Re: 2.6.23-rc6-mm1: IPC: sleeping function called ...

[Nadia Derbey <Nadia.Derbey@bull.net>]

Jarek Poplawski wrote:
> On Fri, Sep 21, 2007 at 01:03:47PM +0200, Jarek Poplawski wrote:
> ...
> 
>>I hope not! But, then it would be probably another logical trick:
>>ipc_rcu_getref/putref() seems to prevent kfreeing of a structure, so
>>if it's used in do_msgsnd() there should be a risk something can do
>>this kfree at this moment, and it seems freeque() is the only one,
>>which both: can do this and cares for this refcount. Then, e.g., if
>>any of them does ipc_rcu_getref() a bit later and sees old (cached)
>>value - kfree can be skipped forever. [...]
> 
> 
> After rethinking, this scenario seems to be wrong or very unprobable
> (I'm not sure of all ways "if (--container...)" could be compiled),
> so there should be no such risk - double kfree/vfree is more probable,
> so no danger. More likely is such refcount abuse: ipc_rcu_getref() in
> do_msgsnd() done a bit after ipc_rcu_putref() in freeque() (msq
> pointer acquired by do_msgsend() before freeque() started); then,
> after schedule(), do_msgsnd() can work with kfreed msq_queue structure
> (at least considering classic RCU).
> 

If msgsnd() acquires the pointer first, it does it under lock + 
rcu_getref(). ==> refcount = 2
When schedule() is called if freeque() takes the pointer it will call 
msg_rmid() that sets the deleted field in the msg queue. When the lock 
is released by freeque(), we have either 1) or 2):
1) freeque()'s putref called 1st ==> refocunt = 1
    Then msgsnd()'s lock_by_ptr() is called ==> rcu lock
    Then msgsnd()'s putref is called ==> refcount = 0
    But this is done under RCU lock, so should be no problem
    Then the deleted field is checked ==> return
2) msgsnd()'s lock_by_ptr() is called ==> rcu lock
    Then we don't mind in which order are done the other operations
    since we under rcu_lock: the structure won't disappear till we test
    the deleted field.

Regards,
Nadia