| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20080220162858.GC146@tv-sign.ru> Date: Wed, 20 Feb 2008 19:28:58 +0300 From: Oleg Nesterov <oleg@...sign.ru> To: Valdis.Kletnieks@...edu Cc: "Eric W. Biederman" <ebiederm@...ssion.com>, Andrew Morton <akpm@...ux-foundation.org>, roland@...hat.com, linux-kernel@...r.kernel.org, Pavel Emelyanov <xemul@...nvz.org>, Kamalesh Babulal <kamalesh@...ux.vnet.ibm.com>, Alan Cox <alan@...rguk.ukuu.org.uk> Subject: Re: tty && pid problems (sorry, the previous message was not finished) On 02/20, Oleg Nesterov wrote: > > (Change the subject, cc Alan) > > On 02/19, Valdis.Kletnieks@...edu wrote: > > > > On Sun, 17 Feb 2008 21:11:14 MST, Eric W. Biederman said: > > > Oleg Nesterov <oleg@...sign.ru> writes: > > > > On 02/16, Oleg Nesterov wrote: > > > >> On 02/15, Andrew Morton wrote: > > > >> > : BUG: unable to handle kernel paging request at 0000000000200200 > > > > > >> > : Call Trace: > > > >> > : [<ffffffff80237727>] ? release_task+0x152/0x2e5 > > > >> > : [<ffffffff80237f81>] ? do_wait+0x6c7/0xa1c > > > >> > : [<ffffffff8022f4cc>] ? default_wake_function+0x0/0xe > > > >> > : [<ffffffff8023e670>] ? sys_rt_sigaction+0x7a/0x98 > > > >> > : [<ffffffff80238360>] ? sys_wait4+0x8a/0xa1 > > > >> > : [<ffffffff8020be4b>] ? system_call_after_swapgs+0x7b/0x80 > > > > > Thanks. Looks like we need to grab a lock there. > > > At a quick skim I think we need the tty lock. > > > > *ping* - Any further activity on this one? I got bit by it as well on > > the very first attempted boot of 25-rc2-mm1, the instant it tried to leave > > single-user and go multi-user. > > Valdis, any chance you can try the > "[PATCH] (for -mm only) put_pid: make sure we don't free the live pid" > I sent? just to make sure we don't have other problems here. I think you can revert the tty-bkl-pushdown.patch. Or, as Eric suggested, just revert this @@ -1222,7 +1221,7 @@ static const struct file_operations tty_ .read = tty_read, .write = tty_write, .poll = tty_poll, - .ioctl = tty_ioctl, + .unlocked_ioctl = tty_ioctl, .compat_ioctl = tty_compat_ioctl, .open = tty_open, .release = tty_release, @@ -1235,7 +1234,7 @@ static const struct file_operations ptmx .read = tty_read, .write = tty_write, .poll = tty_poll, - .ioctl = tty_ioctl, + .unlocked_ioctl = tty_ioctl, .compat_ioctl = tty_compat_ioctl, .open = ptmx_open, .release = tty_release, @@ -1248,7 +1247,7 @@ static const struct file_operations cons .read = tty_read, .write = redirected_tty_write, .poll = tty_poll, - .ioctl = tty_ioctl, + .unlocked_ioctl = tty_ioctl, .compat_ioctl = tty_compat_ioctl, .open = tty_open, .release = tty_release, @@ -1260,7 +1259,7 @@ static const struct file_operations hung .read = hung_up_tty_read, .write = hung_up_tty_write, .poll = hung_up_tty_poll, - .ioctl = hung_up_tty_ioctl, + .unlocked_ioctl = hung_up_tty_ioctl, .compat_ioctl = hung_up_tty_compat_ioctl, .release = tty_release, }; chunk. I'd prefer to know what Alan's opinion. HOWEVER. We have another bug here, and this bug is old. When tiocspgrp() does put_pid(real_tty->pgrp), it is possible that real_tty has the last reference, and the pid will be actually freed. This means that tiocgpgrp() and do_task_stat() are not safe (rcu_read_lock() can't help). We can read the freed/reused memory, and since pid_nr_ns() is not trivial the kernel can crash. Unlikely, but possible. We need the lock. Oleg. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists