| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20120103044933.GA31778@localhost>
Date: Tue, 3 Jan 2012 12:49:33 +0800
From: Wu Fengguang <fengguang.wu@...el.com>
To: Chanho Min <chanho.min@....com>
Cc: linux-mm@...ck.org, linux-kernel@...r.kernel.org,
'Jens Axboe' <axboe@...nel.dk>,
'Andrew Morton' <akpm@...ux-foundation.org>,
Rabin Vincent <rabin.vincent@...ricsson.com>,
Linus Walleij <linus.walleij@...aro.org>
Subject: Re: [PATCH] mm/backing-dev.c: fix crash when USB/SCSI device is
detached
On Tue, Jan 03, 2012 at 12:23:44PM +0900, Chanho Min wrote:
> >On Mon, Jan 02, 2012 at 06:38:21PM +0900, ����ȣ wrote:
> >> from Chanho Min <chanho.min@....com>
> >>
> >> System may crash in backing-dev.c when removal SCSI device is detached.
> >> bdi task is killed by bdi_unregister()/'khubd', but task's point remains.
> >> Shortly afterward, If 'wb->wakeup_timer' is expired before
> >> del_timer()/bdi_forker_thread,
> >> wakeup_timer_fn() may wake up the dead thread which cause the crash.
> >> 'bdi->wb.task' should be NULL as this patch.
> >
> >Is it some race condition between del_timer() and del_timer_sync()?
> >
> >bdi_unregister() calls
> >
> > del_timer_sync
> > bdi_wb_shutdown
> > kthread_stop
> >
> >in turn, and del_timer_sync() should guarantee wakeup_timer_fn() is
> >no longer called to access the stopped task.
> >
>
> It is not race condition. This happens when USB is removed during write-access.
> bdi_wakeup_thread_delayed is called after kthread_stop, and timer is activated again.
>
> bdi_unregister
> kthread_stop
> bdi_wakeup_thread_delayed (sys_write mostly calls this)
> timer fires
Ah OK, the timer could be restarted in the mean while, which breaks
the synchronization rule in del_timer_sync().
I noticed a related fix is merged recently, does your test kernel
contain this commit?
commit 7a401a972df8e184b3d1a3fc958c0a4ddee8d312
Author: Rabin Vincent <rabin.vincent@...ricsson.com>
Date: Fri Nov 11 13:29:04 2011 +0100
backing-dev: ensure wakeup_timer is deleted
> Anyway,Is this safeguard to prevent from waking up killed thread?
This patch makes no guarantee wakeup_timer_fn() will see NULL
bdi->wb.task before the task is stopped, so there is still race
conditions. And still, the complete fix would be to prevent
wakeup_timer_fn() from being called at all.
Thanks,
Fengguang
> >> Signed-off-by: Chanho Min <chanho.min@....com>
> >> ---
> >> mm/backing-dev.c | 1 +
> >> 1 files changed, 1 insertions(+), 0 deletions(-)
> >>
> >> diff --git a/mm/backing-dev.c b/mm/backing-dev.c
> >> index 71034f4..4378a5e 100644
> >> --- a/mm/backing-dev.c
> >> +++ b/mm/backing-dev.c
> >> @@ -607,6 +607,7 @@ static void bdi_wb_shutdown(struct backing_dev_info
> >> *bdi)
> >> if (bdi->wb.task) {
> >> thaw_process(bdi->wb.task);
> >> kthread_stop(bdi->wb.task);
> >> + bdi->wb.task = NULL;
> >> }
> >> }
> >>
> >> --
> >> 1.7.0.4
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists