lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:	Tue, 25 Jun 2013 13:33:34 -0700
From:	Davidlohr Bueso <davidlohr.bueso@...com>
To:	sedat.dilek@...il.com
Cc:	linux-next@...r.kernel.org, linux-kernel@...r.kernel.org,
	Stephen Rothwell <sfr@...b.auug.org.au>,
	Andrew Morton <akpm@...ux-foundation.org>,
	linux-mm <linux-mm@...ck.org>, Andi Kleen <andi@...stfloor.org>,
	Rik van Riel <riel@...hat.com>,
	Manfred Spraul <manfred@...orfullife.com>,
	Jonathan Gonzalez <jgonzalez@...ets.cl>
Subject: Re: linux-next: Tree for Jun 21 [ BROKEN ipc/ipc-msg ]

On Tue, 2013-06-25 at 18:10 +0200, Sedat Dilek wrote:
[...]

> I did some more testing with Linux-Testing-Project (release:
> ltp-full-20130503) and next-20130624 (Monday) which has still the
> issue, here.
> 
> If I revert the mentioned two commits from my local
> revert-ipc-next20130624-5089fd1c6a6a-ab9efc2d0db5 GIT repo, everything
> is fine.
> 
> I have tested the LTP ***IPC*** and ***SYSCALLS*** testcases.
> 
>    root# ./runltp -f ipc
> 
>    root# ./runltp -f syscalls

These are nice test cases!

So I was able to reproduce the issue with LTP and manually running
msgctl08. We seemed to be racing at find_msg(), so take to q_perm lock
before calling it. The following changes fixes the issue and passes all
'runltp -f syscall' tests, could you give it a try?

Thanks,
Davidlohr

diff --git a/ipc/msg.c b/ipc/msg.c
index a1cf70e..a1f7d84 100644
--- a/ipc/msg.c
+++ b/ipc/msg.c
@@ -895,6 +895,7 @@ long do_msgrcv(int msqid, void __user *buf, size_t bufsz, long msgtyp, int msgfl
                if (ipcperms(ns, &msq->q_perm, S_IRUGO))
                        goto out_unlock1;
 
+               ipc_lock_object(&msq->q_perm);
                msg = find_msg(msq, &msgtyp, mode);
                if (!IS_ERR(msg)) {
                        /*
@@ -903,7 +904,7 @@ long do_msgrcv(int msqid, void __user *buf, size_t bufsz, long msgtyp, int msgfl
                         */
                        if ((bufsz < msg->m_ts) && !(msgflg & MSG_NOERROR)) {
                                msg = ERR_PTR(-E2BIG);
-                               goto out_unlock1;
+                               goto out_unlock0;
                        }
                        /*
                         * If we are copying, then do not unlink message and do
@@ -911,10 +912,9 @@ long do_msgrcv(int msqid, void __user *buf, size_t bufsz, long msgtyp, int msgfl
                         */
                        if (msgflg & MSG_COPY) {
                                msg = copy_msg(msg, copy);
-                               goto out_unlock1;
+                               goto out_unlock0;
                        }
 
-                       ipc_lock_object(&msq->q_perm);
                        list_del(&msg->m_list);
                        msq->q_qnum--;
                        msq->q_rtime = get_seconds();
@@ -930,10 +930,9 @@ long do_msgrcv(int msqid, void __user *buf, size_t bufsz, long msgtyp, int msgfl
                /* No message waiting. Wait for a message */
                if (msgflg & IPC_NOWAIT) {
                        msg = ERR_PTR(-ENOMSG);
-                       goto out_unlock1;
+                       goto out_unlock0;
                }
 
-               ipc_lock_object(&msq->q_perm);
                list_add_tail(&msr_d.r_list, &msq->q_receivers);
                msr_d.r_tsk = current;
                msr_d.r_msgtype = msgtyp;


Thanks,
Davidlohr
> 
> IPC seems to be fine for both -1 (UNPATCHED) and -2 (with attached two
> REVERTED patches) kernel, but -1 hangs in the SYSCALLS/msgctl08 test.
> 
> Previous msgctl07 is OK, but ***msgctl08*** produces this:
> ...
> <<<test_start>>>
> tag=msgctl07 stime=1372174934
> cmdline="msgctl07"
> contacts=""
> analysis=exit
> <<<test_output>>>
> msgctl07    1  TPASS  :  msgctl07 ran successfully!
> <<<execution_status>>>
> initiation_status="ok"
> duration=20 termination_type=exited termination_id=0 corefile=no
> cutime=1995 cstime=3
> <<<test_end>>>
> <<<test_start>>>
> tag=msgctl08 stime=1372174954
> cmdline="msgctl08"
> contacts=""
> analysis=exit
> <<<test_output>>>
> msgctl08    0  TWARN  :  Verify error in child 0, *buf = 28, val = 27, size = 8
> msgctl08    1  TFAIL  :  in child 0 read # = 73,key =  127
> msgctl08    0  TWARN  :  Verify error in child 3, *buf = ffffff8a, val
> = ffffff89, size = 52
> msgctl08    1  TFAIL  :  in child 3 read # = 157,key =  189
> msgctl08    0  TWARN  :  Verify error in child 2, *buf = ffffff87, val
> = ffffff86, size = 71
> msgctl08    1  TFAIL  :  in child 2 read # = 15954,key =  3e86
> msgctl08    0  TWARN  :  Verify error in child 12, *buf = ffffffa9,
> val = ffffffa8, size = 22
> msgctl08    1  TFAIL  :  in child 12 read # = 12904,key =  32a8
> msgctl08    0  TWARN  :  Verify error in child 13, *buf = 36, val =
> 35, size = 27
> msgctl08    1  TFAIL  :  in child 13 read # = 10442,key =  2935
> msgctl08    0  TWARN  :  Verify error in child 10, *buf = ffffff86,
> val = ffffff85, size = 63
> msgctl08    1  TFAIL  :  in child 10 read # = 19713,key =  4d85
> msgctl08    0  TWARN  :  Verify error in child 4, *buf = 4c, val = 4b, size = 83
> msgctl08    1  TFAIL  :  in child 4 read # = 23082,key =  5a4b
> msgctl08    0  TWARN  :  Verify error in child 15, *buf = 61, val =
> 60, size = 94
> msgctl08    1  TFAIL  :  in child 15 read # = 23554,key =  5c60
> msgctl08    0  TWARN  :  Verify error in child 11, *buf = 3b, val =
> 3a, size = 22
> msgctl08    1  TFAIL  :  in child 11 read # = 26468,key =  683a
> msgctl08    0  TWARN  :  Verify error in child 5, *buf = ffffffb5, val
> = ffffffb4, size = 41
> msgctl08    1  TFAIL  :  in child 5 read # = 31867,key =  7cb4
> msgctl08    0  TWARN  :  Verify error in child 1, *buf = 7d, val = 7c, size = 59
> msgctl08    1  TFAIL  :  in child 1 read # = 41063,key =  a07c
> msgctl08    0  TWARN  :  Verify error in child 7, *buf = fffffff2, val
> = fffffff1, size = 83
> msgctl08    1  TFAIL  :  in child 7 read # = 38476,key =  96f1
> msgctl08    0  TWARN  :  Verify error in child 9, *buf = ffffff8b, val
> = ffffff8a, size = 40
> msgctl08    1  TFAIL  :  in child 9 read # = 90438,key =  1618a
> msgctl08    0  TWARN  :  Verify error in child 8, *buf = ffffffcd, val
> = ffffffcc, size = 38
> msgctl08    1  TFAIL  :  in child 8 read # = 88712,key =  15acc
> msgctl08    0  TWARN  :  Verify error in child 6, *buf = 6, val = 5, size = 1
> msgctl08    1  TFAIL  :  in child 6 read # = 83297,key =  14605
> ***** STOPPED *****
> 
> See "ltp-full-20130503.git/testcases/kernel/syscalls/ipc/msgctl/msgctl08.c" [1].
> 
> NOTE: Debian/Ubuntu users with dash as default shell require the patch from [2].
> 
> - Sedat -
> 
> P.S.: Unfortunately, fakeroot DEBUG doc file is outdated.
> 
> [1] https://github.com/linux-test-project/ltp/blob/master/testcases/kernel/syscalls/ipc/msgctl/msgctl08.c
> [2] https://github.com/linux-test-project/ltp/commit/b88fa5b6ec5a29834a0e52df7b22b9bb47fe0379


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ