lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAM_iQpVu6VwE8sKTdTk8FJDsoG+od8YEJfBEU7cp5tdN9rTaZQ@mail.gmail.com>
Date:   Mon, 30 Oct 2017 18:28:32 -0700
From:   Cong Wang <xiyou.wangcong@...il.com>
To:     Linus Torvalds <torvalds@...ux-foundation.org>
Cc:     Al Viro <viro@...iv.linux.org.uk>,
        Andrew Morton <akpm@...ux-foundation.org>,
        linux-fsdevel <linux-fsdevel@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>
Subject: Re: Kernel crash in free_pipe_info()

On Mon, Oct 30, 2017 at 3:14 PM, Linus Torvalds
<torvalds@...ux-foundation.org> wrote:
> On Mon, Oct 30, 2017 at 1:58 PM, Cong Wang <xiyou.wangcong@...il.com> wrote:
>>
>> We got more than a dozen of kernel crashes at free_pipe_info() on our
>> 4.1 kernel, they are all very similar to this one (with slightly
>> different faulty addresses):
>
> Were it not for the pointer to the much more recent powerpc version at
>
>     https://www.spinics.net/lists/kernel/msg2616441.html
>
> that you referenced, I'd be inclined to ignore this as much too old.
> Al fixed a number of issues with splice() some time ago.
>
> And honestly, splice() is pretty much the only thing that I can think
> of that can trigger issues wrt the pipe_inode_info structure.
>
> But as you say, we've had subtle races just due to the named pipes:


It is unlikely that we use splice() or named pipes, I highly suspect it
is caused by the pipe(), although stack traces can't tell.


>
>> Although it is too early to blame your commit b0d8d2292160 ("vfs: fix
>> subtle use-after-free of pipe_inode_info"), it is probably related.
>
> I do hate the games we play with the stupid pipe_inode_info. The way
> we have locking in the inode, instead of in the pipe_inode_info
> itself.
>
> There are hysterical raisins for that, and due to names piped we have
> to keep the reference to the pipe_inode_info in the inode, but it's
> still very very annoying.
>
> Al, do you see anything?
>
> Cong, do you have any way to trigger these? Is there any pattern to
> when they happen or what is going on when they do?
>

I have no idea how this was triggered, all of the stack traces are reported
by ABRT service on each host.

Note, since kdump is not properly config'ed, there could be even more
machines crashed silently in a corner without even an ABRT report.

I will try to gather more information.

Thanks!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ