lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 24 Aug 2009 15:34:25 -0700 (PDT)
From:	Linus Torvalds <torvalds@...ux-foundation.org>
To:	"Eric W. Biederman" <ebiederm@...ssion.com>
cc:	linux-kernel@...r.kernel.org, x86@...nel.org,
	Thomas Gleixner <tglx@...utronix.de>,
	Ingo Molnar <mingo@...hat.com>,
	"H. Peter Anvin" <hpa@...or.com>,
	Alan Cox <alan@...rguk.ukuu.org.uk>,
	Greg Kroah-Hartman <gregkh@...e.de>
Subject: Re: v2.6.31-rc6: BUG: unable to handle kernel NULL pointer dereference
 at 0000000000000008



On Wed, 19 Aug 2009, Eric W. Biederman wrote:
> 
> I was looking into a change in behavior on 2.6.31-rc6 where
> data was being lost, and it appears one variant of my test program
> kills the kernel.
> 
> The following program run as an unprivileged user causes a kernel
> panic in about a minute:
> 
> aka
> 
> while :; do ./KernelTtyTest ; done

Ok, so I got back to this one after having worked on other regressions, 
and I'm not seeing anything really obvious. But it does look like we may 
have a situation where we're resetting the ldisc due to hangup at the same 
time as the writer is still active in the flushing on another CPU.

When we halt the lfisc, we cancel the delayed work, but we do it without 
the "non-sync" version that only removes the timer. If the timer just 
triggered, the delayed work might be busy running on another CPU.

Does changing the "cancel_delayed_work()" to "cancel_delayed_work_sync()" 
as in the patch below help your case? Oh, and I noticed that there was a 
stale comment lying around, so the patch removes that one too.

Untested. VERY untested. Just going by "that looks odd".

		Linus

---

 drivers/char/tty_ldisc.c |    5 +----
 1 files changed, 1 insertions(+), 4 deletions(-)

diff --git a/drivers/char/tty_ldisc.c b/drivers/char/tty_ldisc.c
index 1733d34..658638f 100644
--- a/drivers/char/tty_ldisc.c
+++ b/drivers/char/tty_ldisc.c
@@ -507,15 +507,12 @@ static void tty_ldisc_restore(struct tty_struct *tty, struct tty_ldisc *old)
  *	The TTY_LDISC flag being cleared ensures no further references can
  *	be obtained while the delayed work queue halt ensures that no more
  *	data is fed to the ldisc.
- *
- *	In order to wait for any existing references to complete see
- *	tty_ldisc_wait_idle.
  */
 
 static int tty_ldisc_halt(struct tty_struct *tty)
 {
 	clear_bit(TTY_LDISC, &tty->flags);
-	return cancel_delayed_work(&tty->buf.work);
+	return cancel_delayed_work_sync(&tty->buf.work);
 }
 
 /**
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ