From: Akinobu Mita <mita@miraclelinux.com>
To: linux-kernel@vger.kernel.org
Subject: [BUG 2.4] NFS unlocking operation accesses invalid file struct
Date: Tue, 25 Nov 2003 20:00:32 +0900	[thread overview]
Message-ID: <200311252000.32094.mita@miraclelinux.com> (raw)

Hi,

I'm investigating the reliability of the NFS locking.
I noticed a possible NFS locking related crash in the following situation:

process A
process B
  -- A and B are sharing task's fd array.
     (clone()d with CLONE_FILES)

file F
  -- The file on NFS

file descriptor p (equivalent to file struct P)
file descriptor q (equivalent to file struct Q)

  -- p and q are individual file descriptors for the file F
     (not dup()-ed)

file lock L

  -- The file lock L has been locked via fcntl() for the file descriptor q by
     the process B (connects with file struct Q)


1. The process A closes the file descriptor p.

In filp_close(), the process A closes file struct P, it unlocks all the
file locks related to the i-node of the file F, which are held by the
processes sharing the same fd array process A refers to. (locks_remove_posix)

2. The process A unlocks the file lock L.

First of all, the process A removes the file lock L from the list of the
file locks related to the i-node of the file F. Then, it calls the `nfs_lock'
to do the unlocking operation for its file-system dependent operation.

3. While executing the `nfs_lock' with an RPC procedure, the process A
   sleeps there for a while.

On the other side.
4. The process B closes the file descriptor q.

Because process A has already removed the entry of the file lock from the list,
process B cannot find the entry, so it just exits without doing anything about
the list.
The system treats the closing operation carried out by the process B as done,
while the process A is sleeping.
The process B invalidates the file struct Q because it is no longer needed.

But, the process A has not finished the operation of the unlocking 
for file lock L yet.

5. When the process A wakes up, it attempts to execute remaining unlocking
   works, and accesses the file struct Q.

Because the file struct Q is no longer valid, it is likely to cause NULL
pointer dereference.
Also, the file struct Q might be used by other files. In this case, data
contradiction would happen.

Does anyone have an idea of how to fix it?

Regards,
-- 
Akinobu Mita
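The interleaving in the report, reduced to a deterministic single-threaded model as an added example (this is not code from the report or from the kernel). The five steps run in the order the message describes: A unlinks L from the inode list, blocks in the file-system unlock, B closes q and drops Q, and A then touches Q. `run_scenario(true)` additionally holds a reference on the file struct across the blocking step, which is an assumed mitigation for illustration, not the fix discussed in this thread; the struct names, the refcount field and the `freed` flag are likewise assumptions of the model.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the race in the report: one file F, a file struct Q
 * in a shared fd table, a POSIX lock L taken through Q, and process A's
 * unlock racing with process B's close(). Not kernel code. */

struct file_struct {
    const char *name;
    int refcount;   /* analogue of the kernel's f_count (assumed) */
    bool freed;     /* set instead of calling free(), so a stale access is detectable safely */
};

struct file_lock {
    struct file_struct *fl_file;  /* file struct the lock was taken through (Q) */
    bool on_inode_list;           /* whether L is still linked on F's inode lock list */
};

/* fput() analogue: drop one reference; the struct becomes invalid at zero. */
static void file_put(struct file_struct *f)
{
    if (--f->refcount == 0)
        f->freed = true;
}

/* get_file() analogue: take one more reference. */
static void file_get(struct file_struct *f)
{
    f->refcount++;
}

/* Step 4: process B closes q. The lock cleanup finds nothing because A has
 * already unlinked L, so only the file struct reference is dropped. */
static void process_b_close(struct file_lock *L)
{
    if (L->on_inode_list)        /* would release L here in the normal case */
        L->on_inode_list = false;
    file_put(L->fl_file);
}

/* Steps 2, 3 and 5 as seen by process A. Returns true if A dereferenced a
 * file struct that had already been released (the reported bug). */
static bool process_a_unlock(struct file_lock *L, bool pin_reference)
{
    /* Step 2: L leaves the inode list before the fs-specific unlock runs */
    L->on_inode_list = false;

    /* Assumed mitigation: keep Q alive while the RPC is outstanding */
    if (pin_reference)
        file_get(L->fl_file);

    /* Step 3: nfs_lock blocks in an RPC; step 4 happens meanwhile */
    process_b_close(L);

    /* Step 5: A resumes and uses the file struct the lock refers to */
    bool stale = L->fl_file->freed;

    if (pin_reference)
        file_put(L->fl_file);
    return stale;
}

/* Builds Q and L fresh, runs the interleaving, and reports whether A
 * touched an invalidated file struct. */
bool run_scenario(bool pin_reference)
{
    struct file_struct Q = { "Q", 1, false };
    struct file_lock L = { &Q, true };
    return process_a_unlock(&L, pin_reference);
}

int main(void)
{
    printf("without reference: stale access = %d\n", run_scenario(false));
    printf("with reference:    stale access = %d\n", run_scenario(true));
    return 0;
}
```

The model keeps the `freed` flag rather than really freeing Q, so the stale access is observable without undefined behaviour; in the kernel the same step would be the NULL dereference or the reuse-by-another-file case the report describes.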


Thread overview: 7+ messages
2003-11-25 11:00 Akinobu Mita [this message]
2003-11-26  0:35 ` [BUG 2.4] NFS unlocking operation accesses invalid file struct Trond Myklebust
2003-11-27 11:54   ` Akinobu Mita
2003-11-27 15:15     ` Gene Heskett
2003-11-27 16:23     ` Trond Myklebust
2003-12-10  1:06       ` Akinobu Mita
2003-12-10  1:27         ` hanasaki