From: Greg KH <gregkh@suse.de>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
linux-kernel@vger.kernel.org, stable@kernel.org,
stable-review@kernel.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, Al Viro <viro@ZenIV.linux.org.uk>,
Tavis Ormandy <taviso@google.com>, Jeff Dike <jdike@addtoit.com>,
Julien Tinnes <jln@google.com>, Matt Mackall <mpm@selenic.com>
Subject: Re: [06/11] tty: fix race in tty_fasync
Date: Tue, 26 Jan 2010 15:04:02 -0800
Message-ID: <20100126230402.GB24281@suse.de>
In-Reply-To: <alpine.LFD.2.00.1001261357390.3574@localhost.localdomain>
On Tue, Jan 26, 2010 at 02:11:28PM -0800, Linus Torvalds wrote:
>
>
> On Tue, 26 Jan 2010, Eric W. Biederman wrote:
>
> > Greg KH <gregkh@suse.de> writes:
> >
> > > 2.6.27-stable review patch. If anyone has any objections, please let us know.
> >
> > Only that __f_setown by way of f_modown unconditionally enables interrupts. So
> > without touching f_modown as well in mainline we have nasty sounding lockdep warnings.
>
> Hmm. That seems to be true in mainline too, isn't it?
>
> So now we have:
> - tty_fasync() gets tty->ctrl_lock, with spin_lock_irqsave()
>
> - it then calls __f_setown()
>
> - which calls f_modown(),
>
> - which does
>
> write_lock_irq(&filp->f_owner.lock);
> ..
> write_unlock_irq(&filp->f_owner.lock);
>
> which in turn enables interrupts while we still hold ctrl_lock.
>
> so that whole commit 70362511806 was/is buggy in mainline too.
>
> The minimal fix is likely to just make f_modown() use
> write_lock_irqsave/restore. Greg?
Yes, that looks correct.
Here's a patch that does just that:
---------
From: Greg Kroah-Hartman <gregkh@suse.de>
Subject: fcntl: f_modown should call write_lock_irqsave/restore
Commit 703625118069f9f8960d356676662d3db5a9d116 exposed that f_modown()
should call write_lock_irqsave instead of just write_lock_irq, because a
caller could have a spinlock held and it would not be good to re-enable
interrupts.
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: Tavis Ormandy <taviso@google.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
diff --git a/fs/fcntl.c b/fs/fcntl.c
index 97e01dc..5ef953e 100644
--- a/fs/fcntl.c
+++ b/fs/fcntl.c
@@ -199,7 +199,9 @@ static int setfl(int fd, struct file * filp, unsigned long arg)
static void f_modown(struct file *filp, struct pid *pid, enum pid_type type,
int force)
{
- write_lock_irq(&filp->f_owner.lock);
+ unsigned long flags;
+
+ write_lock_irqsave(&filp->f_owner.lock, flags);
if (force || !filp->f_owner.pid) {
put_pid(filp->f_owner.pid);
filp->f_owner.pid = get_pid(pid);
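Review bot: the save/restore pair is the right minimal fix, and the one thing to confirm is that nothing between `write_lock_irqsave(&filp->f_owner.lock, flags);` and the restore in the next hunk returns early, since lines 204-212 of the function are not in the diff context; the visible branch only assigns into filp->f_owner, so the lock and the saved interrupt state both reach the unlock. Declaring `unsigned long flags;` as the first declaration in the block keeps the function C89-clean, and because the irqsave variant restores whatever state the caller had, f_modown() now stays correct when called under tty->ctrl_lock taken with spin_lock_irqsave() (the __f_setown() path Linus traces above) as well as from callers that run with interrupts enabled.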
@@ -211,7 +213,7 @@ static void f_modown(struct file *filp, struct pid *pid, enum pid_type type,
filp->f_owner.euid = cred->euid;
}
}
- write_unlock_irq(&filp->f_owner.lock);
+ write_unlock_irqrestore(&filp->f_owner.lock, flags);
}
int __f_setown(struct file *filp, struct pid *pid, enum pid_type type,
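As an added illustration of the interrupt-state problem traced in the quoted message, the following userspace C model is not kernel code and is not part of Greg's patch. It replaces the arch helpers behind spin_lock_irqsave()/write_lock_irq() with plain flags so the invariant "interrupts stay disabled while ctrl_lock is held" can be checked outside the kernel, once with f_modown() as it was before the patch and once with the irqsave/irqrestore version. All names in it (`run_tty_fasync`, `f_modown_before`, `f_modown_after`, `check_invariant`, the simulated lock and irq variables) are constructed for the example.

```c
/* Constructed userspace model of the nested-lock interrupt bug discussed in
 * this thread. Not kernel code: local_irq_* and the two locks are modelled
 * with plain integers so the lockdep-style invariant can be checked here. */
#include <stdbool.h>
#include <stdio.h>

/* Simulated CPU interrupt flag: true == interrupts enabled. */
static bool irqs_enabled = true;

/* Simulated locks: true == currently held. */
static bool ctrl_lock_held;
static bool f_owner_lock_held;

/* Set if interrupts were ever observed enabled while ctrl_lock was held,
 * which is the condition the real lockdep complains about. */
static bool violation_seen;

static void check_invariant(void)
{
    if (ctrl_lock_held && irqs_enabled)
        violation_seen = true;
}

/* Models of the arch helpers; the real ones manipulate CPU flags. */
static unsigned long local_irq_save(void)
{
    unsigned long flags = irqs_enabled;   /* remember caller's state */
    irqs_enabled = false;
    return flags;
}

static void local_irq_restore(unsigned long flags)
{
    irqs_enabled = (bool)flags;           /* put caller's state back */
    check_invariant();
}

static void local_irq_disable(void) { irqs_enabled = false; }

static void local_irq_enable(void)
{
    irqs_enabled = true;                  /* unconditional enable */
    check_invariant();
}

/* f_modown() before the patch: write_lock_irq()/write_unlock_irq(). */
static void f_modown_before(void)
{
    local_irq_disable();                  /* write_lock_irq() */
    f_owner_lock_held = true;
    /* ... update filp->f_owner ... */
    f_owner_lock_held = false;
    local_irq_enable();                   /* write_unlock_irq() re-enables */
}

/* f_modown() after the patch: write_lock_irqsave()/write_unlock_irqrestore(). */
static void f_modown_after(void)
{
    unsigned long flags = local_irq_save(); /* write_lock_irqsave() */
    f_owner_lock_held = true;
    /* ... update filp->f_owner ... */
    f_owner_lock_held = false;
    local_irq_restore(flags);             /* write_unlock_irqrestore() */
}

/* Models the tty_fasync() path: take ctrl_lock with spin_lock_irqsave(),
 * call __f_setown() -> f_modown(), release. Returns true if interrupts
 * were enabled at any point while ctrl_lock was held. */
static bool run_tty_fasync(void (*f_modown)(void))
{
    unsigned long flags;

    irqs_enabled = true;                  /* process context, irqs on */
    violation_seen = false;

    flags = local_irq_save();             /* spin_lock_irqsave(&tty->ctrl_lock) */
    ctrl_lock_held = true;

    f_modown();                           /* __f_setown() -> f_modown() */
    check_invariant();                    /* still inside the ctrl_lock section */

    ctrl_lock_held = false;
    local_irq_restore(flags);             /* spin_unlock_irqrestore() */
    return violation_seen;
}

int main(void)
{
    printf("before patch: violation=%d\n", run_tty_fasync(f_modown_before));
    printf("after patch:  violation=%d\n", run_tty_fasync(f_modown_after));
    return 0;
}
```

The pre-patch variant reports a violation because write_unlock_irq() turns interrupts back on while the outer spinlock is still held; the irqsave/irqrestore variant hands the caller's saved state back, so the outer critical section stays interrupt-safe and the caller's own irqrestore is the one that re-enables interrupts.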