[PATCH v1 1/1]: fs: pipe.c null pointer dereference

[PATCH v1 1/1]: fs: pipe.c null pointer dereference

[Earl Chew]

This patch fixes a null pointer exception in pipe_rdwr_open() which
generates the stack trace:


 > Unable to handle kernel NULL pointer dereference at 0000000000000028 RIP:
 >  [<ffffffff802899a5>] pipe_rdwr_open+0x35/0x70
 >  [<ffffffff8028125c>] __dentry_open+0x13c/0x230
 >  [<ffffffff8028143d>] do_filp_open+0x2d/0x40
 >  [<ffffffff802814aa>] do_sys_open+0x5a/0x100
 >  [<ffffffff8021faf3>] sysenter_do_call+0x1b/0x67

This defect is also described in:
   http://lkml.org/lkml/2009/10/14/184
   http://bugzilla.kernel.org/show_bug.cgi?id=14416


The failure mode is triggered by an attempt to open an anonymous
pipe via /proc/pid/fd/* as exemplified by this script:

=============================================================
#!/bin/sh
while : ; do
    { echo y ; sleep 1 ; } | { while read ; do echo z$REPLY; done ; } &
    PID=$!
    OUT=$(ps -efl | grep 'sleep 1' | grep -v grep |
         { read PID REST ; echo $PID; } )
    OUT="${OUT%% *}"
    DELAY=$((RANDOM * 1000 / 32768))
    usleep $((DELAY * 1000 + RANDOM % 1000 ))
    echo n > /proc/$OUT/fd/1                 # Trigger defect
done
=============================================================

Note that the failure window is quite small and I could only
reliably reproduce the defect by inserting a small delay
in pipe_rdwr_open(). For example:

  static int
  pipe_rdwr_open(struct inode *inode, struct file *filp)
  {
        msleep(100);
        mutex_lock(&inode->i_mutex);


Although the defect was observed in pipe_rdwr_open(), I think it
makes sense to replicate the change through all the pipe_*_open()
functions.

The core of the change is to verify that inode->i_pipe has not
been released before attempting to manipulate it. If inode->i_pipe
is no longer present, return ENOENT to indicate so.

The comment about potentially using atomic_t for i_pipe->readers
and i_pipe->writers has also been removed because it is no longer
relevant in this context. The inode->i_mutex lock must be used so
that inode->i_pipe can be dealt with correctly.



--- linux-2.6.21_mvlcge500/fs/pipe.c.orig	2009-10-15 20:33:53.000000000 
-0700
+++ linux-2.6.21_mvlcge500/fs/pipe.c	2009-10-15 21:21:25.000000000 -0700
@@ -712,36 +712,55 @@ pipe_rdwr_release(struct inode *inode, s
  static int
  pipe_read_open(struct inode *inode, struct file *filp)
  {
-	/* We could have perhaps used atomic_t, but this and friends
-	   below are the only places.  So it doesn't seem worthwhile.  */
+	int ret = -ENOENT;
+
  	mutex_lock(&inode->i_mutex);
-	inode->i_pipe->readers++;
+
+	if (inode->i_pipe) {
+		ret = 0;
+		inode->i_pipe->readers++;
+	}
+
  	mutex_unlock(&inode->i_mutex);

-	return 0;
+	return ret;
  }

  static int
  pipe_write_open(struct inode *inode, struct file *filp)
  {
+	int ret = -ENOENT;
+
  	mutex_lock(&inode->i_mutex);
-	inode->i_pipe->writers++;
+
+	if (inode->i_pipe) {
+		ret = 0;
+		inode->i_pipe->writers++;
+	}
+
  	mutex_unlock(&inode->i_mutex);

-	return 0;
+	return ret;
  }

  static int
  pipe_rdwr_open(struct inode *inode, struct file *filp)
  {
+	int ret = -ENOENT;
+
  	mutex_lock(&inode->i_mutex);
-	if (filp->f_mode & FMODE_READ)
-		inode->i_pipe->readers++;
-	if (filp->f_mode & FMODE_WRITE)
-		inode->i_pipe->writers++;
+
+	if (inode->i_pipe) {
+		ret = 0;
+		if (filp->f_mode & FMODE_READ)
+			inode->i_pipe->readers++;
+		if (filp->f_mode & FMODE_WRITE)
+			inode->i_pipe->writers++;
+	}
+
  	mutex_unlock(&inode->i_mutex);

-	return 0;
+	return ret;
  }

  /*

Re: [PATCH v1 1/1]: fs: pipe.c null pointer dereference

[Jiri Kosina]

[ adding some CCs, so that this userspace-triggerable NULL pointer 
  dereference doesn't get lost in the deep dark waters of LKML ]

On Fri, 16 Oct 2009, Earl Chew wrote:

> This patch fixes a null pointer exception in pipe_rdwr_open() which
> generates the stack trace:
> 
> 
> > Unable to handle kernel NULL pointer dereference at 0000000000000028 RIP:
> >  [<ffffffff802899a5>] pipe_rdwr_open+0x35/0x70
> >  [<ffffffff8028125c>] __dentry_open+0x13c/0x230
> >  [<ffffffff8028143d>] do_filp_open+0x2d/0x40
> >  [<ffffffff802814aa>] do_sys_open+0x5a/0x100
> >  [<ffffffff8021faf3>] sysenter_do_call+0x1b/0x67
> 
> This defect is also described in:
>   http://lkml.org/lkml/2009/10/14/184
>   http://bugzilla.kernel.org/show_bug.cgi?id=14416
> 
> 
> The failure mode is triggered by an attempt to open an anonymous
> pipe via /proc/pid/fd/* as exemplified by this script:
> 
> =============================================================
> #!/bin/sh
> while : ; do
>    { echo y ; sleep 1 ; } | { while read ; do echo z$REPLY; done ; } &
>    PID=$!
>    OUT=$(ps -efl | grep 'sleep 1' | grep -v grep |
>         { read PID REST ; echo $PID; } )
>    OUT="${OUT%% *}"
>    DELAY=$((RANDOM * 1000 / 32768))
>    usleep $((DELAY * 1000 + RANDOM % 1000 ))
>    echo n > /proc/$OUT/fd/1                 # Trigger defect
> done
> =============================================================
> 
> Note that the failure window is quite small and I could only
> reliably reproduce the defect by inserting a small delay
> in pipe_rdwr_open(). For example:
> 
>  static int
>  pipe_rdwr_open(struct inode *inode, struct file *filp)
>  {
>        msleep(100);
>        mutex_lock(&inode->i_mutex);
> 
> 
> Although the defect was observed in pipe_rdwr_open(), I think it
> makes sense to replicate the change through all the pipe_*_open()
> functions.
> 
> The core of the change is to verify that inode->i_pipe has not
> been released before attempting to manipulate it. If inode->i_pipe
> is no longer present, return ENOENT to indicate so.
> 
> The comment about potentially using atomic_t for i_pipe->readers
> and i_pipe->writers has also been removed because it is no longer
> relevant in this context. The inode->i_mutex lock must be used so
> that inode->i_pipe can be dealt with correctly.
> 
> 
> 
> --- linux-2.6.21_mvlcge500/fs/pipe.c.orig	2009-10-15 20:33:53.000000000
> -0700
> +++ linux-2.6.21_mvlcge500/fs/pipe.c	2009-10-15 21:21:25.000000000 -0700
> @@ -712,36 +712,55 @@ pipe_rdwr_release(struct inode *inode, s
>  static int
>  pipe_read_open(struct inode *inode, struct file *filp)
>  {
> -	/* We could have perhaps used atomic_t, but this and friends
> -	   below are the only places.  So it doesn't seem worthwhile.  */
> +	int ret = -ENOENT;
> +
>  	mutex_lock(&inode->i_mutex);
> -	inode->i_pipe->readers++;
> +
> +	if (inode->i_pipe) {
> +		ret = 0;
> +		inode->i_pipe->readers++;
> +	}
> +
>  	mutex_unlock(&inode->i_mutex);
> 
> -	return 0;
> +	return ret;
>  }
> 
>  static int
>  pipe_write_open(struct inode *inode, struct file *filp)
>  {
> +	int ret = -ENOENT;
> +
>  	mutex_lock(&inode->i_mutex);
> -	inode->i_pipe->writers++;
> +
> +	if (inode->i_pipe) {
> +		ret = 0;
> +		inode->i_pipe->writers++;
> +	}
> +
>  	mutex_unlock(&inode->i_mutex);
> 
> -	return 0;
> +	return ret;
>  }
> 
>  static int
>  pipe_rdwr_open(struct inode *inode, struct file *filp)
>  {
> +	int ret = -ENOENT;
> +
>  	mutex_lock(&inode->i_mutex);
> -	if (filp->f_mode & FMODE_READ)
> -		inode->i_pipe->readers++;
> -	if (filp->f_mode & FMODE_WRITE)
> -		inode->i_pipe->writers++;
> +
> +	if (inode->i_pipe) {
> +		ret = 0;
> +		if (filp->f_mode & FMODE_READ)
> +			inode->i_pipe->readers++;
> +		if (filp->f_mode & FMODE_WRITE)
> +			inode->i_pipe->writers++;
> +	}
> +
>  	mutex_unlock(&inode->i_mutex);
> 
> -	return 0;
> +	return ret;
>  }
> 
>  /*
> 
> 
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
> 

-- 
Jiri Kosina
SUSE Labs, Novell Inc.

[PATCH v2 1/1]: fs: pipe.c null pointer dereference + sign off

[Earl Chew]

[ Exactly as before, but with sign off ]


This patch fixes a null pointer exception in pipe_rdwr_open() which
generates the stack trace:


 > Unable to handle kernel NULL pointer dereference at 0000000000000028 RIP:
 >  [<ffffffff802899a5>] pipe_rdwr_open+0x35/0x70
 >  [<ffffffff8028125c>] __dentry_open+0x13c/0x230
 >  [<ffffffff8028143d>] do_filp_open+0x2d/0x40
 >  [<ffffffff802814aa>] do_sys_open+0x5a/0x100
 >  [<ffffffff8021faf3>] sysenter_do_call+0x1b/0x67

This defect is also described in:
   http://lkml.org/lkml/2009/10/14/184
   http://bugzilla.kernel.org/show_bug.cgi?id=14416


The failure mode is triggered by an attempt to open an anonymous
pipe via /proc/pid/fd/* as exemplified by this script:

=============================================================
#!/bin/sh
while : ; do
    { echo y ; sleep 1 ; } | { while read ; do echo z$REPLY; done ; } &
    PID=$!
    OUT=$(ps -efl | grep 'sleep 1' | grep -v grep |
         { read PID REST ; echo $PID; } )
    OUT="${OUT%% *}"
    DELAY=$((RANDOM * 1000 / 32768))
    usleep $((DELAY * 1000 + RANDOM % 1000 ))
    echo n > /proc/$OUT/fd/1                 # Trigger defect
done
=============================================================

Note that the failure window is quite small and I could only
reliably reproduce the defect by inserting a small delay
in pipe_rdwr_open(). For example:

  static int
  pipe_rdwr_open(struct inode *inode, struct file *filp)
  {
        msleep(100);
        mutex_lock(&inode->i_mutex);


Although the defect was observed in pipe_rdwr_open(), I think it
makes sense to replicate the change through all the pipe_*_open()
functions.

The core of the change is to verify that inode->i_pipe has not
been released before attempting to manipulate it. If inode->i_pipe
is no longer present, return ENOENT to indicate so.

The comment about potentially using atomic_t for i_pipe->readers
and i_pipe->writers has also been removed because it is no longer
relevant in this context. The inode->i_mutex lock must be used so
that inode->i_pipe can be dealt with correctly.


Signed-off-by: Earl Chew <earl_chew@agilent.com>


--- linux-2.6.21_mvlcge500/fs/pipe.c.orig    2009-10-15 
20:33:53.000000000 -0700
+++ linux-2.6.21_mvlcge500/fs/pipe.c    2009-10-15 21:21:25.000000000 -0700
@@ -712,36 +712,55 @@ pipe_rdwr_release(struct inode *inode, s
  static int
  pipe_read_open(struct inode *inode, struct file *filp)
  {
-    /* We could have perhaps used atomic_t, but this and friends
-       below are the only places.  So it doesn't seem worthwhile.  */
+    int ret = -ENOENT;
+
      mutex_lock(&inode->i_mutex);
-    inode->i_pipe->readers++;
+
+    if (inode->i_pipe) {
+        ret = 0;
+        inode->i_pipe->readers++;
+    }
+
      mutex_unlock(&inode->i_mutex);

-    return 0;
+    return ret;
  }

  static int
  pipe_write_open(struct inode *inode, struct file *filp)
  {
+    int ret = -ENOENT;
+
      mutex_lock(&inode->i_mutex);
-    inode->i_pipe->writers++;
+
+    if (inode->i_pipe) {
+        ret = 0;
+        inode->i_pipe->writers++;
+    }
+
      mutex_unlock(&inode->i_mutex);

-    return 0;
+    return ret;
  }

  static int
  pipe_rdwr_open(struct inode *inode, struct file *filp)
  {
+    int ret = -ENOENT;
+
      mutex_lock(&inode->i_mutex);
-    if (filp->f_mode & FMODE_READ)
-        inode->i_pipe->readers++;
-    if (filp->f_mode & FMODE_WRITE)
-        inode->i_pipe->writers++;
+
+    if (inode->i_pipe) {
+        ret = 0;
+        if (filp->f_mode & FMODE_READ)
+            inode->i_pipe->readers++;
+        if (filp->f_mode & FMODE_WRITE)
+            inode->i_pipe->writers++;
+    }
+
      mutex_unlock(&inode->i_mutex);

-    return 0;
+    return ret;
  }

  /*

Re: [PATCH v2 1/1]: fs: pipe.c null pointer dereference + sign off

[Daniel Walker]

On Mon, 2009-10-19 at 11:13 -0700, Earl Chew wrote:
> [ Exactly as before, but with sign off ]
> 

You've got a few more submission related issues, see below.

> This patch fixes a null pointer exception in pipe_rdwr_open() which
> generates the stack trace:
> 
> 
>  > Unable to handle kernel NULL pointer dereference at 0000000000000028 RIP:
>  >  [<ffffffff802899a5>] pipe_rdwr_open+0x35/0x70
>  >  [<ffffffff8028125c>] __dentry_open+0x13c/0x230
>  >  [<ffffffff8028143d>] do_filp_open+0x2d/0x40
>  >  [<ffffffff802814aa>] do_sys_open+0x5a/0x100
>  >  [<ffffffff8021faf3>] sysenter_do_call+0x1b/0x67
> 
> This defect is also described in:
>    http://lkml.org/lkml/2009/10/14/184
>    http://bugzilla.kernel.org/show_bug.cgi?id=14416
> 
> 
> The failure mode is triggered by an attempt to open an anonymous
> pipe via /proc/pid/fd/* as exemplified by this script:
> 
> =============================================================
> #!/bin/sh
> while : ; do
>     { echo y ; sleep 1 ; } | { while read ; do echo z$REPLY; done ; } &
>     PID=$!
>     OUT=$(ps -efl | grep 'sleep 1' | grep -v grep |
>          { read PID REST ; echo $PID; } )
>     OUT="${OUT%% *}"
>     DELAY=$((RANDOM * 1000 / 32768))
>     usleep $((DELAY * 1000 + RANDOM % 1000 ))
>     echo n > /proc/$OUT/fd/1                 # Trigger defect
> done
> =============================================================
> 
> Note that the failure window is quite small and I could only
> reliably reproduce the defect by inserting a small delay
> in pipe_rdwr_open(). For example:
> 
>   static int
>   pipe_rdwr_open(struct inode *inode, struct file *filp)
>   {
>         msleep(100);
>         mutex_lock(&inode->i_mutex);
> 
> 
> Although the defect was observed in pipe_rdwr_open(), I think it
> makes sense to replicate the change through all the pipe_*_open()
> functions.
> 
> The core of the change is to verify that inode->i_pipe has not
> been released before attempting to manipulate it. If inode->i_pipe
> is no longer present, return ENOENT to indicate so.
> 
> The comment about potentially using atomic_t for i_pipe->readers
> and i_pipe->writers has also been removed because it is no longer
> relevant in this context. The inode->i_mutex lock must be used so
> that inode->i_pipe can be dealt with correctly.
> 
> 
> Signed-off-by: Earl Chew <earl_chew@agilent.com>
> 
> 
> --- linux-2.6.21_mvlcge500/fs/pipe.c.orig    2009-10-15 
> 20:33:53.000000000 -0700
> +++ linux-2.6.21_mvlcge500/fs/pipe.c    2009-10-15 21:21:25.000000000 -0700
> @@ -712,36 +712,55 @@ pipe_rdwr_release(struct inode *inode, s
>   static int

You patch looks like it might be line wrapped .. Sometimes mailers will
do that if you don't tell them the content is already formatted.

Also I see your using a MontaVista kernel, which is older than current
mainline .. I would assume you tested this on a recent kernel also?

>   pipe_read_open(struct inode *inode, struct file *filp)
>   {
> -    /* We could have perhaps used atomic_t, but this and friends
> -       below are the only places.  So it doesn't seem worthwhile.  */
> +    int ret = -ENOENT;

>From checkpatch,

ERROR: code indent should use tabs where possible
#125: FILE: fs/pipe.c:720:
+        ret = 0;$

It looks like maybe your mailer (or copy and paste) may have stripped
all the tabs off your patch. This makes is very difficult to apply.


Daniel

Re: [PATCH v2 1/1]: fs: pipe.c null pointer dereference + sign off

[Earl Chew]

Daniel Walker wrote:
> You patch looks like it might be line wrapped .. Sometimes mailers will
> do that if you don't tell them the content is already formatted.

Arghhh ... struck by Thunderbirditis.

Apparently mailnews.send_plaintext_flowed=false is the key to
preserving tabs, and the Toggle Word Wrap extension is useful
for to avoid inserting additional newlines:

https://addons.mozilla.org/en-US/thunderbird/addon/2351

As you can see, I'm new to this game. Your patience is appreciated.

I'll repost.

> Also I see your using a MontaVista kernel, which is older than current
> mainline .. I would assume you tested this on a recent kernel also?

I don't have immediate access to a more recent kernel.

The changes are fairly straightforward and I have added extensive
documentation on how to reproduce and verify the defect.

Is anyone interested in helping out here by verifying on a
more recent kernel?

Earl

[PATCH v3 1/1]: fs: pipe.c null pointer dereference + sign off + unmangled diffs

[Earl Chew]

[ Exactly as before, but with sign off and tabs preserved ]

This patch fixes a null pointer exception in pipe_rdwr_open() which
generates the stack trace:


> Unable to handle kernel NULL pointer dereference at 0000000000000028 RIP:
>  [<ffffffff802899a5>] pipe_rdwr_open+0x35/0x70
>  [<ffffffff8028125c>] __dentry_open+0x13c/0x230
>  [<ffffffff8028143d>] do_filp_open+0x2d/0x40
>  [<ffffffff802814aa>] do_sys_open+0x5a/0x100
>  [<ffffffff8021faf3>] sysenter_do_call+0x1b/0x67


The failure mode is triggered by an attempt to open an anonymous
pipe via /proc/pid/fd/* as exemplified by this script:

=============================================================
#!/bin/sh
while : ; do
   { echo y ; sleep 1 ; } | { while read ; do echo z$REPLY; done ; } &
   PID=$!
   OUT=$(ps -efl | grep 'sleep 1' | grep -v grep |
        { read PID REST ; echo $PID; } )
   OUT="${OUT%% *}"
   DELAY=$((RANDOM * 1000 / 32768))
   usleep $((DELAY * 1000 + RANDOM % 1000 ))
   echo n > /proc/$OUT/fd/1                 # Trigger defect
done
=============================================================

Note that the failure window is quite small and I could only
reliably reproduce the defect by inserting a small delay
in pipe_rdwr_open(). For example:

 static int
 pipe_rdwr_open(struct inode *inode, struct file *filp)
 {
       msleep(100);
       mutex_lock(&inode->i_mutex);


Although the defect was observed in pipe_rdwr_open(), I think it
makes sense to replicate the change through all the pipe_*_open()
functions.

The core of the change is to verify that inode->i_pipe has not
been released before attempting to manipulate it. If inode->i_pipe
is no longer present, return ENOENT to indicate so.

The comment about potentially using atomic_t for i_pipe->readers
and i_pipe->writers has also been removed because it is no longer
relevant in this context. The inode->i_mutex lock must be used so
that inode->i_pipe can be dealt with correctly.



--- linux-2.6.21_mvlcge500/fs/pipe.c.orig	2009-10-15 20:33:53.000000000 -0700
+++ linux-2.6.21_mvlcge500/fs/pipe.c	2009-10-15 21:21:25.000000000 -0700
@@ -712,36 +712,55 @@ pipe_rdwr_release(struct inode *inode, s
 static int
 pipe_read_open(struct inode *inode, struct file *filp)
 {
-	/* We could have perhaps used atomic_t, but this and friends
-	   below are the only places.  So it doesn't seem worthwhile.  */
+	int ret = -ENOENT;
+
 	mutex_lock(&inode->i_mutex);
-	inode->i_pipe->readers++;
+
+	if (inode->i_pipe) {
+		ret = 0;
+		inode->i_pipe->readers++;
+	}
+
 	mutex_unlock(&inode->i_mutex);
 
-	return 0;
+	return ret;
 }
 
 static int
 pipe_write_open(struct inode *inode, struct file *filp)
 {
+	int ret = -ENOENT;
+
 	mutex_lock(&inode->i_mutex);
-	inode->i_pipe->writers++;
+
+	if (inode->i_pipe) {
+		ret = 0;
+		inode->i_pipe->writers++;
+	}
+
 	mutex_unlock(&inode->i_mutex);
 
-	return 0;
+	return ret;
 }
 
 static int
 pipe_rdwr_open(struct inode *inode, struct file *filp)
 {
+	int ret = -ENOENT;
+
 	mutex_lock(&inode->i_mutex);
-	if (filp->f_mode & FMODE_READ)
-		inode->i_pipe->readers++;
-	if (filp->f_mode & FMODE_WRITE)
-		inode->i_pipe->writers++;
+
+	if (inode->i_pipe) {
+		ret = 0;
+		if (filp->f_mode & FMODE_READ)
+			inode->i_pipe->readers++;
+		if (filp->f_mode & FMODE_WRITE)
+			inode->i_pipe->writers++;
+	}
+
 	mutex_unlock(&inode->i_mutex);
 
-	return 0;
+	return ret;
 }
 
 /*

[PATCH v4 1/1]: fs: pipe.c null pointer dereference + really sign off + unmangled diffs

[Earl Chew]

[ Exactly as before, but really sign off and tabs preserved ]


This patch fixes a null pointer exception in pipe_rdwr_open() which
generates the stack trace:


> Unable to handle kernel NULL pointer dereference at 0000000000000028 RIP:
>  [<ffffffff802899a5>] pipe_rdwr_open+0x35/0x70
>  [<ffffffff8028125c>] __dentry_open+0x13c/0x230
>  [<ffffffff8028143d>] do_filp_open+0x2d/0x40
>  [<ffffffff802814aa>] do_sys_open+0x5a/0x100
>  [<ffffffff8021faf3>] sysenter_do_call+0x1b/0x67


The failure mode is triggered by an attempt to open an anonymous
pipe via /proc/pid/fd/* as exemplified by this script:

=============================================================
#!/bin/sh
while : ; do
   { echo y ; sleep 1 ; } | { while read ; do echo z$REPLY; done ; } &
   PID=$!
   OUT=$(ps -efl | grep 'sleep 1' | grep -v grep |
        { read PID REST ; echo $PID; } )
   OUT="${OUT%% *}"
   DELAY=$((RANDOM * 1000 / 32768))
   usleep $((DELAY * 1000 + RANDOM % 1000 ))
   echo n > /proc/$OUT/fd/1                 # Trigger defect
done
=============================================================

Note that the failure window is quite small and I could only
reliably reproduce the defect by inserting a small delay
in pipe_rdwr_open(). For example:

 static int
 pipe_rdwr_open(struct inode *inode, struct file *filp)
 {
       msleep(100);
       mutex_lock(&inode->i_mutex);


Although the defect was observed in pipe_rdwr_open(), I think it
makes sense to replicate the change through all the pipe_*_open()
functions.

The core of the change is to verify that inode->i_pipe has not
been released before attempting to manipulate it. If inode->i_pipe
is no longer present, return ENOENT to indicate so.

The comment about potentially using atomic_t for i_pipe->readers
and i_pipe->writers has also been removed because it is no longer
relevant in this context. The inode->i_mutex lock must be used so
that inode->i_pipe can be dealt with correctly.


Signed-off-by: Earl Chew <earl_chew@agilent.com>


--- linux-2.6.21_mvlcge500/fs/pipe.c.orig	2009-10-15 20:33:53.000000000 -0700
+++ linux-2.6.21_mvlcge500/fs/pipe.c	2009-10-15 21:21:25.000000000 -0700
@@ -712,36 +712,55 @@ pipe_rdwr_release(struct inode *inode, s
 static int
 pipe_read_open(struct inode *inode, struct file *filp)
 {
-	/* We could have perhaps used atomic_t, but this and friends
-	   below are the only places.  So it doesn't seem worthwhile.  */
+	int ret = -ENOENT;
+
 	mutex_lock(&inode->i_mutex);
-	inode->i_pipe->readers++;
+
+	if (inode->i_pipe) {
+		ret = 0;
+		inode->i_pipe->readers++;
+	}
+
 	mutex_unlock(&inode->i_mutex);
 
-	return 0;
+	return ret;
 }
 
 static int
 pipe_write_open(struct inode *inode, struct file *filp)
 {
+	int ret = -ENOENT;
+
 	mutex_lock(&inode->i_mutex);
-	inode->i_pipe->writers++;
+
+	if (inode->i_pipe) {
+		ret = 0;
+		inode->i_pipe->writers++;
+	}
+
 	mutex_unlock(&inode->i_mutex);
 
-	return 0;
+	return ret;
 }
 
 static int
 pipe_rdwr_open(struct inode *inode, struct file *filp)
 {
+	int ret = -ENOENT;
+
 	mutex_lock(&inode->i_mutex);
-	if (filp->f_mode & FMODE_READ)
-		inode->i_pipe->readers++;
-	if (filp->f_mode & FMODE_WRITE)
-		inode->i_pipe->writers++;
+
+	if (inode->i_pipe) {
+		ret = 0;
+		if (filp->f_mode & FMODE_READ)
+			inode->i_pipe->readers++;
+		if (filp->f_mode & FMODE_WRITE)
+			inode->i_pipe->writers++;
+	}
+
 	mutex_unlock(&inode->i_mutex);
 
-	return 0;
+	return ret;
 }
 
 /*

Re: [PATCH v4 1/1]: fs: pipe.c null pointer dereference + really sign off + unmangled diffs

[Américo Wang]

On Tue, Oct 20, 2009 at 6:55 AM, Earl Chew <earl_chew@agilent.com> wrote:
> [ Exactly as before, but really sign off and tabs preserved ]
>
>
> This patch fixes a null pointer exception in pipe_rdwr_open() which
> generates the stack trace:
>
>
>> Unable to handle kernel NULL pointer dereference at 0000000000000028 RIP:
>>  [<ffffffff802899a5>] pipe_rdwr_open+0x35/0x70
>>  [<ffffffff8028125c>] __dentry_open+0x13c/0x230
>>  [<ffffffff8028143d>] do_filp_open+0x2d/0x40
>>  [<ffffffff802814aa>] do_sys_open+0x5a/0x100
>>  [<ffffffff8021faf3>] sysenter_do_call+0x1b/0x67
>
>
> The failure mode is triggered by an attempt to open an anonymous
> pipe via /proc/pid/fd/* as exemplified by this script:
>
> =============================================================
> #!/bin/sh
> while : ; do
>   { echo y ; sleep 1 ; } | { while read ; do echo z$REPLY; done ; } &
>   PID=$!
>   OUT=$(ps -efl | grep 'sleep 1' | grep -v grep |
>        { read PID REST ; echo $PID; } )
>   OUT="${OUT%% *}"


Well, you can use 'pgrep', it will save you a lot here.
Try: pgrep -f 'sleep 1' -n

>   DELAY=$((RANDOM * 1000 / 32768))
>   usleep $((DELAY * 1000 + RANDOM % 1000 ))
>   echo n > /proc/$OUT/fd/1                 # Trigger defect
> done
> =============================================================
>

This still has very little chance to trigger it, I am afraid.
I tried on my machine, didn't get any oops.

Trying to use C to write it may be better.


> Note that the failure window is quite small and I could only
> reliably reproduce the defect by inserting a small delay
> in pipe_rdwr_open(). For example:
>
>  static int
>  pipe_rdwr_open(struct inode *inode, struct file *filp)
>  {
>       msleep(100);
>       mutex_lock(&inode->i_mutex);
>
>
> Although the defect was observed in pipe_rdwr_open(), I think it
> makes sense to replicate the change through all the pipe_*_open()
> functions.
>
> The core of the change is to verify that inode->i_pipe has not
> been released before attempting to manipulate it. If inode->i_pipe
> is no longer present, return ENOENT to indicate so.
>
> The comment about potentially using atomic_t for i_pipe->readers
> and i_pipe->writers has also been removed because it is no longer
> relevant in this context. The inode->i_mutex lock must be used so
> that inode->i_pipe can be dealt with correctly.


So, if I understand you correctly, you mean we have a small window
between calling sys_open() and fifo_open(), during this little period,
we don't have i_mutex held, thun another process have a chance
to release that pipe and make i_pipe NULL. Right?

Hmm, sounds reasonable. :-/

I'd like you to put the explanations into the code, as comments.

>
>
> Signed-off-by: Earl Chew <earl_chew@agilent.com>


Add some Cc, fs-devel and Al.


>
>
> --- linux-2.6.21_mvlcge500/fs/pipe.c.orig       2009-10-15 20:33:53.000000000 -0700
> +++ linux-2.6.21_mvlcge500/fs/pipe.c    2009-10-15 21:21:25.000000000 -0700
> @@ -712,36 +712,55 @@ pipe_rdwr_release(struct inode *inode, s
>  static int
>  pipe_read_open(struct inode *inode, struct file *filp)
>  {
> -       /* We could have perhaps used atomic_t, but this and friends
> -          below are the only places.  So it doesn't seem worthwhile.  */
> +       int ret = -ENOENT;
> +
>        mutex_lock(&inode->i_mutex);
> -       inode->i_pipe->readers++;
> +
> +       if (inode->i_pipe) {
> +               ret = 0;
> +               inode->i_pipe->readers++;
> +       }
> +
>        mutex_unlock(&inode->i_mutex);
>
> -       return 0;
> +       return ret;
>  }
>
>  static int
>  pipe_write_open(struct inode *inode, struct file *filp)
>  {
> +       int ret = -ENOENT;
> +
>        mutex_lock(&inode->i_mutex);
> -       inode->i_pipe->writers++;
> +
> +       if (inode->i_pipe) {
> +               ret = 0;
> +               inode->i_pipe->writers++;
> +       }
> +
>        mutex_unlock(&inode->i_mutex);
>
> -       return 0;
> +       return ret;
>  }
>
>  static int
>  pipe_rdwr_open(struct inode *inode, struct file *filp)
>  {
> +       int ret = -ENOENT;
> +
>        mutex_lock(&inode->i_mutex);
> -       if (filp->f_mode & FMODE_READ)
> -               inode->i_pipe->readers++;
> -       if (filp->f_mode & FMODE_WRITE)
> -               inode->i_pipe->writers++;
> +
> +       if (inode->i_pipe) {
> +               ret = 0;
> +               if (filp->f_mode & FMODE_READ)
> +                       inode->i_pipe->readers++;
> +               if (filp->f_mode & FMODE_WRITE)
> +                       inode->i_pipe->writers++;
> +       }
> +
>        mutex_unlock(&inode->i_mutex);
>
> -       return 0;
> +       return ret;
>  }
>
>  /*
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
>