From: Oleg Nesterov <oleg@tv-sign.ru>
To: Valdis.Kletnieks@vt.edu
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
Andrew Morton <akpm@linux-foundation.org>,
roland@redhat.com, linux-kernel@vger.kernel.org,
Pavel Emelyanov <xemul@openvz.org>,
Kamalesh Babulal <kamalesh@linux.vnet.ibm.com>,
Alan Cox <alan@lxorguk.ukuu.org.uk>
Subject: Re: tty && pid problems
Date: Wed, 20 Feb 2008 19:28:58 +0300 [thread overview]
Message-ID: <20080220162858.GC146@tv-sign.ru> (raw)
In-Reply-To: <20080220161823.GB146@tv-sign.ru>
(sorry, the previous message was not finished)
On 02/20, Oleg Nesterov wrote:
>
> (Change the subject, cc Alan)
>
> On 02/19, Valdis.Kletnieks@vt.edu wrote:
> >
> > On Sun, 17 Feb 2008 21:11:14 MST, Eric W. Biederman said:
> > > Oleg Nesterov <oleg@tv-sign.ru> writes:
> > > > On 02/16, Oleg Nesterov wrote:
> > > >> On 02/15, Andrew Morton wrote:
> > > >> > : BUG: unable to handle kernel paging request at 0000000000200200
> >
> > > >> > : Call Trace:
> > > >> > : [<ffffffff80237727>] ? release_task+0x152/0x2e5
> > > >> > : [<ffffffff80237f81>] ? do_wait+0x6c7/0xa1c
> > > >> > : [<ffffffff8022f4cc>] ? default_wake_function+0x0/0xe
> > > >> > : [<ffffffff8023e670>] ? sys_rt_sigaction+0x7a/0x98
> > > >> > : [<ffffffff80238360>] ? sys_wait4+0x8a/0xa1
> > > >> > : [<ffffffff8020be4b>] ? system_call_after_swapgs+0x7b/0x80
> >
> > > Thanks. Looks like we need to grab a lock there.
> > > At a quick skim I think we need the tty lock.
> >
> > *ping* - Any further activity on this one? I got bit by it as well on
> > the very first attempted boot of 25-rc2-mm1, the instant it tried to leave
> > single-user and go multi-user.
>
> Valdis, any chance you can try the
> "[PATCH] (for -mm only) put_pid: make sure we don't free the live pid"
> I sent? just to make sure we don't have other problems here.
I think you can revert the tty-bkl-pushdown.patch. Or, as Eric suggested, just
revert this
@@ -1222,7 +1221,7 @@ static const struct file_operations tty_
.read = tty_read,
.write = tty_write,
.poll = tty_poll,
- .ioctl = tty_ioctl,
+ .unlocked_ioctl = tty_ioctl,
.compat_ioctl = tty_compat_ioctl,
.open = tty_open,
.release = tty_release,
@@ -1235,7 +1234,7 @@ static const struct file_operations ptmx
.read = tty_read,
.write = tty_write,
.poll = tty_poll,
- .ioctl = tty_ioctl,
+ .unlocked_ioctl = tty_ioctl,
.compat_ioctl = tty_compat_ioctl,
.open = ptmx_open,
.release = tty_release,
@@ -1248,7 +1247,7 @@ static const struct file_operations cons
.read = tty_read,
.write = redirected_tty_write,
.poll = tty_poll,
- .ioctl = tty_ioctl,
+ .unlocked_ioctl = tty_ioctl,
.compat_ioctl = tty_compat_ioctl,
.open = tty_open,
.release = tty_release,
@@ -1260,7 +1259,7 @@ static const struct file_operations hung
.read = hung_up_tty_read,
.write = hung_up_tty_write,
.poll = hung_up_tty_poll,
- .ioctl = hung_up_tty_ioctl,
+ .unlocked_ioctl = hung_up_tty_ioctl,
.compat_ioctl = hung_up_tty_compat_ioctl,
.release = tty_release,
};
chunk. I'd prefer to know what Alan's opinion.
HOWEVER. We have another bug here, and this bug is old.
When tiocspgrp() does put_pid(real_tty->pgrp), it is possible that real_tty
has the last reference, and the pid will be actually freed. This means that
tiocgpgrp() and do_task_stat() are not safe (rcu_read_lock() can't help).
We can read the freed/reused memory, and since pid_nr_ns() is not trivial
the kernel can crash. Unlikely, but possible. We need the lock.
Oleg.
next prev parent reply other threads:[~2008-02-20 16:39 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-02-15 18:02 [PATCH] do_signal_stop: use signal_group_exit() Oleg Nesterov
2008-02-16 3:37 ` Andrew Morton
2008-02-16 14:02 ` Oleg Nesterov
2008-02-17 23:10 ` Oleg Nesterov
2008-02-18 4:11 ` Eric W. Biederman
2008-02-19 23:39 ` Valdis.Kletnieks
2008-02-20 16:14 ` [PATCH] (for -mm only) put_pid: make sure we don't free the live pid Oleg Nesterov
2008-02-20 16:18 ` tty && pid problems Oleg Nesterov
2008-02-20 16:19 ` Alan Cox
2008-02-22 1:39 ` Eric W. Biederman
2008-02-22 9:37 ` Alan Cox
2008-02-20 16:28 ` Oleg Nesterov [this message]
2008-02-20 19:00 ` Jiri Slaby
2008-02-20 2:32 ` [PATCH] do_signal_stop: use signal_group_exit() Eric W. Biederman
2008-02-16 15:09 ` [PATCH] free_pidmap: turn it into free_pidmap(struct upid *) Oleg Nesterov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080220162858.GC146@tv-sign.ru \
--to=oleg@tv-sign.ru \
--cc=Valdis.Kletnieks@vt.edu \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=ebiederm@xmission.com \
--cc=kamalesh@linux.vnet.ibm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=roland@redhat.com \
--cc=xemul@openvz.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.