lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Sat, 2 Jun 2012 11:38:06 -0700
From:	Linus Torvalds <torvalds@...ux-foundation.org>
To:	Eric Dumazet <eric.dumazet@...il.com>
Cc:	Alan Cox <alan@...rguk.ukuu.org.uk>,
	Alan Cox <alan@...ux.intel.com>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	Jens Axboe <jaxboe@...ionio.com>
Subject: Re: [PATCH] tty: add lockdep annotations

On Sat, Jun 2, 2012 at 5:30 AM, Eric Dumazet <eric.dumazet@...il.com> wrote:
>
> With following debugging patch I now have crashes at every boot, so it
> might be more easy to find the bug :

I'm seeing *something* odd.

We call tty_shutdown() without holding the tty_mutex as far as I can
tell. Which means that we remove the tty from the tty lists with *no*
serialization with looking them up.

The fact that we lock the tty *after* we have found it is kind of
irrelevant. By then it's too late.

And I think this is the fundamental bug that was introduced in commit
d29f3ef39be4 ("tty_lock: Localise the lock"). We *used* to do
tty_lock() before the lookup - early in tty_open(). And we held it
until the very end of tty_release(), so the tty lock actually
protected the lookup of the tty.

That's simply not true any more. The comments for
tty_driver_remove_tty() say "Locking: tty_mutex for now", but that's
just garbage and wishful thinking. The callers don't actually hold
tty_mutex, and never have. Sure, some of them may do so (there's a lot
of potential callers through tty_kref_put()) but most of them
definitely don't. Look at tty_release(), most of the final refcounts
will be dropped after the mutex_unlock(&tty_mutex) afaik.

I'm pretty sure this is the bug. And there's no way we can make
'tty_mutex' protect every tty_kref_put(). So I think we have two
options:

 - revert all the tty locking changes

 - make a new global lock that protects just driver->ops->lookup(),
driver->ttys[idx], and driver->ops->remove()

Hmm?

         Linus
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ