From: Andrew Morton <akpm@linux-foundation.org>
To: Vasiliy Kulikov <segoon@openwall.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Manuel Lauss <manuel.lauss@googlemail.com>,
linux-kernel@vger.kernel.org, Richard Weinberger <richard@nod.at>,
Marc Zyngier <maz@misterjones.org>, Ingo Molnar <mingo@elte.hu>,
kernel-hardening@lists.openwall.com,
"Paul E. McKenney" <paul.mckenney@linaro.org>
Subject: Re: [PATCH] shm: fix a race between shm_exit() and shm_init()
Date: Tue, 2 Aug 2011 13:33:56 -0700 [thread overview]
Message-ID: <20110802133356.79e80b91.akpm@linux-foundation.org> (raw)
In-Reply-To: <20110802124530.GA2543@albatros>
On Tue, 2 Aug 2011 16:45:30 +0400
Vasiliy Kulikov <segoon@openwall.com> wrote:
> On thread exit shm_exit() is called, it uses shm_ids(ns).rw_mutex.
You meant shm_exit_ns().
> It is initialized in shm_init(), but it is not called yet at the moment
> of kernel threads exit. Some kernel threads are created in
> do_pre_smp_initcalls(), and shm_init() is called in do_initcalls().
>
> Static initialization of shm_ids(init_ipc_ns).rw_mutex fixes the race.
>
> It fixes a kernel oops:
>
> Unable to handle kernel NULL pointer dereference at virtual address 00000000
> ...
> [<c0320090>] (__down_write_nested+0x88/0xe0) from [<c015da08>] (exit_shm+0x28/0x48)
> [<c015da08>] (exit_shm+0x28/0x48) from [<c002e550>] (do_exit+0x59c/0x750)
> [<c002e550>] (do_exit+0x59c/0x750) from [<c003eaac>] (____call_usermodehelper+0x13c/0x154)
> [<c003eaac>] (____call_usermodehelper+0x13c/0x154) from [<c000f630>] (kernel_thread_exit+0x0/0x8)
> Code: 1afffffa e597c00c e58d0000 e587d00c (e58cd000)
>
> ...
>
> --- a/ipc/msgutil.c
> +++ b/ipc/msgutil.c
> @@ -20,6 +20,9 @@
>
> DEFINE_SPINLOCK(mq_lock);
>
> +#define INIT_IPC_SHM_IDS(name) \
> + { .rw_mutex = __RWSEM_INITIALIZER(name.rw_mutex), }
> +
> /*
> * The next 2 defines are here bc this is the only file
> * compiled when either CONFIG_SYSVIPC and CONFIG_POSIX_MQUEUE
> @@ -27,6 +30,9 @@ DEFINE_SPINLOCK(mq_lock);
> */
> struct ipc_namespace init_ipc_ns = {
> .count = ATOMIC_INIT(1),
> + .ids = {
> + [IPC_SHM_IDS] = INIT_IPC_SHM_IDS(init_ipc_ns.ids[IPC_SHM_IDS]),
> + },
That's what I meant by "nasty". We initialise one field because we
happen to use that one at the wrong time, and leave everything else
uninitialised. eww.
But in this case it's not as bad as it might be -
shm_exit_ns()->free_ipcs() is a no-op because ids[2].inuse is zero, so
we kinda _did_ initialise that. otoh we left ids[0].rw_mutex and
ids[1].rw_mutex uninitialised, so it's still nasty ;)
We could perhaps have fixed the bug by testing ids->inuse before taking
the mutex, which would also have been a speedup for that function.
That would need some thought.
next prev parent reply other threads:[~2011-08-02 20:34 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-08-01 18:01 initcall dependency problem (ns vs. threads) Vasiliy Kulikov
2011-08-01 18:20 ` Andrew Morton
2011-08-01 18:34 ` [kernel-hardening] " Vasiliy Kulikov
2011-08-01 19:03 ` Vasiliy Kulikov
2011-08-01 19:07 ` Andrew Morton
2011-08-01 19:22 ` Vasiliy Kulikov
2011-08-02 0:01 ` Linus Torvalds
2011-08-02 12:45 ` [PATCH] shm: fix a race between shm_exit() and shm_init() Vasiliy Kulikov
2011-08-02 12:51 ` Manuel Lauss
2011-08-02 13:23 ` Richard Weinberger
2011-08-02 13:29 ` Marc Zyngier
2011-08-02 20:33 ` Andrew Morton [this message]
2011-08-02 20:55 ` Andrew Morton
2011-08-03 5:30 ` Manuel Lauss
2011-08-03 8:05 ` Marc Zyngier
2011-08-03 8:19 ` Linus Torvalds
2011-08-03 10:04 ` Manuel Lauss
2011-08-03 10:30 ` Marc Zyngier
2011-08-03 13:13 ` Thadeu Lima de Souza Cascardo
2011-08-03 13:33 ` Kay Sievers
2011-08-03 13:45 ` Richard Weinberger
2011-08-04 0:35 ` Linus Torvalds
2011-08-04 0:50 ` Andrew Morton
2011-08-04 1:01 ` Linus Torvalds
2011-08-04 1:15 ` Kay Sievers
2011-08-04 8:26 ` Marc Zyngier
2011-08-03 7:43 ` Linus Torvalds
2011-08-03 7:50 ` Manuel Lauss
2011-08-03 8:00 ` Manuel Lauss
2011-08-03 19:33 ` Andrew Morton
2011-08-03 19:52 ` [kernel-hardening] " Vasiliy Kulikov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110802133356.79e80b91.akpm@linux-foundation.org \
--to=akpm@linux-foundation.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=manuel.lauss@googlemail.com \
--cc=maz@misterjones.org \
--cc=mingo@elte.hu \
--cc=paul.mckenney@linaro.org \
--cc=richard@nod.at \
--cc=segoon@openwall.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox