From: Peter Hurley <peter@hurleysoftware.com>
To: Linus Torvalds <torvalds@linux-foundation.org>,
Dave Jones <davej@redhat.com>, Al Viro <viro@zeniv.linux.org.uk>,
Oleg Nesterov <oleg@redhat.com>
Cc: Linux Kernel <linux-kernel@vger.kernel.org>,
Davide Libenzi <davidel@xmailserver.org>,
Eric Wong <normalperson@yhbt.net>,
Pekka Enberg <penberg@cs.helsinki.fi>
Subject: Re: epoll oops.
Date: Wed, 23 Oct 2013 09:43:39 -0400 [thread overview]
Message-ID: <5267D28B.5020805@hurleysoftware.com> (raw)
In-Reply-To: <CA+55aFxOpT9YLf7WLM+SOsp5U2R1-Px0LiEsdqV0Adr897dOqQ@mail.gmail.com>
On 10/14/2013 04:57 PM, Linus Torvalds wrote:
> [ Adding Pekka to verify the SLAB_DESTROY_BY_RCU semantics, and Peter
> Hurley due to the possible tty association ]
> And I see a few worrisome cases. For example, look at "tty_poll()". It
> ends up doing something very similar, except it uses the tty instead
> of sighand. And exactly like the sighand struct, the tty allocation
> lifespan can - thanks to hangup() - be shorter than the file
> allocation lifespan.
>
> Peter? Does a tty hangup end up actually possibly freeing the tty
> struct? Looking at it, I'm starting to think that it only affects
> f_op, and the "struct tty" stays around, in which case this is all
> fine.
The tty_struct is only freed at the completion of the tty's
file_operations .release method (tty_release()). Further, it should
not be possible to advance past the tty_ldisc_release() call in
tty_release() while file operations such as tty_poll() -> poll_wait()
or a tty hangup are in-progress.
[Notwithstanding the above, if some kernel driver failed to acquire
a tty reference, either directly or via tty_port_tty_hangup(), before
hanging up, then the hangup could be racing with the .release(). But
I don't think that's what's happening here.]
On 10/15/2013 11:48 AM, Oleg Nesterov wrote:>> Hmm? There might be other cases..
>
> Yes.
>
> Dave, perhaps you have vmcore? I have no idea if this is possible or
> not, but perhaps you can look at eventpoll_release_file's frame and
> print file->f_op ?
I think Oleg's suggestion is the next diagnostic step.
Regards,
Peter Hurley
prev parent reply other threads:[~2013-10-23 13:43 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-10-14 15:46 epoll oops Dave Jones
2013-10-14 17:31 ` Linus Torvalds
2013-10-14 19:17 ` Oleg Nesterov
2013-10-14 20:57 ` Linus Torvalds
2013-10-15 15:48 ` Oleg Nesterov
2013-10-15 19:28 ` Dave Jones
2013-10-16 22:39 ` Eric Wong
2013-10-17 13:53 ` Oleg Nesterov
2013-10-23 9:08 ` Pekka Enberg
2013-10-23 13:43 ` Peter Hurley [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5267D28B.5020805@hurleysoftware.com \
--to=peter@hurleysoftware.com \
--cc=davej@redhat.com \
--cc=davidel@xmailserver.org \
--cc=linux-kernel@vger.kernel.org \
--cc=normalperson@yhbt.net \
--cc=oleg@redhat.com \
--cc=penberg@cs.helsinki.fi \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.