flushed, resulting in leak in /proc inodes and dentries.
This fix reverts the commit 7766755a2f249e7e0 ("Fix /proc dcache deadlock
in do_exit") which introduced the check for PF_EXITING. At the time of
the commit, shrink_dcache_parent() flushed dentries from other filesystems
also and could have caused a deadlock which the commit fixed. But as
pointed out by Eric Biederman, after commit 0feae5c47aabdde59,
shrink_dcache_parent() no longer affects other filesystems. So reverting
the commit is now safe.
As pointed out by Jan Kara, the leak is not as critical since the
unclaimed space will be reclaimed under memory pressure or by:
echo 3 > /proc/sys/vm/drop_caches
But since this check is no longer required, its best to remove it.
Signed-off-by: Sukadev Bhattiprolu <sukadev@us.ibm.com>
Reported-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Acked-by: Jan Kara <jack@ucw.cz>
Cc: Andrea Arcangeli <andrea@cpushare.com>
Cc: Serge Hallyn <serue@us.ibm.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-11-12 01:26:32 +03:00
shrink_dcache_parent ( dentry ) ;
2006-06-26 11:25:48 +04:00
d_drop ( dentry ) ;
dput ( dentry ) ;
}
2005-04-17 02:20:36 +04:00
2006-06-26 11:25:48 +04:00
name . name = buf ;
2007-10-19 10:40:03 +04:00
name . len = snprintf ( buf , sizeof ( buf ) , " %d " , tgid ) ;
leader = d_hash_and_lookup ( mnt - > mnt_root , & name ) ;
2006-06-26 11:25:48 +04:00
if ( ! leader )
goto out ;
2005-04-17 02:20:36 +04:00
2006-06-26 11:25:48 +04:00
name . name = " task " ;
name . len = strlen ( name . name ) ;
dir = d_hash_and_lookup ( leader , & name ) ;
if ( ! dir )
goto out_put_leader ;
name . name = buf ;
2007-10-19 10:40:03 +04:00
name . len = snprintf ( buf , sizeof ( buf ) , " %d " , pid ) ;
2006-06-26 11:25:48 +04:00
dentry = d_hash_and_lookup ( dir , & name ) ;
if ( dentry ) {
shrink_dcache_parent ( dentry ) ;
d_drop ( dentry ) ;
dput ( dentry ) ;
2005-04-17 02:20:36 +04:00
}
2006-06-26 11:25:48 +04:00
dput ( dir ) ;
out_put_leader :
dput ( leader ) ;
out :
return ;
2005-04-17 02:20:36 +04:00
}
2007-10-22 08:00:10 +04:00
/**
* proc_flush_task - Remove dcache entries for @ task from the / proc dcache .
* @ task : task that should be flushed .
*
* When flushing dentries from proc , one needs to flush them from global
2007-10-19 10:40:03 +04:00
* proc ( proc_mnt ) and from all the namespaces ' procs this task was seen
2007-10-22 08:00:10 +04:00
* in . This call is supposed to do all of this job .
*
* Looks in the dcache for
* / proc / @ pid
* / proc / @ tgid / task / @ pid
* if either directory is present flushes it and all of it ' ts children
* from the dcache .
*
* It is safe and reasonable to cache / proc entries for a task until
* that task exits . After that they just clog up the dcache with
* useless entries , possibly causing useful dcache entries to be
* flushed instead . This routine is proved to flush those useless
* dcache entries at process exit time .
*
* NOTE : This routine is just an optimization so it does not guarantee
* that no dcache entries will exist at process exit time it
* just makes it very unlikely that any will persist .
2007-10-19 10:40:03 +04:00
*/
void proc_flush_task ( struct task_struct * task )
{
2007-11-15 04:00:07 +03:00
int i ;
proc_flush_task: flush /proc/tid/task/pid when a sub-thread exits
The exiting sub-thread flushes /proc/pid only, but this doesn't buy too
much: ps and friends mostly use /proc/tid/task/pid.
Remove "if (thread_group_leader())" checks from proc_flush_task() path,
this means we always remove /proc/tid/task/pid dentry on exit, and this
actually matches the comment above proc_flush_task().
The test-case:
static void* tfunc(void *arg)
{
char name[256];
sprintf(name, "/proc/%d/task/%ld/status", getpid(), gettid());
close(open(name, O_RDONLY));
return NULL;
}
int main(void)
{
pthread_t t;
for (;;) {
if (!pthread_create(&t, NULL, &tfunc, NULL))
pthread_join(t, NULL);
}
}
slabtop shows that pid/proc_inode_cache/etc grow quickly and
"indefinitely" until the task is killed or shrink_slab() is called, not
good. And the main thread needs a lot of time to exit.
The same can happen if something like "ps -efL" runs continuously, while
some application spawns short-living threads.
Reported-by: "James M. Leddy" <jleddy@redhat.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Dominic Duval <dduval@redhat.com>
Cc: Frank Hirtz <fhirtz@redhat.com>
Cc: "Fuller, Johnray" <Johnray.Fuller@gs.com>
Cc: Larry Woodman <lwoodman@redhat.com>
Cc: Paul Batkowski <pbatkowski@redhat.com>
Cc: Roland McGrath <roland@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-09-23 03:45:34 +04:00
struct pid * pid , * tgid ;
2007-10-19 10:40:11 +04:00
struct upid * upid ;
pid = task_pid ( task ) ;
proc_flush_task: flush /proc/tid/task/pid when a sub-thread exits
The exiting sub-thread flushes /proc/pid only, but this doesn't buy too
much: ps and friends mostly use /proc/tid/task/pid.
Remove "if (thread_group_leader())" checks from proc_flush_task() path,
this means we always remove /proc/tid/task/pid dentry on exit, and this
actually matches the comment above proc_flush_task().
The test-case:
static void* tfunc(void *arg)
{
char name[256];
sprintf(name, "/proc/%d/task/%ld/status", getpid(), gettid());
close(open(name, O_RDONLY));
return NULL;
}
int main(void)
{
pthread_t t;
for (;;) {
if (!pthread_create(&t, NULL, &tfunc, NULL))
pthread_join(t, NULL);
}
}
slabtop shows that pid/proc_inode_cache/etc grow quickly and
"indefinitely" until the task is killed or shrink_slab() is called, not
good. And the main thread needs a lot of time to exit.
The same can happen if something like "ps -efL" runs continuously, while
some application spawns short-living threads.
Reported-by: "James M. Leddy" <jleddy@redhat.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Dominic Duval <dduval@redhat.com>
Cc: Frank Hirtz <fhirtz@redhat.com>
Cc: "Fuller, Johnray" <Johnray.Fuller@gs.com>
Cc: Larry Woodman <lwoodman@redhat.com>
Cc: Paul Batkowski <pbatkowski@redhat.com>
Cc: Roland McGrath <roland@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-09-23 03:45:34 +04:00
tgid = task_tgid ( task ) ;
2007-10-19 10:40:11 +04:00
2007-11-15 04:00:07 +03:00
for ( i = 0 ; i < = pid - > level ; i + + ) {
2007-10-19 10:40:11 +04:00
upid = & pid - > numbers [ i ] ;
proc_flush_task_mnt ( upid - > ns - > proc_mnt , upid - > nr ,
proc_flush_task: flush /proc/tid/task/pid when a sub-thread exits
The exiting sub-thread flushes /proc/pid only, but this doesn't buy too
much: ps and friends mostly use /proc/tid/task/pid.
Remove "if (thread_group_leader())" checks from proc_flush_task() path,
this means we always remove /proc/tid/task/pid dentry on exit, and this
actually matches the comment above proc_flush_task().
The test-case:
static void* tfunc(void *arg)
{
char name[256];
sprintf(name, "/proc/%d/task/%ld/status", getpid(), gettid());
close(open(name, O_RDONLY));
return NULL;
}
int main(void)
{
pthread_t t;
for (;;) {
if (!pthread_create(&t, NULL, &tfunc, NULL))
pthread_join(t, NULL);
}
}
slabtop shows that pid/proc_inode_cache/etc grow quickly and
"indefinitely" until the task is killed or shrink_slab() is called, not
good. And the main thread needs a lot of time to exit.
The same can happen if something like "ps -efL" runs continuously, while
some application spawns short-living threads.
Reported-by: "James M. Leddy" <jleddy@redhat.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Dominic Duval <dduval@redhat.com>
Cc: Frank Hirtz <fhirtz@redhat.com>
Cc: "Fuller, Johnray" <Johnray.Fuller@gs.com>
Cc: Larry Woodman <lwoodman@redhat.com>
Cc: Paul Batkowski <pbatkowski@redhat.com>
Cc: Roland McGrath <roland@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-09-23 03:45:34 +04:00
tgid - > numbers [ i ] . nr ) ;
2007-10-19 10:40:11 +04:00
}
2007-10-19 10:40:11 +04:00
upid = & pid - > numbers [ pid - > level ] ;
if ( upid - > nr = = 1 )
pid_ns_release_proc ( upid - > ns ) ;
2007-10-19 10:40:03 +04:00
}
2006-12-07 07:38:31 +03:00
static struct dentry * proc_pid_instantiate ( struct inode * dir ,
struct dentry * dentry ,
2007-05-08 11:26:15 +04:00
struct task_struct * task , const void * ptr )
2006-10-02 13:18:49 +04:00
{
struct dentry * error = ERR_PTR ( - ENOENT ) ;
struct inode * inode ;
2006-10-02 13:18:49 +04:00
inode = proc_pid_make_inode ( dir - > i_sb , task ) ;
2006-10-02 13:18:49 +04:00
if ( ! inode )
goto out ;
inode - > i_mode = S_IFDIR | S_IRUGO | S_IXUGO ;
inode - > i_op = & proc_tgid_base_inode_operations ;
inode - > i_fop = & proc_tgid_base_operations ;
inode - > i_flags | = S_IMMUTABLE ;
2008-06-06 09:46:53 +04:00
2011-10-28 16:13:29 +04:00
set_nlink ( inode , 2 + pid_entry_count_dirs ( tgid_base_stuff ,
ARRAY_SIZE ( tgid_base_stuff ) ) ) ;
2006-10-02 13:18:49 +04:00
2011-01-07 09:49:55 +03:00
d_set_d_op ( dentry , & pid_dentry_operations ) ;
2006-10-02 13:18:49 +04:00
d_add ( dentry , inode ) ;
/* Close the race of the process dying before we return the dentry */
if ( pid_revalidate ( dentry , NULL ) )
error = NULL ;
out :
return error ;
}
2005-04-17 02:20:36 +04:00
struct dentry * proc_pid_lookup ( struct inode * dir , struct dentry * dentry , struct nameidata * nd )
{
2010-05-27 01:43:25 +04:00
struct dentry * result ;
2005-04-17 02:20:36 +04:00
struct task_struct * task ;
unsigned tgid ;
2007-10-19 10:40:14 +04:00
struct pid_namespace * ns ;
2005-04-17 02:20:36 +04:00
2006-10-02 13:18:48 +04:00
result = proc_base_lookup ( dir , dentry ) ;
if ( ! IS_ERR ( result ) | | PTR_ERR ( result ) ! = - ENOENT )
goto out ;
2005-04-17 02:20:36 +04:00
tgid = name_to_int ( dentry ) ;
if ( tgid = = ~ 0U )
goto out ;
2007-10-19 10:40:14 +04:00
ns = dentry - > d_sb - > s_fs_info ;
2006-06-26 11:25:51 +04:00
rcu_read_lock ( ) ;
2007-10-19 10:40:14 +04:00
task = find_task_by_pid_ns ( tgid , ns ) ;
2005-04-17 02:20:36 +04:00
if ( task )
get_task_struct ( task ) ;
2006-06-26 11:25:51 +04:00
rcu_read_unlock ( ) ;
2005-04-17 02:20:36 +04:00
if ( ! task )
goto out ;
2006-10-02 13:18:49 +04:00
result = proc_pid_instantiate ( dir , dentry , task , NULL ) ;
2005-04-17 02:20:36 +04:00
put_task_struct ( task ) ;
out :
2006-06-26 11:25:49 +04:00
return result ;
2005-04-17 02:20:36 +04:00
}
/*
[PATCH] proc: readdir race fix (take 3)
The problem: An opendir, readdir, closedir sequence can fail to report
process ids that are continually in use throughout the sequence of system
calls. For this race to trigger the process that proc_pid_readdir stops at
must exit before readdir is called again.
This can cause ps to fail to report processes, and it is in violation of
posix guarantees and normal application expectations with respect to
readdir.
Currently there is no way to work around this problem in user space short
of providing a gargantuan buffer to user space so the directory read all
happens in on system call.
This patch implements the normal directory semantics for proc, that
guarantee that a directory entry that is neither created nor destroyed
while reading the directory entry will be returned. For directory that are
either created or destroyed during the readdir you may or may not see them.
Furthermore you may seek to a directory offset you have previously seen.
These are the guarantee that ext[23] provides and that posix requires, and
more importantly that user space expects. Plus it is a simple semantic to
implement reliable service. It is just a matter of calling readdir a
second time if you are wondering if something new has show up.
These better semantics are implemented by scanning through the pids in
numerical order and by making the file offset a pid plus a fixed offset.
The pid scan happens on the pid bitmap, which when you look at it is
remarkably efficient for a brute force algorithm. Given that a typical
cache line is 64 bytes and thus covers space for 64*8 == 200 pids. There
are only 40 cache lines for the entire 32K pid space. A typical system
will have 100 pids or more so this is actually fewer cache lines we have to
look at to scan a linked list, and the worst case of having to scan the
entire pid bitmap is pretty reasonable.
If we need something more efficient we can go to a more efficient data
structure for indexing the pids, but for now what we have should be
sufficient.
In addition this takes no additional locks and is actually less code than
what we are doing now.
Also another very subtle bug in this area has been fixed. It is possible
to catch a task in the middle of de_thread where a thread is assuming the
thread of it's thread group leader. This patch carefully handles that case
so if we hit it we don't fail to return the pid, that is undergoing the
de_thread dance.
Thanks to KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> for
providing the first fix, pointing this out and working on it.
[oleg@tv-sign.ru: fix it]
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Jean Delvare <jdelvare@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-10-02 13:17:04 +04:00
* Find the first task with tgid > = tgid
2006-06-26 11:25:50 +04:00
*
2005-04-17 02:20:36 +04:00
*/
2007-11-29 03:21:26 +03:00
struct tgid_iter {
unsigned int tgid ;
[PATCH] proc: readdir race fix (take 3)
The problem: An opendir, readdir, closedir sequence can fail to report
process ids that are continually in use throughout the sequence of system
calls. For this race to trigger the process that proc_pid_readdir stops at
must exit before readdir is called again.
This can cause ps to fail to report processes, and it is in violation of
posix guarantees and normal application expectations with respect to
readdir.
Currently there is no way to work around this problem in user space short
of providing a gargantuan buffer to user space so the directory read all
happens in on system call.
This patch implements the normal directory semantics for proc, that
guarantee that a directory entry that is neither created nor destroyed
while reading the directory entry will be returned. For directory that are
either created or destroyed during the readdir you may or may not see them.
Furthermore you may seek to a directory offset you have previously seen.
These are the guarantee that ext[23] provides and that posix requires, and
more importantly that user space expects. Plus it is a simple semantic to
implement reliable service. It is just a matter of calling readdir a
second time if you are wondering if something new has show up.
These better semantics are implemented by scanning through the pids in
numerical order and by making the file offset a pid plus a fixed offset.
The pid scan happens on the pid bitmap, which when you look at it is
remarkably efficient for a brute force algorithm. Given that a typical
cache line is 64 bytes and thus covers space for 64*8 == 200 pids. There
are only 40 cache lines for the entire 32K pid space. A typical system
will have 100 pids or more so this is actually fewer cache lines we have to
look at to scan a linked list, and the worst case of having to scan the
entire pid bitmap is pretty reasonable.
If we need something more efficient we can go to a more efficient data
structure for indexing the pids, but for now what we have should be
sufficient.
In addition this takes no additional locks and is actually less code than
what we are doing now.
Also another very subtle bug in this area has been fixed. It is possible
to catch a task in the middle of de_thread where a thread is assuming the
thread of it's thread group leader. This patch carefully handles that case
so if we hit it we don't fail to return the pid, that is undergoing the
de_thread dance.
Thanks to KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> for
providing the first fix, pointing this out and working on it.
[oleg@tv-sign.ru: fix it]
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Jean Delvare <jdelvare@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-10-02 13:17:04 +04:00
struct task_struct * task ;
2007-11-29 03:21:26 +03:00
} ;
static struct tgid_iter next_tgid ( struct pid_namespace * ns , struct tgid_iter iter )
{
[PATCH] proc: readdir race fix (take 3)
The problem: An opendir, readdir, closedir sequence can fail to report
process ids that are continually in use throughout the sequence of system
calls. For this race to trigger the process that proc_pid_readdir stops at
must exit before readdir is called again.
This can cause ps to fail to report processes, and it is in violation of
posix guarantees and normal application expectations with respect to
readdir.
Currently there is no way to work around this problem in user space short
of providing a gargantuan buffer to user space so the directory read all
happens in on system call.
This patch implements the normal directory semantics for proc, that
guarantee that a directory entry that is neither created nor destroyed
while reading the directory entry will be returned. For directory that are
either created or destroyed during the readdir you may or may not see them.
Furthermore you may seek to a directory offset you have previously seen.
These are the guarantee that ext[23] provides and that posix requires, and
more importantly that user space expects. Plus it is a simple semantic to
implement reliable service. It is just a matter of calling readdir a
second time if you are wondering if something new has show up.
These better semantics are implemented by scanning through the pids in
numerical order and by making the file offset a pid plus a fixed offset.
The pid scan happens on the pid bitmap, which when you look at it is
remarkably efficient for a brute force algorithm. Given that a typical
cache line is 64 bytes and thus covers space for 64*8 == 200 pids. There
are only 40 cache lines for the entire 32K pid space. A typical system
will have 100 pids or more so this is actually fewer cache lines we have to
look at to scan a linked list, and the worst case of having to scan the
entire pid bitmap is pretty reasonable.
If we need something more efficient we can go to a more efficient data
structure for indexing the pids, but for now what we have should be
sufficient.
In addition this takes no additional locks and is actually less code than
what we are doing now.
Also another very subtle bug in this area has been fixed. It is possible
to catch a task in the middle of de_thread where a thread is assuming the
thread of it's thread group leader. This patch carefully handles that case
so if we hit it we don't fail to return the pid, that is undergoing the
de_thread dance.
Thanks to KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> for
providing the first fix, pointing this out and working on it.
[oleg@tv-sign.ru: fix it]
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Jean Delvare <jdelvare@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-10-02 13:17:04 +04:00
struct pid * pid ;
2005-04-17 02:20:36 +04:00
2007-11-29 03:21:26 +03:00
if ( iter . task )
put_task_struct ( iter . task ) ;
2006-06-26 11:25:51 +04:00
rcu_read_lock ( ) ;
[PATCH] proc: readdir race fix (take 3)
The problem: An opendir, readdir, closedir sequence can fail to report
process ids that are continually in use throughout the sequence of system
calls. For this race to trigger the process that proc_pid_readdir stops at
must exit before readdir is called again.
This can cause ps to fail to report processes, and it is in violation of
posix guarantees and normal application expectations with respect to
readdir.
Currently there is no way to work around this problem in user space short
of providing a gargantuan buffer to user space so the directory read all
happens in on system call.
This patch implements the normal directory semantics for proc, that
guarantee that a directory entry that is neither created nor destroyed
while reading the directory entry will be returned. For directory that are
either created or destroyed during the readdir you may or may not see them.
Furthermore you may seek to a directory offset you have previously seen.
These are the guarantee that ext[23] provides and that posix requires, and
more importantly that user space expects. Plus it is a simple semantic to
implement reliable service. It is just a matter of calling readdir a
second time if you are wondering if something new has show up.
These better semantics are implemented by scanning through the pids in
numerical order and by making the file offset a pid plus a fixed offset.
The pid scan happens on the pid bitmap, which when you look at it is
remarkably efficient for a brute force algorithm. Given that a typical
cache line is 64 bytes and thus covers space for 64*8 == 200 pids. There
are only 40 cache lines for the entire 32K pid space. A typical system
will have 100 pids or more so this is actually fewer cache lines we have to
look at to scan a linked list, and the worst case of having to scan the
entire pid bitmap is pretty reasonable.
If we need something more efficient we can go to a more efficient data
structure for indexing the pids, but for now what we have should be
sufficient.
In addition this takes no additional locks and is actually less code than
what we are doing now.
Also another very subtle bug in this area has been fixed. It is possible
to catch a task in the middle of de_thread where a thread is assuming the
thread of it's thread group leader. This patch carefully handles that case
so if we hit it we don't fail to return the pid, that is undergoing the
de_thread dance.
Thanks to KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> for
providing the first fix, pointing this out and working on it.
[oleg@tv-sign.ru: fix it]
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Jean Delvare <jdelvare@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-10-02 13:17:04 +04:00
retry :
2007-11-29 03:21:26 +03:00
iter . task = NULL ;
pid = find_ge_pid ( iter . tgid , ns ) ;
[PATCH] proc: readdir race fix (take 3)
The problem: An opendir, readdir, closedir sequence can fail to report
process ids that are continually in use throughout the sequence of system
calls. For this race to trigger the process that proc_pid_readdir stops at
must exit before readdir is called again.
This can cause ps to fail to report processes, and it is in violation of
posix guarantees and normal application expectations with respect to
readdir.
Currently there is no way to work around this problem in user space short
of providing a gargantuan buffer to user space so the directory read all
happens in on system call.
This patch implements the normal directory semantics for proc, that
guarantee that a directory entry that is neither created nor destroyed
while reading the directory entry will be returned. For directory that are
either created or destroyed during the readdir you may or may not see them.
Furthermore you may seek to a directory offset you have previously seen.
These are the guarantee that ext[23] provides and that posix requires, and
more importantly that user space expects. Plus it is a simple semantic to
implement reliable service. It is just a matter of calling readdir a
second time if you are wondering if something new has show up.
These better semantics are implemented by scanning through the pids in
numerical order and by making the file offset a pid plus a fixed offset.
The pid scan happens on the pid bitmap, which when you look at it is
remarkably efficient for a brute force algorithm. Given that a typical
cache line is 64 bytes and thus covers space for 64*8 == 200 pids. There
are only 40 cache lines for the entire 32K pid space. A typical system
will have 100 pids or more so this is actually fewer cache lines we have to
look at to scan a linked list, and the worst case of having to scan the
entire pid bitmap is pretty reasonable.
If we need something more efficient we can go to a more efficient data
structure for indexing the pids, but for now what we have should be
sufficient.
In addition this takes no additional locks and is actually less code than
what we are doing now.
Also another very subtle bug in this area has been fixed. It is possible
to catch a task in the middle of de_thread where a thread is assuming the
thread of it's thread group leader. This patch carefully handles that case
so if we hit it we don't fail to return the pid, that is undergoing the
de_thread dance.
Thanks to KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> for
providing the first fix, pointing this out and working on it.
[oleg@tv-sign.ru: fix it]
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Jean Delvare <jdelvare@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-10-02 13:17:04 +04:00
if ( pid ) {
2007-11-29 03:21:26 +03:00
iter . tgid = pid_nr_ns ( pid , ns ) ;
iter . task = pid_task ( pid , PIDTYPE_PID ) ;
[PATCH] proc: readdir race fix (take 3)
The problem: An opendir, readdir, closedir sequence can fail to report
process ids that are continually in use throughout the sequence of system
calls. For this race to trigger the process that proc_pid_readdir stops at
must exit before readdir is called again.
This can cause ps to fail to report processes, and it is in violation of
posix guarantees and normal application expectations with respect to
readdir.
Currently there is no way to work around this problem in user space short
of providing a gargantuan buffer to user space so the directory read all
happens in on system call.
This patch implements the normal directory semantics for proc, that
guarantee that a directory entry that is neither created nor destroyed
while reading the directory entry will be returned. For directory that are
either created or destroyed during the readdir you may or may not see them.
Furthermore you may seek to a directory offset you have previously seen.
These are the guarantee that ext[23] provides and that posix requires, and
more importantly that user space expects. Plus it is a simple semantic to
implement reliable service. It is just a matter of calling readdir a
second time if you are wondering if something new has show up.
These better semantics are implemented by scanning through the pids in
numerical order and by making the file offset a pid plus a fixed offset.
The pid scan happens on the pid bitmap, which when you look at it is
remarkably efficient for a brute force algorithm. Given that a typical
cache line is 64 bytes and thus covers space for 64*8 == 200 pids. There
are only 40 cache lines for the entire 32K pid space. A typical system
will have 100 pids or more so this is actually fewer cache lines we have to
look at to scan a linked list, and the worst case of having to scan the
entire pid bitmap is pretty reasonable.
If we need something more efficient we can go to a more efficient data
structure for indexing the pids, but for now what we have should be
sufficient.
In addition this takes no additional locks and is actually less code than
what we are doing now.
Also another very subtle bug in this area has been fixed. It is possible
to catch a task in the middle of de_thread where a thread is assuming the
thread of it's thread group leader. This patch carefully handles that case
so if we hit it we don't fail to return the pid, that is undergoing the
de_thread dance.
Thanks to KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> for
providing the first fix, pointing this out and working on it.
[oleg@tv-sign.ru: fix it]
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Jean Delvare <jdelvare@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-10-02 13:17:04 +04:00
/* What we to know is if the pid we have find is the
* pid of a thread_group_leader . Testing for task
* being a thread_group_leader is the obvious thing
* todo but there is a window when it fails , due to
* the pid transfer logic in de_thread .
*
* So we perform the straight forward test of seeing
* if the pid we have found is the pid of a thread
* group leader , and don ' t worry if the task we have
* found doesn ' t happen to be a thread group leader .
* As we don ' t care in the case of readdir .
*/
2007-11-29 03:21:26 +03:00
if ( ! iter . task | | ! has_group_leader_pid ( iter . task ) ) {
iter . tgid + = 1 ;
[PATCH] proc: readdir race fix (take 3)
The problem: An opendir, readdir, closedir sequence can fail to report
process ids that are continually in use throughout the sequence of system
calls. For this race to trigger the process that proc_pid_readdir stops at
must exit before readdir is called again.
This can cause ps to fail to report processes, and it is in violation of
posix guarantees and normal application expectations with respect to
readdir.
Currently there is no way to work around this problem in user space short
of providing a gargantuan buffer to user space so the directory read all
happens in on system call.
This patch implements the normal directory semantics for proc, that
guarantee that a directory entry that is neither created nor destroyed
while reading the directory entry will be returned. For directory that are
either created or destroyed during the readdir you may or may not see them.
Furthermore you may seek to a directory offset you have previously seen.
These are the guarantee that ext[23] provides and that posix requires, and
more importantly that user space expects. Plus it is a simple semantic to
implement reliable service. It is just a matter of calling readdir a
second time if you are wondering if something new has show up.
These better semantics are implemented by scanning through the pids in
numerical order and by making the file offset a pid plus a fixed offset.
The pid scan happens on the pid bitmap, which when you look at it is
remarkably efficient for a brute force algorithm. Given that a typical
cache line is 64 bytes and thus covers space for 64*8 == 200 pids. There
are only 40 cache lines for the entire 32K pid space. A typical system
will have 100 pids or more so this is actually fewer cache lines we have to
look at to scan a linked list, and the worst case of having to scan the
entire pid bitmap is pretty reasonable.
If we need something more efficient we can go to a more efficient data
structure for indexing the pids, but for now what we have should be
sufficient.
In addition this takes no additional locks and is actually less code than
what we are doing now.
Also another very subtle bug in this area has been fixed. It is possible
to catch a task in the middle of de_thread where a thread is assuming the
thread of it's thread group leader. This patch carefully handles that case
so if we hit it we don't fail to return the pid, that is undergoing the
de_thread dance.
Thanks to KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> for
providing the first fix, pointing this out and working on it.
[oleg@tv-sign.ru: fix it]
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Jean Delvare <jdelvare@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-10-02 13:17:04 +04:00
goto retry ;
2007-11-29 03:21:26 +03:00
}
get_task_struct ( iter . task ) ;
2006-06-26 11:25:50 +04:00
}
2006-06-26 11:25:51 +04:00
rcu_read_unlock ( ) ;
2007-11-29 03:21:26 +03:00
return iter ;
2005-04-17 02:20:36 +04:00
}
2006-10-02 13:18:56 +04:00
# define TGID_OFFSET (FIRST_PROCESS_ENTRY + ARRAY_SIZE(proc_base_stuff))
[PATCH] proc: readdir race fix (take 3)
The problem: An opendir, readdir, closedir sequence can fail to report
process ids that are continually in use throughout the sequence of system
calls. For this race to trigger the process that proc_pid_readdir stops at
must exit before readdir is called again.
This can cause ps to fail to report processes, and it is in violation of
posix guarantees and normal application expectations with respect to
readdir.
Currently there is no way to work around this problem in user space short
of providing a gargantuan buffer to user space so the directory read all
happens in on system call.
This patch implements the normal directory semantics for proc, that
guarantee that a directory entry that is neither created nor destroyed
while reading the directory entry will be returned. For directory that are
either created or destroyed during the readdir you may or may not see them.
Furthermore you may seek to a directory offset you have previously seen.
These are the guarantee that ext[23] provides and that posix requires, and
more importantly that user space expects. Plus it is a simple semantic to
implement reliable service. It is just a matter of calling readdir a
second time if you are wondering if something new has show up.
These better semantics are implemented by scanning through the pids in
numerical order and by making the file offset a pid plus a fixed offset.
The pid scan happens on the pid bitmap, which when you look at it is
remarkably efficient for a brute force algorithm. Given that a typical
cache line is 64 bytes and thus covers space for 64*8 == 200 pids. There
are only 40 cache lines for the entire 32K pid space. A typical system
will have 100 pids or more so this is actually fewer cache lines we have to
look at to scan a linked list, and the worst case of having to scan the
entire pid bitmap is pretty reasonable.
If we need something more efficient we can go to a more efficient data
structure for indexing the pids, but for now what we have should be
sufficient.
In addition this takes no additional locks and is actually less code than
what we are doing now.
Also another very subtle bug in this area has been fixed. It is possible
to catch a task in the middle of de_thread where a thread is assuming the
thread of it's thread group leader. This patch carefully handles that case
so if we hit it we don't fail to return the pid, that is undergoing the
de_thread dance.
Thanks to KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> for
providing the first fix, pointing this out and working on it.
[oleg@tv-sign.ru: fix it]
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Jean Delvare <jdelvare@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-10-02 13:17:04 +04:00
2006-10-02 13:18:49 +04:00
static int proc_pid_fill_cache ( struct file * filp , void * dirent , filldir_t filldir ,
2007-11-29 03:21:26 +03:00
struct tgid_iter iter )
2006-10-02 13:18:49 +04:00
{
char name [ PROC_NUMBUF ] ;
2007-11-29 03:21:26 +03:00
int len = snprintf ( name , sizeof ( name ) , " %d " , iter . tgid ) ;
2006-10-02 13:18:49 +04:00
return proc_fill_cache ( filp , dirent , filldir , name , len ,
2007-11-29 03:21:26 +03:00
proc_pid_instantiate , iter . task , NULL ) ;
2006-10-02 13:18:49 +04:00
}
procfs: add hidepid= and gid= mount options
Add support for mount options to restrict access to /proc/PID/
directories. The default backward-compatible "relaxed" behaviour is left
untouched.
The first mount option is called "hidepid" and its value defines how much
info about processes we want to be available for non-owners:
hidepid=0 (default) means the old behavior - anybody may read all
world-readable /proc/PID/* files.
hidepid=1 means users may not access any /proc/<pid>/ directories, but
their own. Sensitive files like cmdline, sched*, status are now protected
against other users. As permission checking done in proc_pid_permission()
and files' permissions are left untouched, programs expecting specific
files' modes are not confused.
hidepid=2 means hidepid=1 plus all /proc/PID/ will be invisible to other
users. It doesn't mean that it hides whether a process exists (it can be
learned by other means, e.g. by kill -0 $PID), but it hides process' euid
and egid. It compicates intruder's task of gathering info about running
processes, whether some daemon runs with elevated privileges, whether
another user runs some sensitive program, whether other users run any
program at all, etc.
gid=XXX defines a group that will be able to gather all processes' info
(as in hidepid=0 mode). This group should be used instead of putting
nonroot user in sudoers file or something. However, untrusted users (like
daemons, etc.) which are not supposed to monitor the tasks in the whole
system should not be added to the group.
hidepid=1 or higher is designed to restrict access to procfs files, which
might reveal some sensitive private information like precise keystrokes
timings:
http://www.openwall.com/lists/oss-security/2011/11/05/3
hidepid=1/2 doesn't break monitoring userspace tools. ps, top, pgrep, and
conky gracefully handle EPERM/ENOENT and behave as if the current user is
the only user running processes. pstree shows the process subtree which
contains "pstree" process.
Note: the patch doesn't deal with setuid/setgid issues of keeping
preopened descriptors of procfs files (like
https://lkml.org/lkml/2011/2/7/368). We rely on that the leaked
information like the scheduling counters of setuid apps doesn't threaten
anybody's privacy - only the user started the setuid program may read the
counters.
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Randy Dunlap <rdunlap@xenotime.net>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Greg KH <greg@kroah.com>
Cc: Theodore Tso <tytso@MIT.EDU>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: James Morris <jmorris@namei.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Hugh Dickins <hughd@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-01-11 03:11:31 +04:00
static int fake_filldir ( void * buf , const char * name , int namelen ,
loff_t offset , u64 ino , unsigned d_type )
{
return 0 ;
}
2005-04-17 02:20:36 +04:00
/* for the /proc/ directory itself, after non-process stuff has been done */
int proc_pid_readdir ( struct file * filp , void * dirent , filldir_t filldir )
{
2011-04-18 21:36:54 +04:00
unsigned int nr ;
struct task_struct * reaper ;
2007-11-29 03:21:26 +03:00
struct tgid_iter iter ;
2007-10-19 10:40:14 +04:00
struct pid_namespace * ns ;
procfs: add hidepid= and gid= mount options
Add support for mount options to restrict access to /proc/PID/
directories. The default backward-compatible "relaxed" behaviour is left
untouched.
The first mount option is called "hidepid" and its value defines how much
info about processes we want to be available for non-owners:
hidepid=0 (default) means the old behavior - anybody may read all
world-readable /proc/PID/* files.
hidepid=1 means users may not access any /proc/<pid>/ directories, but
their own. Sensitive files like cmdline, sched*, status are now protected
against other users. As permission checking done in proc_pid_permission()
and files' permissions are left untouched, programs expecting specific
files' modes are not confused.
hidepid=2 means hidepid=1 plus all /proc/PID/ will be invisible to other
users. It doesn't mean that it hides whether a process exists (it can be
learned by other means, e.g. by kill -0 $PID), but it hides process' euid
and egid. It compicates intruder's task of gathering info about running
processes, whether some daemon runs with elevated privileges, whether
another user runs some sensitive program, whether other users run any
program at all, etc.
gid=XXX defines a group that will be able to gather all processes' info
(as in hidepid=0 mode). This group should be used instead of putting
nonroot user in sudoers file or something. However, untrusted users (like
daemons, etc.) which are not supposed to monitor the tasks in the whole
system should not be added to the group.
hidepid=1 or higher is designed to restrict access to procfs files, which
might reveal some sensitive private information like precise keystrokes
timings:
http://www.openwall.com/lists/oss-security/2011/11/05/3
hidepid=1/2 doesn't break monitoring userspace tools. ps, top, pgrep, and
conky gracefully handle EPERM/ENOENT and behave as if the current user is
the only user running processes. pstree shows the process subtree which
contains "pstree" process.
Note: the patch doesn't deal with setuid/setgid issues of keeping
preopened descriptors of procfs files (like
https://lkml.org/lkml/2011/2/7/368). We rely on that the leaked
information like the scheduling counters of setuid apps doesn't threaten
anybody's privacy - only the user started the setuid program may read the
counters.
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Randy Dunlap <rdunlap@xenotime.net>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Greg KH <greg@kroah.com>
Cc: Theodore Tso <tytso@MIT.EDU>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: James Morris <jmorris@namei.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Hugh Dickins <hughd@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-01-11 03:11:31 +04:00
filldir_t __filldir ;
2005-04-17 02:20:36 +04:00
2011-04-18 21:36:54 +04:00
if ( filp - > f_pos > = PID_MAX_LIMIT + TGID_OFFSET )
goto out_no_task ;
nr = filp - > f_pos - FIRST_PROCESS_ENTRY ;
reaper = get_proc_task ( filp - > f_path . dentry - > d_inode ) ;
2006-10-02 13:18:49 +04:00
if ( ! reaper )
goto out_no_task ;
2006-10-02 13:18:56 +04:00
for ( ; nr < ARRAY_SIZE ( proc_base_stuff ) ; filp - > f_pos + + , nr + + ) {
2007-05-08 11:26:15 +04:00
const struct pid_entry * p = & proc_base_stuff [ nr ] ;
2006-10-02 13:18:49 +04:00
if ( proc_base_fill_cache ( filp , dirent , filldir , reaper , p ) < 0 )
2006-10-02 13:18:48 +04:00
goto out ;
2005-04-17 02:20:36 +04:00
}
2007-10-19 10:40:14 +04:00
ns = filp - > f_dentry - > d_sb - > s_fs_info ;
2007-11-29 03:21:26 +03:00
iter . task = NULL ;
iter . tgid = filp - > f_pos - TGID_OFFSET ;
for ( iter = next_tgid ( ns , iter ) ;
iter . task ;
iter . tgid + = 1 , iter = next_tgid ( ns , iter ) ) {
procfs: add hidepid= and gid= mount options
Add support for mount options to restrict access to /proc/PID/
directories. The default backward-compatible "relaxed" behaviour is left
untouched.
The first mount option is called "hidepid" and its value defines how much
info about processes we want to be available for non-owners:
hidepid=0 (default) means the old behavior - anybody may read all
world-readable /proc/PID/* files.
hidepid=1 means users may not access any /proc/<pid>/ directories, but
their own. Sensitive files like cmdline, sched*, status are now protected
against other users. As permission checking done in proc_pid_permission()
and files' permissions are left untouched, programs expecting specific
files' modes are not confused.
hidepid=2 means hidepid=1 plus all /proc/PID/ will be invisible to other
users. It doesn't mean that it hides whether a process exists (it can be
learned by other means, e.g. by kill -0 $PID), but it hides process' euid
and egid. It compicates intruder's task of gathering info about running
processes, whether some daemon runs with elevated privileges, whether
another user runs some sensitive program, whether other users run any
program at all, etc.
gid=XXX defines a group that will be able to gather all processes' info
(as in hidepid=0 mode). This group should be used instead of putting
nonroot user in sudoers file or something. However, untrusted users (like
daemons, etc.) which are not supposed to monitor the tasks in the whole
system should not be added to the group.
hidepid=1 or higher is designed to restrict access to procfs files, which
might reveal some sensitive private information like precise keystrokes
timings:
http://www.openwall.com/lists/oss-security/2011/11/05/3
hidepid=1/2 doesn't break monitoring userspace tools. ps, top, pgrep, and
conky gracefully handle EPERM/ENOENT and behave as if the current user is
the only user running processes. pstree shows the process subtree which
contains "pstree" process.
Note: the patch doesn't deal with setuid/setgid issues of keeping
preopened descriptors of procfs files (like
https://lkml.org/lkml/2011/2/7/368). We rely on that the leaked
information like the scheduling counters of setuid apps doesn't threaten
anybody's privacy - only the user started the setuid program may read the
counters.
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Randy Dunlap <rdunlap@xenotime.net>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Greg KH <greg@kroah.com>
Cc: Theodore Tso <tytso@MIT.EDU>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: James Morris <jmorris@namei.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Hugh Dickins <hughd@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-01-11 03:11:31 +04:00
if ( has_pid_permissions ( ns , iter . task , 2 ) )
__filldir = filldir ;
else
__filldir = fake_filldir ;
2007-11-29 03:21:26 +03:00
filp - > f_pos = iter . tgid + TGID_OFFSET ;
procfs: add hidepid= and gid= mount options
Add support for mount options to restrict access to /proc/PID/
directories. The default backward-compatible "relaxed" behaviour is left
untouched.
The first mount option is called "hidepid" and its value defines how much
info about processes we want to be available for non-owners:
hidepid=0 (default) means the old behavior - anybody may read all
world-readable /proc/PID/* files.
hidepid=1 means users may not access any /proc/<pid>/ directories, but
their own. Sensitive files like cmdline, sched*, status are now protected
against other users. As permission checking done in proc_pid_permission()
and files' permissions are left untouched, programs expecting specific
files' modes are not confused.
hidepid=2 means hidepid=1 plus all /proc/PID/ will be invisible to other
users. It doesn't mean that it hides whether a process exists (it can be
learned by other means, e.g. by kill -0 $PID), but it hides process' euid
and egid. It compicates intruder's task of gathering info about running
processes, whether some daemon runs with elevated privileges, whether
another user runs some sensitive program, whether other users run any
program at all, etc.
gid=XXX defines a group that will be able to gather all processes' info
(as in hidepid=0 mode). This group should be used instead of putting
nonroot user in sudoers file or something. However, untrusted users (like
daemons, etc.) which are not supposed to monitor the tasks in the whole
system should not be added to the group.
hidepid=1 or higher is designed to restrict access to procfs files, which
might reveal some sensitive private information like precise keystrokes
timings:
http://www.openwall.com/lists/oss-security/2011/11/05/3
hidepid=1/2 doesn't break monitoring userspace tools. ps, top, pgrep, and
conky gracefully handle EPERM/ENOENT and behave as if the current user is
the only user running processes. pstree shows the process subtree which
contains "pstree" process.
Note: the patch doesn't deal with setuid/setgid issues of keeping
preopened descriptors of procfs files (like
https://lkml.org/lkml/2011/2/7/368). We rely on that the leaked
information like the scheduling counters of setuid apps doesn't threaten
anybody's privacy - only the user started the setuid program may read the
counters.
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Randy Dunlap <rdunlap@xenotime.net>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Greg KH <greg@kroah.com>
Cc: Theodore Tso <tytso@MIT.EDU>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: James Morris <jmorris@namei.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Hugh Dickins <hughd@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-01-11 03:11:31 +04:00
if ( proc_pid_fill_cache ( filp , dirent , __filldir , iter ) < 0 ) {
2007-11-29 03:21:26 +03:00
put_task_struct ( iter . task ) ;
[PATCH] proc: readdir race fix (take 3)
The problem: An opendir, readdir, closedir sequence can fail to report
process ids that are continually in use throughout the sequence of system
calls. For this race to trigger the process that proc_pid_readdir stops at
must exit before readdir is called again.
This can cause ps to fail to report processes, and it is in violation of
posix guarantees and normal application expectations with respect to
readdir.
Currently there is no way to work around this problem in user space short
of providing a gargantuan buffer to user space so the directory read all
happens in on system call.
This patch implements the normal directory semantics for proc, that
guarantee that a directory entry that is neither created nor destroyed
while reading the directory entry will be returned. For directory that are
either created or destroyed during the readdir you may or may not see them.
Furthermore you may seek to a directory offset you have previously seen.
These are the guarantee that ext[23] provides and that posix requires, and
more importantly that user space expects. Plus it is a simple semantic to
implement reliable service. It is just a matter of calling readdir a
second time if you are wondering if something new has show up.
These better semantics are implemented by scanning through the pids in
numerical order and by making the file offset a pid plus a fixed offset.
The pid scan happens on the pid bitmap, which when you look at it is
remarkably efficient for a brute force algorithm. Given that a typical
cache line is 64 bytes and thus covers space for 64*8 == 200 pids. There
are only 40 cache lines for the entire 32K pid space. A typical system
will have 100 pids or more so this is actually fewer cache lines we have to
look at to scan a linked list, and the worst case of having to scan the
entire pid bitmap is pretty reasonable.
If we need something more efficient we can go to a more efficient data
structure for indexing the pids, but for now what we have should be
sufficient.
In addition this takes no additional locks and is actually less code than
what we are doing now.
Also another very subtle bug in this area has been fixed. It is possible
to catch a task in the middle of de_thread where a thread is assuming the
thread of it's thread group leader. This patch carefully handles that case
so if we hit it we don't fail to return the pid, that is undergoing the
de_thread dance.
Thanks to KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> for
providing the first fix, pointing this out and working on it.
[oleg@tv-sign.ru: fix it]
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Jean Delvare <jdelvare@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-10-02 13:17:04 +04:00
goto out ;
2005-04-17 02:20:36 +04:00
}
2006-06-26 11:25:50 +04:00
}
[PATCH] proc: readdir race fix (take 3)
The problem: An opendir, readdir, closedir sequence can fail to report
process ids that are continually in use throughout the sequence of system
calls. For this race to trigger the process that proc_pid_readdir stops at
must exit before readdir is called again.
This can cause ps to fail to report processes, and it is in violation of
posix guarantees and normal application expectations with respect to
readdir.
Currently there is no way to work around this problem in user space short
of providing a gargantuan buffer to user space so the directory read all
happens in on system call.
This patch implements the normal directory semantics for proc, that
guarantee that a directory entry that is neither created nor destroyed
while reading the directory entry will be returned. For directory that are
either created or destroyed during the readdir you may or may not see them.
Furthermore you may seek to a directory offset you have previously seen.
These are the guarantee that ext[23] provides and that posix requires, and
more importantly that user space expects. Plus it is a simple semantic to
implement reliable service. It is just a matter of calling readdir a
second time if you are wondering if something new has show up.
These better semantics are implemented by scanning through the pids in
numerical order and by making the file offset a pid plus a fixed offset.
The pid scan happens on the pid bitmap, which when you look at it is
remarkably efficient for a brute force algorithm. Given that a typical
cache line is 64 bytes and thus covers space for 64*8 == 200 pids. There
are only 40 cache lines for the entire 32K pid space. A typical system
will have 100 pids or more so this is actually fewer cache lines we have to
look at to scan a linked list, and the worst case of having to scan the
entire pid bitmap is pretty reasonable.
If we need something more efficient we can go to a more efficient data
structure for indexing the pids, but for now what we have should be
sufficient.
In addition this takes no additional locks and is actually less code than
what we are doing now.
Also another very subtle bug in this area has been fixed. It is possible
to catch a task in the middle of de_thread where a thread is assuming the
thread of it's thread group leader. This patch carefully handles that case
so if we hit it we don't fail to return the pid, that is undergoing the
de_thread dance.
Thanks to KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> for
providing the first fix, pointing this out and working on it.
[oleg@tv-sign.ru: fix it]
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Jean Delvare <jdelvare@suse.de>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-10-02 13:17:04 +04:00
filp - > f_pos = PID_MAX_LIMIT + TGID_OFFSET ;
out :
2006-10-02 13:18:49 +04:00
put_task_struct ( reaper ) ;
out_no_task :
2006-06-26 11:25:50 +04:00
return 0 ;
}
2005-04-17 02:20:36 +04:00
2006-10-02 13:17:05 +04:00
/*
* Tasks
*/
2007-05-08 11:26:15 +04:00
static const struct pid_entry tid_base_stuff [ ] = {
2008-11-10 01:32:52 +03:00
DIR ( " fd " , S_IRUSR | S_IXUSR , proc_fd_inode_operations , proc_fd_operations ) ,
2010-04-28 00:13:06 +04:00
DIR ( " fdinfo " , S_IRUSR | S_IXUSR , proc_fdinfo_inode_operations , proc_fdinfo_operations ) ,
2010-03-08 03:41:34 +03:00
DIR ( " ns " , S_IRUSR | S_IXUGO , proc_ns_dir_inode_operations , proc_ns_dir_operations ) ,
2008-11-10 01:32:52 +03:00
REG ( " environ " , S_IRUSR , proc_environ_operations ) ,
INF ( " auxv " , S_IRUSR , proc_pid_auxv ) ,
ONE ( " status " , S_IRUGO , proc_pid_status ) ,
2011-03-23 22:52:50 +03:00
ONE ( " personality " , S_IRUGO , proc_pid_personality ) ,
2010-10-01 02:15:33 +04:00
INF ( " limits " , S_IRUGO , proc_pid_limits ) ,
2007-07-09 20:52:00 +04:00
# ifdef CONFIG_SCHED_DEBUG
2008-11-10 01:32:52 +03:00
REG ( " sched " , S_IRUGO | S_IWUSR , proc_pid_sched_operations ) ,
2008-07-26 06:46:00 +04:00
# endif
2009-12-15 05:00:05 +03:00
REG ( " comm " , S_IRUGO | S_IWUSR , proc_pid_set_comm_operations ) ,
2008-07-26 06:46:00 +04:00
# ifdef CONFIG_HAVE_ARCH_TRACEHOOK
2011-03-23 22:52:50 +03:00
INF ( " syscall " , S_IRUGO , proc_pid_syscall ) ,
2007-07-09 20:52:00 +04:00
# endif
2008-11-10 01:32:52 +03:00
INF ( " cmdline " , S_IRUGO , proc_pid_cmdline ) ,
ONE ( " stat " , S_IRUGO , proc_tid_stat ) ,
ONE ( " statm " , S_IRUGO , proc_pid_statm ) ,
REG ( " maps " , S_IRUGO , proc_maps_operations ) ,
2006-10-02 13:17:05 +04:00
# ifdef CONFIG_NUMA
2008-11-10 01:32:52 +03:00
REG ( " numa_maps " , S_IRUGO , proc_numa_maps_operations ) ,
2006-10-02 13:17:05 +04:00
# endif
2008-11-10 01:32:52 +03:00
REG ( " mem " , S_IRUSR | S_IWUSR , proc_mem_operations ) ,
LNK ( " cwd " , proc_cwd_link ) ,
LNK ( " root " , proc_root_link ) ,
LNK ( " exe " , proc_exe_link ) ,
REG ( " mounts " , S_IRUGO , proc_mounts_operations ) ,
REG ( " mountinfo " , S_IRUGO , proc_mountinfo_operations ) ,
2008-02-05 09:29:07 +03:00
# ifdef CONFIG_PROC_PAGE_MONITOR
2008-11-10 01:32:52 +03:00
REG ( " clear_refs " , S_IWUSR , proc_clear_refs_operations ) ,
REG ( " smaps " , S_IRUGO , proc_smaps_operations ) ,
2011-02-16 06:04:37 +03:00
REG ( " pagemap " , S_IRUGO , proc_pagemap_operations ) ,
2006-10-02 13:17:05 +04:00
# endif
# ifdef CONFIG_SECURITY
2008-11-10 01:32:52 +03:00
DIR ( " attr " , S_IRUGO | S_IXUGO , proc_attr_dir_inode_operations , proc_attr_dir_operations ) ,
2006-10-02 13:17:05 +04:00
# endif
# ifdef CONFIG_KALLSYMS
2008-11-10 01:32:52 +03:00
INF ( " wchan " , S_IRUGO , proc_pid_wchan ) ,
2006-10-02 13:17:05 +04:00
# endif
2008-11-10 11:26:08 +03:00
# ifdef CONFIG_STACKTRACE
2011-03-23 22:52:50 +03:00
ONE ( " stack " , S_IRUGO , proc_pid_stack ) ,
2006-10-02 13:17:05 +04:00
# endif
# ifdef CONFIG_SCHEDSTATS
2008-11-10 01:32:52 +03:00
INF ( " schedstat " , S_IRUGO , proc_pid_schedstat ) ,
2006-10-02 13:17:05 +04:00
# endif
2008-01-25 23:08:34 +03:00
# ifdef CONFIG_LATENCYTOP
2008-11-10 01:32:52 +03:00
REG ( " latency " , S_IRUGO , proc_lstats_operations ) ,
2008-01-25 23:08:34 +03:00
# endif
2007-10-19 10:39:39 +04:00
# ifdef CONFIG_PROC_PID_CPUSET
2008-11-10 01:32:52 +03:00
REG ( " cpuset " , S_IRUGO , proc_cpuset_operations ) ,
2007-10-19 10:39:35 +04:00
# endif
# ifdef CONFIG_CGROUPS
2008-11-10 01:32:52 +03:00
REG ( " cgroup " , S_IRUGO , proc_cgroup_operations ) ,
2006-10-02 13:17:05 +04:00
# endif
2008-11-10 01:32:52 +03:00
INF ( " oom_score " , S_IRUGO , proc_oom_score ) ,
REG ( " oom_adj " , S_IRUGO | S_IWUSR , proc_oom_adjust_operations ) ,
oom: badness heuristic rewrite
This a complete rewrite of the oom killer's badness() heuristic which is
used to determine which task to kill in oom conditions. The goal is to
make it as simple and predictable as possible so the results are better
understood and we end up killing the task which will lead to the most
memory freeing while still respecting the fine-tuning from userspace.
Instead of basing the heuristic on mm->total_vm for each task, the task's
rss and swap space is used instead. This is a better indication of the
amount of memory that will be freeable if the oom killed task is chosen
and subsequently exits. This helps specifically in cases where KDE or
GNOME is chosen for oom kill on desktop systems instead of a memory
hogging task.
The baseline for the heuristic is a proportion of memory that each task is
currently using in memory plus swap compared to the amount of "allowable"
memory. "Allowable," in this sense, means the system-wide resources for
unconstrained oom conditions, the set of mempolicy nodes, the mems
attached to current's cpuset, or a memory controller's limit. The
proportion is given on a scale of 0 (never kill) to 1000 (always kill),
roughly meaning that if a task has a badness() score of 500 that the task
consumes approximately 50% of allowable memory resident in RAM or in swap
space.
The proportion is always relative to the amount of "allowable" memory and
not the total amount of RAM systemwide so that mempolicies and cpusets may
operate in isolation; they shall not need to know the true size of the
machine on which they are running if they are bound to a specific set of
nodes or mems, respectively.
Root tasks are given 3% extra memory just like __vm_enough_memory()
provides in LSMs. In the event of two tasks consuming similar amounts of
memory, it is generally better to save root's task.
Because of the change in the badness() heuristic's baseline, it is also
necessary to introduce a new user interface to tune it. It's not possible
to redefine the meaning of /proc/pid/oom_adj with a new scale since the
ABI cannot be changed for backward compatability. Instead, a new tunable,
/proc/pid/oom_score_adj, is added that ranges from -1000 to +1000. It may
be used to polarize the heuristic such that certain tasks are never
considered for oom kill while others may always be considered. The value
is added directly into the badness() score so a value of -500, for
example, means to discount 50% of its memory consumption in comparison to
other tasks either on the system, bound to the mempolicy, in the cpuset,
or sharing the same memory controller.
/proc/pid/oom_adj is changed so that its meaning is rescaled into the
units used by /proc/pid/oom_score_adj, and vice versa. Changing one of
these per-task tunables will rescale the value of the other to an
equivalent meaning. Although /proc/pid/oom_adj was originally defined as
a bitshift on the badness score, it now shares the same linear growth as
/proc/pid/oom_score_adj but with different granularity. This is required
so the ABI is not broken with userspace applications and allows oom_adj to
be deprecated for future removal.
Signed-off-by: David Rientjes <rientjes@google.com>
Cc: Nick Piggin <npiggin@suse.de>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Balbir Singh <balbir@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-08-10 04:19:46 +04:00
REG ( " oom_score_adj " , S_IRUGO | S_IWUSR , proc_oom_score_adj_operations ) ,
2006-10-02 13:17:05 +04:00
# ifdef CONFIG_AUDITSYSCALL
2008-11-10 01:32:52 +03:00
REG ( " loginuid " , S_IWUSR | S_IRUGO , proc_loginuid_operations ) ,
2011-02-16 05:24:05 +03:00
REG ( " sessionid " , S_IRUGO , proc_sessionid_operations ) ,
2006-10-02 13:17:05 +04:00
# endif
2006-12-08 13:39:47 +03:00
# ifdef CONFIG_FAULT_INJECTION
2008-11-10 01:32:52 +03:00
REG ( " make-it-fail " , S_IRUGO | S_IWUSR , proc_fault_inject_operations ) ,
2006-12-08 13:39:47 +03:00
# endif
2008-07-25 12:48:49 +04:00
# ifdef CONFIG_TASK_IO_ACCOUNTING
2011-06-24 16:08:38 +04:00
INF ( " io " , S_IRUSR , proc_tid_io_accounting ) ,
2008-07-25 12:48:49 +04:00
# endif
arch/tile: more /proc and /sys file support
This change introduces a few of the less controversial /proc and
/proc/sys interfaces for tile, along with sysfs attributes for
various things that were originally proposed as /proc/tile files.
It also adjusts the "hardwall" proc API.
Arnd Bergmann reviewed the initial arch/tile submission, which
included a complete set of all the /proc/tile and /proc/sys/tile
knobs that we had added in a somewhat ad hoc way during initial
development, and provided feedback on where most of them should go.
One knob turned out to be similar enough to the existing
/proc/sys/debug/exception-trace that it was re-implemented to use
that model instead.
Another knob was /proc/tile/grid, which reported the "grid" dimensions
of a tile chip (e.g. 8x8 processors = 64-core chip). Arnd suggested
looking at sysfs for that, so this change moves that information
to a pair of sysfs attributes (chip_width and chip_height) in the
/sys/devices/system/cpu directory. We also put the "chip_serial"
and "chip_revision" information from our old /proc/tile/board file
as attributes in /sys/devices/system/cpu.
Other information collected via hypervisor APIs is now placed in
/sys/hypervisor. We create a /sys/hypervisor/type file (holding the
constant string "tilera") to be parallel with the Xen use of
/sys/hypervisor/type holding "xen". We create three top-level files,
"version" (the hypervisor's own version), "config_version" (the
version of the configuration file), and "hvconfig" (the contents of
the configuration file). The remaining information from our old
/proc/tile/board and /proc/tile/switch files becomes an attribute
group appearing under /sys/hypervisor/board/.
Finally, after some feedback from Arnd Bergmann for the previous
version of this patch, the /proc/tile/hardwall file is split up into
two conceptual parts. First, a directory /proc/tile/hardwall/ which
contains one file per active hardwall, each file named after the
hardwall's ID and holding a cpulist that says which cpus are enclosed by
the hardwall. Second, a /proc/PID file "hardwall" that is either
empty (for non-hardwall-using processes) or contains the hardwall ID.
Finally, this change pushes the /proc/sys/tile/unaligned_fixup/
directory, with knobs controlling the kernel code for handling the
fixup of unaligned exceptions.
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
2011-05-26 20:40:09 +04:00
# ifdef CONFIG_HARDWALL
INF ( " hardwall " , S_IRUGO , proc_pid_hardwall ) ,
# endif
2006-10-02 13:17:05 +04:00
} ;
static int proc_tid_base_readdir ( struct file * filp ,
void * dirent , filldir_t filldir )
{
return proc_pident_readdir ( filp , dirent , filldir ,
tid_base_stuff , ARRAY_SIZE ( tid_base_stuff ) ) ;
}
static struct dentry * proc_tid_base_lookup ( struct inode * dir , struct dentry * dentry , struct nameidata * nd ) {
2006-10-02 13:18:56 +04:00
return proc_pident_lookup ( dir , dentry ,
tid_base_stuff , ARRAY_SIZE ( tid_base_stuff ) ) ;
2006-10-02 13:17:05 +04:00
}
2007-02-12 11:55:34 +03:00
static const struct file_operations proc_tid_base_operations = {
2006-10-02 13:17:05 +04:00
. read = generic_read_dir ,
. readdir = proc_tid_base_readdir ,
llseek: automatically add .llseek fop
All file_operations should get a .llseek operation so we can make
nonseekable_open the default for future file operations without a
.llseek pointer.
The three cases that we can automatically detect are no_llseek, seq_lseek
and default_llseek. For cases where we can we can automatically prove that
the file offset is always ignored, we use noop_llseek, which maintains
the current behavior of not returning an error from a seek.
New drivers should normally not use noop_llseek but instead use no_llseek
and call nonseekable_open at open time. Existing drivers can be converted
to do the same when the maintainer knows for certain that no user code
relies on calling seek on the device file.
The generated code is often incorrectly indented and right now contains
comments that clarify for each added line why a specific variant was
chosen. In the version that gets submitted upstream, the comments will
be gone and I will manually fix the indentation, because there does not
seem to be a way to do that using coccinelle.
Some amount of new code is currently sitting in linux-next that should get
the same modifications, which I will do at the end of the merge window.
Many thanks to Julia Lawall for helping me learn to write a semantic
patch that does all this.
===== begin semantic patch =====
// This adds an llseek= method to all file operations,
// as a preparation for making no_llseek the default.
//
// The rules are
// - use no_llseek explicitly if we do nonseekable_open
// - use seq_lseek for sequential files
// - use default_llseek if we know we access f_pos
// - use noop_llseek if we know we don't access f_pos,
// but we still want to allow users to call lseek
//
@ open1 exists @
identifier nested_open;
@@
nested_open(...)
{
<+...
nonseekable_open(...)
...+>
}
@ open exists@
identifier open_f;
identifier i, f;
identifier open1.nested_open;
@@
int open_f(struct inode *i, struct file *f)
{
<+...
(
nonseekable_open(...)
|
nested_open(...)
)
...+>
}
@ read disable optional_qualifier exists @
identifier read_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
expression E;
identifier func;
@@
ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
{
<+...
(
*off = E
|
*off += E
|
func(..., off, ...)
|
E = *off
)
...+>
}
@ read_no_fpos disable optional_qualifier exists @
identifier read_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
@@
ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
{
... when != off
}
@ write @
identifier write_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
expression E;
identifier func;
@@
ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
{
<+...
(
*off = E
|
*off += E
|
func(..., off, ...)
|
E = *off
)
...+>
}
@ write_no_fpos @
identifier write_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
@@
ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
{
... when != off
}
@ fops0 @
identifier fops;
@@
struct file_operations fops = {
...
};
@ has_llseek depends on fops0 @
identifier fops0.fops;
identifier llseek_f;
@@
struct file_operations fops = {
...
.llseek = llseek_f,
...
};
@ has_read depends on fops0 @
identifier fops0.fops;
identifier read_f;
@@
struct file_operations fops = {
...
.read = read_f,
...
};
@ has_write depends on fops0 @
identifier fops0.fops;
identifier write_f;
@@
struct file_operations fops = {
...
.write = write_f,
...
};
@ has_open depends on fops0 @
identifier fops0.fops;
identifier open_f;
@@
struct file_operations fops = {
...
.open = open_f,
...
};
// use no_llseek if we call nonseekable_open
////////////////////////////////////////////
@ nonseekable1 depends on !has_llseek && has_open @
identifier fops0.fops;
identifier nso ~= "nonseekable_open";
@@
struct file_operations fops = {
... .open = nso, ...
+.llseek = no_llseek, /* nonseekable */
};
@ nonseekable2 depends on !has_llseek @
identifier fops0.fops;
identifier open.open_f;
@@
struct file_operations fops = {
... .open = open_f, ...
+.llseek = no_llseek, /* open uses nonseekable */
};
// use seq_lseek for sequential files
/////////////////////////////////////
@ seq depends on !has_llseek @
identifier fops0.fops;
identifier sr ~= "seq_read";
@@
struct file_operations fops = {
... .read = sr, ...
+.llseek = seq_lseek, /* we have seq_read */
};
// use default_llseek if there is a readdir
///////////////////////////////////////////
@ fops1 depends on !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier readdir_e;
@@
// any other fop is used that changes pos
struct file_operations fops = {
... .readdir = readdir_e, ...
+.llseek = default_llseek, /* readdir is present */
};
// use default_llseek if at least one of read/write touches f_pos
/////////////////////////////////////////////////////////////////
@ fops2 depends on !fops1 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read.read_f;
@@
// read fops use offset
struct file_operations fops = {
... .read = read_f, ...
+.llseek = default_llseek, /* read accesses f_pos */
};
@ fops3 depends on !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier write.write_f;
@@
// write fops use offset
struct file_operations fops = {
... .write = write_f, ...
+ .llseek = default_llseek, /* write accesses f_pos */
};
// Use noop_llseek if neither read nor write accesses f_pos
///////////////////////////////////////////////////////////
@ fops4 depends on !fops1 && !fops2 && !fops3 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read_no_fpos.read_f;
identifier write_no_fpos.write_f;
@@
// write fops use offset
struct file_operations fops = {
...
.write = write_f,
.read = read_f,
...
+.llseek = noop_llseek, /* read and write both use no f_pos */
};
@ depends on has_write && !has_read && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier write_no_fpos.write_f;
@@
struct file_operations fops = {
... .write = write_f, ...
+.llseek = noop_llseek, /* write uses no f_pos */
};
@ depends on has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read_no_fpos.read_f;
@@
struct file_operations fops = {
... .read = read_f, ...
+.llseek = noop_llseek, /* read uses no f_pos */
};
@ depends on !has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
@@
struct file_operations fops = {
...
+.llseek = noop_llseek, /* no read or write fn */
};
===== End semantic patch =====
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Cc: Julia Lawall <julia@diku.dk>
Cc: Christoph Hellwig <hch@infradead.org>
2010-08-15 20:52:59 +04:00
. llseek = default_llseek ,
2006-10-02 13:17:05 +04:00
} ;
2007-02-12 11:55:40 +03:00
static const struct inode_operations proc_tid_base_inode_operations = {
2006-10-02 13:17:05 +04:00
. lookup = proc_tid_base_lookup ,
. getattr = pid_getattr ,
. setattr = proc_setattr ,
} ;
2006-10-02 13:18:49 +04:00
static struct dentry * proc_task_instantiate ( struct inode * dir ,
2007-05-08 11:26:15 +04:00
struct dentry * dentry , struct task_struct * task , const void * ptr )
2006-10-02 13:18:49 +04:00
{
struct dentry * error = ERR_PTR ( - ENOENT ) ;
struct inode * inode ;
2006-10-02 13:18:49 +04:00
inode = proc_pid_make_inode ( dir - > i_sb , task ) ;
2006-10-02 13:18:49 +04:00
if ( ! inode )
goto out ;
inode - > i_mode = S_IFDIR | S_IRUGO | S_IXUGO ;
inode - > i_op = & proc_tid_base_inode_operations ;
inode - > i_fop = & proc_tid_base_operations ;
inode - > i_flags | = S_IMMUTABLE ;
2008-06-06 09:46:53 +04:00
2011-10-28 16:13:29 +04:00
set_nlink ( inode , 2 + pid_entry_count_dirs ( tid_base_stuff ,
ARRAY_SIZE ( tid_base_stuff ) ) ) ;
2006-10-02 13:18:49 +04:00
2011-01-07 09:49:55 +03:00
d_set_d_op ( dentry , & pid_dentry_operations ) ;
2006-10-02 13:18:49 +04:00
d_add ( dentry , inode ) ;
/* Close the race of the process dying before we return the dentry */
if ( pid_revalidate ( dentry , NULL ) )
error = NULL ;
out :
return error ;
}
2006-10-02 13:17:05 +04:00
static struct dentry * proc_task_lookup ( struct inode * dir , struct dentry * dentry , struct nameidata * nd )
{
struct dentry * result = ERR_PTR ( - ENOENT ) ;
struct task_struct * task ;
struct task_struct * leader = get_proc_task ( dir ) ;
unsigned tid ;
2007-10-19 10:40:14 +04:00
struct pid_namespace * ns ;
2006-10-02 13:17:05 +04:00
if ( ! leader )
goto out_no_task ;
tid = name_to_int ( dentry ) ;
if ( tid = = ~ 0U )
goto out ;
2007-10-19 10:40:14 +04:00
ns = dentry - > d_sb - > s_fs_info ;
2006-10-02 13:17:05 +04:00
rcu_read_lock ( ) ;
2007-10-19 10:40:14 +04:00
task = find_task_by_pid_ns ( tid , ns ) ;
2006-10-02 13:17:05 +04:00
if ( task )
get_task_struct ( task ) ;
rcu_read_unlock ( ) ;
if ( ! task )
goto out ;
2007-10-19 10:40:18 +04:00
if ( ! same_thread_group ( leader , task ) )
2006-10-02 13:17:05 +04:00
goto out_drop_task ;
2006-10-02 13:18:49 +04:00
result = proc_task_instantiate ( dir , dentry , task , NULL ) ;
2006-10-02 13:17:05 +04:00
out_drop_task :
put_task_struct ( task ) ;
out :
put_task_struct ( leader ) ;
out_no_task :
return result ;
}
2006-06-26 11:25:50 +04:00
/*
* Find the first tid of a thread group to return to user space .
*
* Usually this is just the thread group leader , but if the users
* buffer was too small or there was a seek into the middle of the
* directory we have more work todo .
*
* In the case of a short read we start with find_task_by_pid .
*
* In the case of a seek we start with the leader and walk nr
* threads past it .
*/
2006-06-26 11:26:01 +04:00
static struct task_struct * first_tid ( struct task_struct * leader ,
2007-10-19 10:40:14 +04:00
int tid , int nr , struct pid_namespace * ns )
2006-06-26 11:25:50 +04:00
{
2006-06-26 11:26:01 +04:00
struct task_struct * pos ;
2005-04-17 02:20:36 +04:00
2006-06-26 11:26:01 +04:00
rcu_read_lock ( ) ;
2006-06-26 11:25:50 +04:00
/* Attempt to start with the pid of a thread */
if ( tid & & ( nr > 0 ) ) {
2007-10-19 10:40:14 +04:00
pos = find_task_by_pid_ns ( tid , ns ) ;
2006-06-26 11:26:01 +04:00
if ( pos & & ( pos - > group_leader = = leader ) )
goto found ;
2006-06-26 11:25:50 +04:00
}
2005-04-17 02:20:36 +04:00
2006-06-26 11:25:50 +04:00
/* If nr exceeds the number of threads there is nothing todo */
2006-06-26 11:26:01 +04:00
pos = NULL ;
if ( nr & & nr > = get_nr_threads ( leader ) )
goto out ;
2005-04-17 02:20:36 +04:00
2006-06-26 11:26:01 +04:00
/* If we haven't found our starting place yet start
* with the leader and walk nr threads forward .
2006-06-26 11:25:50 +04:00
*/
2006-06-26 11:26:01 +04:00
for ( pos = leader ; nr > 0 ; - - nr ) {
pos = next_thread ( pos ) ;
if ( pos = = leader ) {
pos = NULL ;
goto out ;
}
2005-04-17 02:20:36 +04:00
}
2006-06-26 11:26:01 +04:00
found :
get_task_struct ( pos ) ;
out :
2006-06-26 11:26:01 +04:00
rcu_read_unlock ( ) ;
2006-06-26 11:25:50 +04:00
return pos ;
}
/*
* Find the next thread in the thread list .
* Return NULL if there is an error or no next thread .
*
* The reference to the input task_struct is released .
*/
static struct task_struct * next_tid ( struct task_struct * start )
{
2006-06-26 11:26:02 +04:00
struct task_struct * pos = NULL ;
2006-06-26 11:26:01 +04:00
rcu_read_lock ( ) ;
2006-06-26 11:26:02 +04:00
if ( pid_alive ( start ) ) {
2006-06-26 11:25:50 +04:00
pos = next_thread ( start ) ;
2006-06-26 11:26:02 +04:00
if ( thread_group_leader ( pos ) )
pos = NULL ;
else
get_task_struct ( pos ) ;
}
2006-06-26 11:26:01 +04:00
rcu_read_unlock ( ) ;
2006-06-26 11:25:50 +04:00
put_task_struct ( start ) ;
return pos ;
2005-04-17 02:20:36 +04:00
}
2006-10-02 13:18:49 +04:00
static int proc_task_fill_cache ( struct file * filp , void * dirent , filldir_t filldir ,
struct task_struct * task , int tid )
{
char name [ PROC_NUMBUF ] ;
int len = snprintf ( name , sizeof ( name ) , " %d " , tid ) ;
return proc_fill_cache ( filp , dirent , filldir , name , len ,
proc_task_instantiate , task , NULL ) ;
}
2005-04-17 02:20:36 +04:00
/* for the /proc/TGID/task/ directories */
static int proc_task_readdir ( struct file * filp , void * dirent , filldir_t filldir )
{
2006-12-08 13:36:36 +03:00
struct dentry * dentry = filp - > f_path . dentry ;
2005-04-17 02:20:36 +04:00
struct inode * inode = dentry - > d_inode ;
2007-02-01 10:48:14 +03:00
struct task_struct * leader = NULL ;
2006-06-26 11:25:50 +04:00
struct task_struct * task ;
2005-04-17 02:20:36 +04:00
int retval = - ENOENT ;
ino_t ino ;
2006-06-26 11:25:50 +04:00
int tid ;
2007-10-19 10:40:14 +04:00
struct pid_namespace * ns ;
2005-04-17 02:20:36 +04:00
2007-02-01 10:48:14 +03:00
task = get_proc_task ( inode ) ;
if ( ! task )
goto out_no_task ;
rcu_read_lock ( ) ;
if ( pid_alive ( task ) ) {
leader = task - > group_leader ;
get_task_struct ( leader ) ;
}
rcu_read_unlock ( ) ;
put_task_struct ( task ) ;
2006-06-26 11:25:55 +04:00
if ( ! leader )
goto out_no_task ;
2005-04-17 02:20:36 +04:00
retval = 0 ;
2009-03-17 20:02:35 +03:00
switch ( ( unsigned long ) filp - > f_pos ) {
2005-04-17 02:20:36 +04:00
case 0 :
ino = inode - > i_ino ;
2009-03-16 09:44:31 +03:00
if ( filldir ( dirent , " . " , 1 , filp - > f_pos , ino , DT_DIR ) < 0 )
2005-04-17 02:20:36 +04:00
goto out ;
2009-03-16 09:44:31 +03:00
filp - > f_pos + + ;
2005-04-17 02:20:36 +04:00
/* fall through */
case 1 :
ino = parent_ino ( dentry ) ;
2009-03-16 09:44:31 +03:00
if ( filldir ( dirent , " .. " , 2 , filp - > f_pos , ino , DT_DIR ) < 0 )
2005-04-17 02:20:36 +04:00
goto out ;
2009-03-16 09:44:31 +03:00
filp - > f_pos + + ;
2005-04-17 02:20:36 +04:00
/* fall through */
}
2006-06-26 11:25:50 +04:00
/* f_version caches the tgid value that the last readdir call couldn't
* return . lseek aka telldir automagically resets f_version to 0.
*/
2007-10-19 10:40:14 +04:00
ns = filp - > f_dentry - > d_sb - > s_fs_info ;
2007-10-17 10:27:21 +04:00
tid = ( int ) filp - > f_version ;
2006-06-26 11:25:50 +04:00
filp - > f_version = 0 ;
2009-03-16 09:44:31 +03:00
for ( task = first_tid ( leader , tid , filp - > f_pos - 2 , ns ) ;
2006-06-26 11:25:50 +04:00
task ;
2009-03-16 09:44:31 +03:00
task = next_tid ( task ) , filp - > f_pos + + ) {
2007-10-19 10:40:14 +04:00
tid = task_pid_nr_ns ( task , ns ) ;
2006-10-02 13:18:49 +04:00
if ( proc_task_fill_cache ( filp , dirent , filldir , task , tid ) < 0 ) {
2006-06-26 11:25:50 +04:00
/* returning this tgid failed, save it as the first
* pid for the next readir call */
2007-10-17 10:27:21 +04:00
filp - > f_version = ( u64 ) tid ;
2006-06-26 11:25:50 +04:00
put_task_struct ( task ) ;
2005-04-17 02:20:36 +04:00
break ;
2006-06-26 11:25:50 +04:00
}
2005-04-17 02:20:36 +04:00
}
out :
2006-06-26 11:25:55 +04:00
put_task_struct ( leader ) ;
out_no_task :
2005-04-17 02:20:36 +04:00
return retval ;
}
2006-06-26 11:25:47 +04:00
static int proc_task_getattr ( struct vfsmount * mnt , struct dentry * dentry , struct kstat * stat )
{
struct inode * inode = dentry - > d_inode ;
2006-06-26 11:25:55 +04:00
struct task_struct * p = get_proc_task ( inode ) ;
2006-06-26 11:25:47 +04:00
generic_fillattr ( inode , stat ) ;
2006-06-26 11:25:55 +04:00
if ( p ) {
stat - > nlink + = get_nr_threads ( p ) ;
put_task_struct ( p ) ;
2006-06-26 11:25:47 +04:00
}
return 0 ;
}
2006-10-02 13:17:05 +04:00
2007-02-12 11:55:40 +03:00
static const struct inode_operations proc_task_inode_operations = {
2006-10-02 13:17:05 +04:00
. lookup = proc_task_lookup ,
. getattr = proc_task_getattr ,
. setattr = proc_setattr ,
procfs: add hidepid= and gid= mount options
Add support for mount options to restrict access to /proc/PID/
directories. The default backward-compatible "relaxed" behaviour is left
untouched.
The first mount option is called "hidepid" and its value defines how much
info about processes we want to be available for non-owners:
hidepid=0 (default) means the old behavior - anybody may read all
world-readable /proc/PID/* files.
hidepid=1 means users may not access any /proc/<pid>/ directories, but
their own. Sensitive files like cmdline, sched*, status are now protected
against other users. As permission checking done in proc_pid_permission()
and files' permissions are left untouched, programs expecting specific
files' modes are not confused.
hidepid=2 means hidepid=1 plus all /proc/PID/ will be invisible to other
users. It doesn't mean that it hides whether a process exists (it can be
learned by other means, e.g. by kill -0 $PID), but it hides process' euid
and egid. It compicates intruder's task of gathering info about running
processes, whether some daemon runs with elevated privileges, whether
another user runs some sensitive program, whether other users run any
program at all, etc.
gid=XXX defines a group that will be able to gather all processes' info
(as in hidepid=0 mode). This group should be used instead of putting
nonroot user in sudoers file or something. However, untrusted users (like
daemons, etc.) which are not supposed to monitor the tasks in the whole
system should not be added to the group.
hidepid=1 or higher is designed to restrict access to procfs files, which
might reveal some sensitive private information like precise keystrokes
timings:
http://www.openwall.com/lists/oss-security/2011/11/05/3
hidepid=1/2 doesn't break monitoring userspace tools. ps, top, pgrep, and
conky gracefully handle EPERM/ENOENT and behave as if the current user is
the only user running processes. pstree shows the process subtree which
contains "pstree" process.
Note: the patch doesn't deal with setuid/setgid issues of keeping
preopened descriptors of procfs files (like
https://lkml.org/lkml/2011/2/7/368). We rely on that the leaked
information like the scheduling counters of setuid apps doesn't threaten
anybody's privacy - only the user started the setuid program may read the
counters.
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Randy Dunlap <rdunlap@xenotime.net>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Greg KH <greg@kroah.com>
Cc: Theodore Tso <tytso@MIT.EDU>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: James Morris <jmorris@namei.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Hugh Dickins <hughd@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-01-11 03:11:31 +04:00
. permission = proc_pid_permission ,
2006-10-02 13:17:05 +04:00
} ;
2007-02-12 11:55:34 +03:00
static const struct file_operations proc_task_operations = {
2006-10-02 13:17:05 +04:00
. read = generic_read_dir ,
. readdir = proc_task_readdir ,
llseek: automatically add .llseek fop
All file_operations should get a .llseek operation so we can make
nonseekable_open the default for future file operations without a
.llseek pointer.
The three cases that we can automatically detect are no_llseek, seq_lseek
and default_llseek. For cases where we can we can automatically prove that
the file offset is always ignored, we use noop_llseek, which maintains
the current behavior of not returning an error from a seek.
New drivers should normally not use noop_llseek but instead use no_llseek
and call nonseekable_open at open time. Existing drivers can be converted
to do the same when the maintainer knows for certain that no user code
relies on calling seek on the device file.
The generated code is often incorrectly indented and right now contains
comments that clarify for each added line why a specific variant was
chosen. In the version that gets submitted upstream, the comments will
be gone and I will manually fix the indentation, because there does not
seem to be a way to do that using coccinelle.
Some amount of new code is currently sitting in linux-next that should get
the same modifications, which I will do at the end of the merge window.
Many thanks to Julia Lawall for helping me learn to write a semantic
patch that does all this.
===== begin semantic patch =====
// This adds an llseek= method to all file operations,
// as a preparation for making no_llseek the default.
//
// The rules are
// - use no_llseek explicitly if we do nonseekable_open
// - use seq_lseek for sequential files
// - use default_llseek if we know we access f_pos
// - use noop_llseek if we know we don't access f_pos,
// but we still want to allow users to call lseek
//
@ open1 exists @
identifier nested_open;
@@
nested_open(...)
{
<+...
nonseekable_open(...)
...+>
}
@ open exists@
identifier open_f;
identifier i, f;
identifier open1.nested_open;
@@
int open_f(struct inode *i, struct file *f)
{
<+...
(
nonseekable_open(...)
|
nested_open(...)
)
...+>
}
@ read disable optional_qualifier exists @
identifier read_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
expression E;
identifier func;
@@
ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
{
<+...
(
*off = E
|
*off += E
|
func(..., off, ...)
|
E = *off
)
...+>
}
@ read_no_fpos disable optional_qualifier exists @
identifier read_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
@@
ssize_t read_f(struct file *f, char *p, size_t s, loff_t *off)
{
... when != off
}
@ write @
identifier write_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
expression E;
identifier func;
@@
ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
{
<+...
(
*off = E
|
*off += E
|
func(..., off, ...)
|
E = *off
)
...+>
}
@ write_no_fpos @
identifier write_f;
identifier f, p, s, off;
type ssize_t, size_t, loff_t;
@@
ssize_t write_f(struct file *f, const char *p, size_t s, loff_t *off)
{
... when != off
}
@ fops0 @
identifier fops;
@@
struct file_operations fops = {
...
};
@ has_llseek depends on fops0 @
identifier fops0.fops;
identifier llseek_f;
@@
struct file_operations fops = {
...
.llseek = llseek_f,
...
};
@ has_read depends on fops0 @
identifier fops0.fops;
identifier read_f;
@@
struct file_operations fops = {
...
.read = read_f,
...
};
@ has_write depends on fops0 @
identifier fops0.fops;
identifier write_f;
@@
struct file_operations fops = {
...
.write = write_f,
...
};
@ has_open depends on fops0 @
identifier fops0.fops;
identifier open_f;
@@
struct file_operations fops = {
...
.open = open_f,
...
};
// use no_llseek if we call nonseekable_open
////////////////////////////////////////////
@ nonseekable1 depends on !has_llseek && has_open @
identifier fops0.fops;
identifier nso ~= "nonseekable_open";
@@
struct file_operations fops = {
... .open = nso, ...
+.llseek = no_llseek, /* nonseekable */
};
@ nonseekable2 depends on !has_llseek @
identifier fops0.fops;
identifier open.open_f;
@@
struct file_operations fops = {
... .open = open_f, ...
+.llseek = no_llseek, /* open uses nonseekable */
};
// use seq_lseek for sequential files
/////////////////////////////////////
@ seq depends on !has_llseek @
identifier fops0.fops;
identifier sr ~= "seq_read";
@@
struct file_operations fops = {
... .read = sr, ...
+.llseek = seq_lseek, /* we have seq_read */
};
// use default_llseek if there is a readdir
///////////////////////////////////////////
@ fops1 depends on !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier readdir_e;
@@
// any other fop is used that changes pos
struct file_operations fops = {
... .readdir = readdir_e, ...
+.llseek = default_llseek, /* readdir is present */
};
// use default_llseek if at least one of read/write touches f_pos
/////////////////////////////////////////////////////////////////
@ fops2 depends on !fops1 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read.read_f;
@@
// read fops use offset
struct file_operations fops = {
... .read = read_f, ...
+.llseek = default_llseek, /* read accesses f_pos */
};
@ fops3 depends on !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier write.write_f;
@@
// write fops use offset
struct file_operations fops = {
... .write = write_f, ...
+ .llseek = default_llseek, /* write accesses f_pos */
};
// Use noop_llseek if neither read nor write accesses f_pos
///////////////////////////////////////////////////////////
@ fops4 depends on !fops1 && !fops2 && !fops3 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read_no_fpos.read_f;
identifier write_no_fpos.write_f;
@@
// write fops use offset
struct file_operations fops = {
...
.write = write_f,
.read = read_f,
...
+.llseek = noop_llseek, /* read and write both use no f_pos */
};
@ depends on has_write && !has_read && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier write_no_fpos.write_f;
@@
struct file_operations fops = {
... .write = write_f, ...
+.llseek = noop_llseek, /* write uses no f_pos */
};
@ depends on has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
identifier read_no_fpos.read_f;
@@
struct file_operations fops = {
... .read = read_f, ...
+.llseek = noop_llseek, /* read uses no f_pos */
};
@ depends on !has_read && !has_write && !fops1 && !fops2 && !has_llseek && !nonseekable1 && !nonseekable2 && !seq @
identifier fops0.fops;
@@
struct file_operations fops = {
...
+.llseek = noop_llseek, /* no read or write fn */
};
===== End semantic patch =====
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Cc: Julia Lawall <julia@diku.dk>
Cc: Christoph Hellwig <hch@infradead.org>
2010-08-15 20:52:59 +04:00
. llseek = default_llseek ,
2006-10-02 13:17:05 +04:00
} ;