From: ebiederm@xmission.com (Eric W. Biederman)
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Patrick McHardy <kaber@trash.net>,
Matias Zabaljauregui <zabaljauregui@gmail.com>,
odie@cs.aau.dk, Rusty Russell <rusty@rustcorp.com.au>,
lguest@ozlabs.org, virtualization@lists.osdl.org,
"David S. Miller" <davem@davemloft.net>,
netdev@vger.kernel.org,
Christian Borntraeger <borntraeger@de.ibm.com>
Subject: Re: [Lguest] [PATCH 4/5] lguest: use KVM hypercalls
Date: Wed, 15 Apr 2009 06:23:29 -0700 [thread overview]
Message-ID: <m18wm2rqy6.fsf@fess.ebiederm.org> (raw)
In-Reply-To: <20090415084717.GA8829@gondor.apana.org.au> (Herbert Xu's message of "Wed\, 15 Apr 2009 16\:47\:17 +0800")
Herbert Xu <herbert@gondor.apana.org.au> writes:
> On Wed, Apr 15, 2009 at 04:36:10PM +0800, Herbert Xu wrote:
>>
>> Let me whip up a patch.
>
> tun: Fix sk_sleep races when attaching/detaching
>
> As the sk_sleep wait queue actually lives in tfile, which may be
> detached from the tun device, bad things will happen when we use
> sk_sleep after detaching.
>
> Since the tun device is the persistent data structure here (when
> requested by the user), it makes much more sense to have the wait
> queue live there. There is no reason to have it in tfile at all
> since the only time we can wait is if we have a tun attached.
> In fact we already have a wait queue in tun_struct, so we might
> as well use it.
There is a GIGANTIC reason to have the wait queue on tfile.
If you open a file, and do ip link del tapN you can still
be blocked waiting in poll.
The problem is specifically free_poll_entry, where we call
remove_wait_queue and fput without calling any file methods.
So all of this happens without struct tun_file's count being
elevated. Which means tun_net_uninit can detach before we get
off of the stupid poll wait queue.
As documented in:
commit b2430de37ef0bc0799ffba7b5219d38ca417eb76
Author: Eric W. Biederman <ebiederm@xmission.com>
Date: Tue Jan 20 11:03:21 2009 +0000
tun: Move read_wait into tun_file
The poll interface requires that the waitqueue exist while the struct
file is open. In the rare case when a tun device disappears before
the tun file closes we fail to provide this property, so move
read_wait.
This is safe now that tun_net_xmit is atomic with tun_detach.
Signed-off-by: Eric W. Biederman <ebiederm@aristanetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
I specifically moved the wait queue out of tun struct to avoid this
race.
I will see about getting the vfs to do something saner in my generic
revoke work. But for 2.6.30 we have to live with the nasties that
are there.
Nacked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Eric
next prev parent reply other threads:[~2009-04-15 13:23 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <200903271022.38244.rusty@rustcorp.com.au>
[not found] ` <1238709324.5823.8.camel@odie.local>
[not found] ` <1239043798.27826.93.camel@zetabook>
[not found] ` <200904081021.39877.rusty@rustcorp.com.au>
[not found] ` <1239224319.17844.16.camel@zetabook>
[not found] ` <49DDE91A.8060603@trash.net>
[not found] ` <49DDF614.1060909@trash.net>
[not found] ` <m1bpr6hqrm.fsf@fess.ebiederm.org>
[not found] ` <49E47976.8020005@trash.net>
2009-04-15 8:36 ` [Lguest] [PATCH 4/5] lguest: use KVM hypercalls Herbert Xu
[not found] ` <20090415083610.GA8579-lOAM2aK0SrRLBo1qDEOMRrpzq4S04n8Q@public.gmane.org>
2009-04-15 8:47 ` Herbert Xu
2009-04-15 9:07 ` [Lguest] " Christian Borntraeger
2009-04-15 11:07 ` Patrick McHardy
2009-04-15 13:23 ` Eric W. Biederman [this message]
[not found] ` <m18wm2rqy6.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2009-04-15 13:28 ` Herbert Xu
[not found] ` <20090415132802.GA11408-lOAM2aK0SrRLBo1qDEOMRrpzq4S04n8Q@public.gmane.org>
2009-04-15 13:35 ` Eric W. Biederman
[not found] ` <m1skkaox8h.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2009-04-15 13:46 ` Herbert Xu
[not found] ` <20090415134610.GA11683-lOAM2aK0SrRLBo1qDEOMRrpzq4S04n8Q@public.gmane.org>
2009-04-15 13:55 ` Herbert Xu
[not found] ` <20090415135502.GA11827-lOAM2aK0SrRLBo1qDEOMRrpzq4S04n8Q@public.gmane.org>
2009-04-15 14:10 ` Eric W. Biederman
[not found] ` <m1ocuynh2f.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2009-04-15 14:12 ` Herbert Xu
2009-04-15 14:06 ` [Lguest] " Eric W. Biederman
[not found] ` <m11vruovu5.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2009-04-15 14:08 ` Herbert Xu
[not found] ` <20090415140819.GA11991-lOAM2aK0SrRLBo1qDEOMRrpzq4S04n8Q@public.gmane.org>
2009-04-15 14:18 ` Eric W. Biederman
[not found] ` <m1iql6m24b.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2009-04-15 14:23 ` Herbert Xu
2009-04-15 14:38 ` Herbert Xu
[not found] ` <20090415143834.GA12384-lOAM2aK0SrRLBo1qDEOMRrpzq4S04n8Q@public.gmane.org>
2009-04-15 14:56 ` Eric W. Biederman
[not found] ` <m1zleiklsl.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2009-04-15 22:27 ` Herbert Xu
2009-04-16 11:08 ` [1/2] tun: Only free a netdev when all tun descriptors are closed Herbert Xu
[not found] ` <20090416110818.GA20950-lOAM2aK0SrRLBo1qDEOMRrpzq4S04n8Q@public.gmane.org>
2009-04-16 11:09 ` [2/2] tun: Fix sk_sleep races when attaching/detaching Herbert Xu
[not found] ` <20090416110952.GB20950-lOAM2aK0SrRLBo1qDEOMRrpzq4S04n8Q@public.gmane.org>
2009-04-20 8:35 ` Herbert Xu
2009-04-20 9:26 ` David Miller
2009-04-20 9:35 ` Herbert Xu
2009-04-20 10:02 ` David Miller
2009-04-24 8:55 ` [1/2] tun: Only free a netdev when all tun descriptors are closed Christian Borntraeger
[not found] ` <200904241055.49794.borntraeger-tA70FqPdS9bQT0dZR+AlfA@public.gmane.org>
2009-04-24 12:11 ` Herbert Xu
[not found] ` <20090424121156.GA28039-lOAM2aK0SrRLBo1qDEOMRrpzq4S04n8Q@public.gmane.org>
2009-04-24 12:40 ` Christian Borntraeger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m18wm2rqy6.fsf@fess.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=borntraeger@de.ibm.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=kaber@trash.net \
--cc=lguest@ozlabs.org \
--cc=netdev@vger.kernel.org \
--cc=odie@cs.aau.dk \
--cc=rusty@rustcorp.com.au \
--cc=virtualization@lists.osdl.org \
--cc=zabaljauregui@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).