| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 17 Apr 2007 21:42:17 +0900 From: Tejun Heo <htejun@...il.com> To: maneesh@...ibm.com CC: gregkh@...e.de, dmitry.torokhov@...il.com, cornelia.huck@...ibm.com, oneukum@...e.de, rpurdie@...ys.net, James.Bottomley@...elEye.com, stern@...land.harvard.edu, linux-kernel@...r.kernel.org Subject: Re: [PATCHSET #master] sysfs: make sysfs disconnect immediately on deletion, take 2 Maneesh Soni wrote: > I started looking at these patches and parallely also did some testing on a > 8 CPU system. I am using the patches from Greg's tree at > http://www.kernel.org/pub/scm/linux/kernel/git/gregkh/patches.git/ > > I ran following loops parallelly > > # while true; do insmod drivers/net/dummy.ko; sleep 1;rmmod dummy; done > # while true; do find /sys/class/net/dummy0 | xargs cat; sleep 1; done > # while true; do umount /sys; sleep 1; mount -t sysfs none /sys; done > # while true; do find /sys | xargs cat > /dev/null; sleep 1; done > > and got the following oops > > Unable to handle kernel NULL pointer dereference at 000000000000004c RIP: > [<ffffffff802935b4>] simple_unlink+0x14/0x5c > PGD 21955c067 PUD 215b52067 PMD 0 > Oops: 0002 [1] SMP > CPU 6 > Modules linked in: dummy i2c_dev i2c_core > Pid: 21161, comm: rmmod Not tainted 2.6.21-rc6 #3 > RIP: 0010:[<ffffffff802935b4>] [<ffffffff802935b4>] simple_unlink+0x14/0x5c > RSP: 0000:ffff81021b38be28 EFLAGS: 00010292 Okay, got it. The problem here is the race between dcache shrinking triggered by umount and sysfs deletion. It seems to be introduced when dentries for attr and symlink nodes are made unpinned. sd->s_entry clearing is done without synchronization and sysfs_drop_entry() ends up deleting already deleted dentry (dentry->inode is NULL). sd->s_entry is broken in other ways too. Consider the following scenario. thread shrinking dcache thread looking up sysfs entry -------------------------------------------------------------------- 1. sysfs dentry for A is chosen as victim. 2. prune_one_dentry() drops the dentry and calls dentry_iput(). 3. dentry_iput() unlinks d_alias and releases spin locks. 4. looks up dentry for A which is not in dcache. 5. new dentry is created and sysfs_lookup() is invoked, which instantiates the dentry and set sd->s_dentry to it. 6. sysfs_d_iput() is called. BUG_ON(sd->s_dentry != dentry) triggers and sd->s_dentry is cleared. You're screwed. I think it can be fixed by making deletion more like conventional filesystem. Brewing a patch... -- tejun - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists