This patch fixes a null pointer exception in pipe_rdwr_open() which
generates the stack trace:
> Unable to handle kernel NULL pointer dereference at 0000000000000028 RIP:
> [<ffffffff802899a5>] pipe_rdwr_open+0x35/0x70
> [<ffffffff8028125c>] __dentry_open+0x13c/0x230
> [<ffffffff8028143d>] do_filp_open+0x2d/0x40
> [<ffffffff802814aa>] do_sys_open+0x5a/0x100
> [<ffffffff8021faf3>] sysenter_do_call+0x1b/0x67
This defect is also described in:
http://lkml.org/lkml/2009/10/14/184
http://bugzilla.kernel.org/show_bug.cgi?id=14416
The failure mode is triggered by an attempt to open an anonymous
pipe via /proc/pid/fd/* as exemplified by this script:
=============================================================
#!/bin/sh
while : ; do
{ echo y ; sleep 1 ; } | { while read ; do echo z$REPLY; done ; } &
PID=$!
OUT=$(ps -efl | grep 'sleep 1' | grep -v grep |
{ read PID REST ; echo $PID; } )
OUT="${OUT%% *}"
DELAY=$((RANDOM * 1000 / 32768))
usleep $((DELAY * 1000 + RANDOM % 1000 ))
echo n > /proc/$OUT/fd/1 # Trigger defect
done
=============================================================
Note that the failure window is quite small and I could only
reliably reproduce the defect by inserting a small delay
in pipe_rdwr_open(). For example:
static int
pipe_rdwr_open(struct inode *inode, struct file *filp)
{
msleep(100);
mutex_lock(&inode->i_mutex);
Although the defect was observed in pipe_rdwr_open(), I think it
makes sense to replicate the change through all the pipe_*_open()
functions.
The core of the change is to verify that inode->i_pipe has not
been released before attempting to manipulate it. If inode->i_pipe
is no longer present, return ENOENT to indicate so.
The comment about potentially using atomic_t for i_pipe->readers
and i_pipe->writers has also been removed because it is no longer
relevant in this context. The inode->i_mutex lock must be used so
that inode->i_pipe can be dealt with correctly.
--- linux-2.6.21_mvlcge500/fs/pipe.c.orig 2009-10-15 20:33:53.000000000
-0700
+++ linux-2.6.21_mvlcge500/fs/pipe.c 2009-10-15 21:21:25.000000000 -0700
@@ -712,36 +712,55 @@ pipe_rdwr_release(struct inode *inode, s
static int
pipe_read_open(struct inode *inode, struct file *filp)
{
- /* We could have perhaps used atomic_t, but this and friends
- below are the only places. So it doesn't seem worthwhile. */
+ int ret = -ENOENT;
+
mutex_lock(&inode->i_mutex);
- inode->i_pipe->readers++;
+
+ if (inode->i_pipe) {
+ ret = 0;
+ inode->i_pipe->readers++;
+ }
+
mutex_unlock(&inode->i_mutex);
- return 0;
+ return ret;
}
static int
pipe_write_open(struct inode *inode, struct file *filp)
{
+ int ret = -ENOENT;
+
mutex_lock(&inode->i_mutex);
- inode->i_pipe->writers++;
+
+ if (inode->i_pipe) {
+ ret = 0;
+ inode->i_pipe->writers++;
+ }
+
mutex_unlock(&inode->i_mutex);
- return 0;
+ return ret;
}
static int
pipe_rdwr_open(struct inode *inode, struct file *filp)
{
+ int ret = -ENOENT;
+
mutex_lock(&inode->i_mutex);
- if (filp->f_mode & FMODE_READ)
- inode->i_pipe->readers++;
- if (filp->f_mode & FMODE_WRITE)
- inode->i_pipe->writers++;
+
+ if (inode->i_pipe) {
+ ret = 0;
+ if (filp->f_mode & FMODE_READ)
+ inode->i_pipe->readers++;
+ if (filp->f_mode & FMODE_WRITE)
+ inode->i_pipe->writers++;
+ }
+
mutex_unlock(&inode->i_mutex);
- return 0;
+ return ret;
}
/*
[ adding some CCs, so that this userspace-triggerable NULL pointer
dereference doesn't get lost in the deep dark waters of LKML ]
On Fri, 16 Oct 2009, Earl Chew wrote:
> This patch fixes a null pointer exception in pipe_rdwr_open() which
> generates the stack trace:
>
>
> > Unable to handle kernel NULL pointer dereference at 0000000000000028 RIP:
> > [<ffffffff802899a5>] pipe_rdwr_open+0x35/0x70
> > [<ffffffff8028125c>] __dentry_open+0x13c/0x230
> > [<ffffffff8028143d>] do_filp_open+0x2d/0x40
> > [<ffffffff802814aa>] do_sys_open+0x5a/0x100
> > [<ffffffff8021faf3>] sysenter_do_call+0x1b/0x67
>
> This defect is also described in:
> http://lkml.org/lkml/2009/10/14/184
> http://bugzilla.kernel.org/show_bug.cgi?id=14416
>
>
> The failure mode is triggered by an attempt to open an anonymous
> pipe via /proc/pid/fd/* as exemplified by this script:
>
> =============================================================
> #!/bin/sh
> while : ; do
> { echo y ; sleep 1 ; } | { while read ; do echo z$REPLY; done ; } &
> PID=$!
> OUT=$(ps -efl | grep 'sleep 1' | grep -v grep |
> { read PID REST ; echo $PID; } )
> OUT="${OUT%% *}"
> DELAY=$((RANDOM * 1000 / 32768))
> usleep $((DELAY * 1000 + RANDOM % 1000 ))
> echo n > /proc/$OUT/fd/1 # Trigger defect
> done
> =============================================================
>
> Note that the failure window is quite small and I could only
> reliably reproduce the defect by inserting a small delay
> in pipe_rdwr_open(). For example:
>
> static int
> pipe_rdwr_open(struct inode *inode, struct file *filp)
> {
> msleep(100);
> mutex_lock(&inode->i_mutex);
>
>
> Although the defect was observed in pipe_rdwr_open(), I think it
> makes sense to replicate the change through all the pipe_*_open()
> functions.
>
> The core of the change is to verify that inode->i_pipe has not
> been released before attempting to manipulate it. If inode->i_pipe
> is no longer present, return ENOENT to indicate so.
>
> The comment about potentially using atomic_t for i_pipe->readers
> and i_pipe->writers has also been removed because it is no longer
> relevant in this context. The inode->i_mutex lock must be used so
> that inode->i_pipe can be dealt with correctly.
>
>
>
> --- linux-2.6.21_mvlcge500/fs/pipe.c.orig 2009-10-15 20:33:53.000000000
> -0700
> +++ linux-2.6.21_mvlcge500/fs/pipe.c 2009-10-15 21:21:25.000000000 -0700
> @@ -712,36 +712,55 @@ pipe_rdwr_release(struct inode *inode, s
> static int
> pipe_read_open(struct inode *inode, struct file *filp)
> {
> - /* We could have perhaps used atomic_t, but this and friends
> - below are the only places. So it doesn't seem worthwhile. */
> + int ret = -ENOENT;
> +
> mutex_lock(&inode->i_mutex);
> - inode->i_pipe->readers++;
> +
> + if (inode->i_pipe) {
> + ret = 0;
> + inode->i_pipe->readers++;
> + }
> +
> mutex_unlock(&inode->i_mutex);
>
> - return 0;
> + return ret;
> }
>
> static int
> pipe_write_open(struct inode *inode, struct file *filp)
> {
> + int ret = -ENOENT;
> +
> mutex_lock(&inode->i_mutex);
> - inode->i_pipe->writers++;
> +
> + if (inode->i_pipe) {
> + ret = 0;
> + inode->i_pipe->writers++;
> + }
> +
> mutex_unlock(&inode->i_mutex);
>
> - return 0;
> + return ret;
> }
>
> static int
> pipe_rdwr_open(struct inode *inode, struct file *filp)
> {
> + int ret = -ENOENT;
> +
> mutex_lock(&inode->i_mutex);
> - if (filp->f_mode & FMODE_READ)
> - inode->i_pipe->readers++;
> - if (filp->f_mode & FMODE_WRITE)
> - inode->i_pipe->writers++;
> +
> + if (inode->i_pipe) {
> + ret = 0;
> + if (filp->f_mode & FMODE_READ)
> + inode->i_pipe->readers++;
> + if (filp->f_mode & FMODE_WRITE)
> + inode->i_pipe->writers++;
> + }
> +
> mutex_unlock(&inode->i_mutex);
>
> - return 0;
> + return ret;
> }
>
> /*
>
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
>
--
Jiri Kosina
SUSE Labs, Novell Inc.
[ Exactly as before, but with sign off ]
This patch fixes a null pointer exception in pipe_rdwr_open() which
generates the stack trace:
> Unable to handle kernel NULL pointer dereference at 0000000000000028 RIP:
> [<ffffffff802899a5>] pipe_rdwr_open+0x35/0x70
> [<ffffffff8028125c>] __dentry_open+0x13c/0x230
> [<ffffffff8028143d>] do_filp_open+0x2d/0x40
> [<ffffffff802814aa>] do_sys_open+0x5a/0x100
> [<ffffffff8021faf3>] sysenter_do_call+0x1b/0x67
This defect is also described in:
http://lkml.org/lkml/2009/10/14/184
http://bugzilla.kernel.org/show_bug.cgi?id=14416
The failure mode is triggered by an attempt to open an anonymous
pipe via /proc/pid/fd/* as exemplified by this script:
=============================================================
#!/bin/sh
while : ; do
{ echo y ; sleep 1 ; } | { while read ; do echo z$REPLY; done ; } &
PID=$!
OUT=$(ps -efl | grep 'sleep 1' | grep -v grep |
{ read PID REST ; echo $PID; } )
OUT="${OUT%% *}"
DELAY=$((RANDOM * 1000 / 32768))
usleep $((DELAY * 1000 + RANDOM % 1000 ))
echo n > /proc/$OUT/fd/1 # Trigger defect
done
=============================================================
Note that the failure window is quite small and I could only
reliably reproduce the defect by inserting a small delay
in pipe_rdwr_open(). For example:
static int
pipe_rdwr_open(struct inode *inode, struct file *filp)
{
msleep(100);
mutex_lock(&inode->i_mutex);
Although the defect was observed in pipe_rdwr_open(), I think it
makes sense to replicate the change through all the pipe_*_open()
functions.
The core of the change is to verify that inode->i_pipe has not
been released before attempting to manipulate it. If inode->i_pipe
is no longer present, return ENOENT to indicate so.
The comment about potentially using atomic_t for i_pipe->readers
and i_pipe->writers has also been removed because it is no longer
relevant in this context. The inode->i_mutex lock must be used so
that inode->i_pipe can be dealt with correctly.
Signed-off-by: Earl Chew <[email protected]>
--- linux-2.6.21_mvlcge500/fs/pipe.c.orig 2009-10-15
20:33:53.000000000 -0700
+++ linux-2.6.21_mvlcge500/fs/pipe.c 2009-10-15 21:21:25.000000000 -0700
@@ -712,36 +712,55 @@ pipe_rdwr_release(struct inode *inode, s
static int
pipe_read_open(struct inode *inode, struct file *filp)
{
- /* We could have perhaps used atomic_t, but this and friends
- below are the only places. So it doesn't seem worthwhile. */
+ int ret = -ENOENT;
+
mutex_lock(&inode->i_mutex);
- inode->i_pipe->readers++;
+
+ if (inode->i_pipe) {
+ ret = 0;
+ inode->i_pipe->readers++;
+ }
+
mutex_unlock(&inode->i_mutex);
- return 0;
+ return ret;
}
static int
pipe_write_open(struct inode *inode, struct file *filp)
{
+ int ret = -ENOENT;
+
mutex_lock(&inode->i_mutex);
- inode->i_pipe->writers++;
+
+ if (inode->i_pipe) {
+ ret = 0;
+ inode->i_pipe->writers++;
+ }
+
mutex_unlock(&inode->i_mutex);
- return 0;
+ return ret;
}
static int
pipe_rdwr_open(struct inode *inode, struct file *filp)
{
+ int ret = -ENOENT;
+
mutex_lock(&inode->i_mutex);
- if (filp->f_mode & FMODE_READ)
- inode->i_pipe->readers++;
- if (filp->f_mode & FMODE_WRITE)
- inode->i_pipe->writers++;
+
+ if (inode->i_pipe) {
+ ret = 0;
+ if (filp->f_mode & FMODE_READ)
+ inode->i_pipe->readers++;
+ if (filp->f_mode & FMODE_WRITE)
+ inode->i_pipe->writers++;
+ }
+
mutex_unlock(&inode->i_mutex);
- return 0;
+ return ret;
}
/*
On Mon, 2009-10-19 at 11:13 -0700, Earl Chew wrote:
> [ Exactly as before, but with sign off ]
>
You've got a few more submission related issues, see below.
> This patch fixes a null pointer exception in pipe_rdwr_open() which
> generates the stack trace:
>
>
> > Unable to handle kernel NULL pointer dereference at 0000000000000028 RIP:
> > [<ffffffff802899a5>] pipe_rdwr_open+0x35/0x70
> > [<ffffffff8028125c>] __dentry_open+0x13c/0x230
> > [<ffffffff8028143d>] do_filp_open+0x2d/0x40
> > [<ffffffff802814aa>] do_sys_open+0x5a/0x100
> > [<ffffffff8021faf3>] sysenter_do_call+0x1b/0x67
>
> This defect is also described in:
> http://lkml.org/lkml/2009/10/14/184
> http://bugzilla.kernel.org/show_bug.cgi?id=14416
>
>
> The failure mode is triggered by an attempt to open an anonymous
> pipe via /proc/pid/fd/* as exemplified by this script:
>
> =============================================================
> #!/bin/sh
> while : ; do
> { echo y ; sleep 1 ; } | { while read ; do echo z$REPLY; done ; } &
> PID=$!
> OUT=$(ps -efl | grep 'sleep 1' | grep -v grep |
> { read PID REST ; echo $PID; } )
> OUT="${OUT%% *}"
> DELAY=$((RANDOM * 1000 / 32768))
> usleep $((DELAY * 1000 + RANDOM % 1000 ))
> echo n > /proc/$OUT/fd/1 # Trigger defect
> done
> =============================================================
>
> Note that the failure window is quite small and I could only
> reliably reproduce the defect by inserting a small delay
> in pipe_rdwr_open(). For example:
>
> static int
> pipe_rdwr_open(struct inode *inode, struct file *filp)
> {
> msleep(100);
> mutex_lock(&inode->i_mutex);
>
>
> Although the defect was observed in pipe_rdwr_open(), I think it
> makes sense to replicate the change through all the pipe_*_open()
> functions.
>
> The core of the change is to verify that inode->i_pipe has not
> been released before attempting to manipulate it. If inode->i_pipe
> is no longer present, return ENOENT to indicate so.
>
> The comment about potentially using atomic_t for i_pipe->readers
> and i_pipe->writers has also been removed because it is no longer
> relevant in this context. The inode->i_mutex lock must be used so
> that inode->i_pipe can be dealt with correctly.
>
>
> Signed-off-by: Earl Chew <[email protected]>
>
>
> --- linux-2.6.21_mvlcge500/fs/pipe.c.orig 2009-10-15
> 20:33:53.000000000 -0700
> +++ linux-2.6.21_mvlcge500/fs/pipe.c 2009-10-15 21:21:25.000000000 -0700
> @@ -712,36 +712,55 @@ pipe_rdwr_release(struct inode *inode, s
> static int
You patch looks like it might be line wrapped .. Sometimes mailers will
do that if you don't tell them the content is already formatted.
Also I see your using a MontaVista kernel, which is older than current
mainline .. I would assume you tested this on a recent kernel also?
> pipe_read_open(struct inode *inode, struct file *filp)
> {
> - /* We could have perhaps used atomic_t, but this and friends
> - below are the only places. So it doesn't seem worthwhile. */
> + int ret = -ENOENT;
>From checkpatch,
ERROR: code indent should use tabs where possible
#125: FILE: fs/pipe.c:720:
+ ret = 0;$
It looks like maybe your mailer (or copy and paste) may have stripped
all the tabs off your patch. This makes is very difficult to apply.
Daniel
Daniel Walker wrote:
> You patch looks like it might be line wrapped .. Sometimes mailers will
> do that if you don't tell them the content is already formatted.
Arghhh ... struck by Thunderbirditis.
Apparently mailnews.send_plaintext_flowed=false is the key to
preserving tabs, and the Toggle Word Wrap extension is useful
for to avoid inserting additional newlines:
https://addons.mozilla.org/en-US/thunderbird/addon/2351
As you can see, I'm new to this game. Your patience is appreciated.
I'll repost.
> Also I see your using a MontaVista kernel, which is older than current
> mainline .. I would assume you tested this on a recent kernel also?
I don't have immediate access to a more recent kernel.
The changes are fairly straightforward and I have added extensive
documentation on how to reproduce and verify the defect.
Is anyone interested in helping out here by verifying on a
more recent kernel?
Earl
[ Exactly as before, but with sign off and tabs preserved ]
This patch fixes a null pointer exception in pipe_rdwr_open() which
generates the stack trace:
> Unable to handle kernel NULL pointer dereference at 0000000000000028 RIP:
> [<ffffffff802899a5>] pipe_rdwr_open+0x35/0x70
> [<ffffffff8028125c>] __dentry_open+0x13c/0x230
> [<ffffffff8028143d>] do_filp_open+0x2d/0x40
> [<ffffffff802814aa>] do_sys_open+0x5a/0x100
> [<ffffffff8021faf3>] sysenter_do_call+0x1b/0x67
The failure mode is triggered by an attempt to open an anonymous
pipe via /proc/pid/fd/* as exemplified by this script:
=============================================================
#!/bin/sh
while : ; do
{ echo y ; sleep 1 ; } | { while read ; do echo z$REPLY; done ; } &
PID=$!
OUT=$(ps -efl | grep 'sleep 1' | grep -v grep |
{ read PID REST ; echo $PID; } )
OUT="${OUT%% *}"
DELAY=$((RANDOM * 1000 / 32768))
usleep $((DELAY * 1000 + RANDOM % 1000 ))
echo n > /proc/$OUT/fd/1 # Trigger defect
done
=============================================================
Note that the failure window is quite small and I could only
reliably reproduce the defect by inserting a small delay
in pipe_rdwr_open(). For example:
static int
pipe_rdwr_open(struct inode *inode, struct file *filp)
{
msleep(100);
mutex_lock(&inode->i_mutex);
Although the defect was observed in pipe_rdwr_open(), I think it
makes sense to replicate the change through all the pipe_*_open()
functions.
The core of the change is to verify that inode->i_pipe has not
been released before attempting to manipulate it. If inode->i_pipe
is no longer present, return ENOENT to indicate so.
The comment about potentially using atomic_t for i_pipe->readers
and i_pipe->writers has also been removed because it is no longer
relevant in this context. The inode->i_mutex lock must be used so
that inode->i_pipe can be dealt with correctly.
--- linux-2.6.21_mvlcge500/fs/pipe.c.orig 2009-10-15 20:33:53.000000000 -0700
+++ linux-2.6.21_mvlcge500/fs/pipe.c 2009-10-15 21:21:25.000000000 -0700
@@ -712,36 +712,55 @@ pipe_rdwr_release(struct inode *inode, s
static int
pipe_read_open(struct inode *inode, struct file *filp)
{
- /* We could have perhaps used atomic_t, but this and friends
- below are the only places. So it doesn't seem worthwhile. */
+ int ret = -ENOENT;
+
mutex_lock(&inode->i_mutex);
- inode->i_pipe->readers++;
+
+ if (inode->i_pipe) {
+ ret = 0;
+ inode->i_pipe->readers++;
+ }
+
mutex_unlock(&inode->i_mutex);
- return 0;
+ return ret;
}
static int
pipe_write_open(struct inode *inode, struct file *filp)
{
+ int ret = -ENOENT;
+
mutex_lock(&inode->i_mutex);
- inode->i_pipe->writers++;
+
+ if (inode->i_pipe) {
+ ret = 0;
+ inode->i_pipe->writers++;
+ }
+
mutex_unlock(&inode->i_mutex);
- return 0;
+ return ret;
}
static int
pipe_rdwr_open(struct inode *inode, struct file *filp)
{
+ int ret = -ENOENT;
+
mutex_lock(&inode->i_mutex);
- if (filp->f_mode & FMODE_READ)
- inode->i_pipe->readers++;
- if (filp->f_mode & FMODE_WRITE)
- inode->i_pipe->writers++;
+
+ if (inode->i_pipe) {
+ ret = 0;
+ if (filp->f_mode & FMODE_READ)
+ inode->i_pipe->readers++;
+ if (filp->f_mode & FMODE_WRITE)
+ inode->i_pipe->writers++;
+ }
+
mutex_unlock(&inode->i_mutex);
- return 0;
+ return ret;
}
/*
[ Exactly as before, but really sign off and tabs preserved ]
This patch fixes a null pointer exception in pipe_rdwr_open() which
generates the stack trace:
> Unable to handle kernel NULL pointer dereference at 0000000000000028 RIP:
> [<ffffffff802899a5>] pipe_rdwr_open+0x35/0x70
> [<ffffffff8028125c>] __dentry_open+0x13c/0x230
> [<ffffffff8028143d>] do_filp_open+0x2d/0x40
> [<ffffffff802814aa>] do_sys_open+0x5a/0x100
> [<ffffffff8021faf3>] sysenter_do_call+0x1b/0x67
The failure mode is triggered by an attempt to open an anonymous
pipe via /proc/pid/fd/* as exemplified by this script:
=============================================================
#!/bin/sh
while : ; do
{ echo y ; sleep 1 ; } | { while read ; do echo z$REPLY; done ; } &
PID=$!
OUT=$(ps -efl | grep 'sleep 1' | grep -v grep |
{ read PID REST ; echo $PID; } )
OUT="${OUT%% *}"
DELAY=$((RANDOM * 1000 / 32768))
usleep $((DELAY * 1000 + RANDOM % 1000 ))
echo n > /proc/$OUT/fd/1 # Trigger defect
done
=============================================================
Note that the failure window is quite small and I could only
reliably reproduce the defect by inserting a small delay
in pipe_rdwr_open(). For example:
static int
pipe_rdwr_open(struct inode *inode, struct file *filp)
{
msleep(100);
mutex_lock(&inode->i_mutex);
Although the defect was observed in pipe_rdwr_open(), I think it
makes sense to replicate the change through all the pipe_*_open()
functions.
The core of the change is to verify that inode->i_pipe has not
been released before attempting to manipulate it. If inode->i_pipe
is no longer present, return ENOENT to indicate so.
The comment about potentially using atomic_t for i_pipe->readers
and i_pipe->writers has also been removed because it is no longer
relevant in this context. The inode->i_mutex lock must be used so
that inode->i_pipe can be dealt with correctly.
Signed-off-by: Earl Chew <[email protected]>
--- linux-2.6.21_mvlcge500/fs/pipe.c.orig 2009-10-15 20:33:53.000000000 -0700
+++ linux-2.6.21_mvlcge500/fs/pipe.c 2009-10-15 21:21:25.000000000 -0700
@@ -712,36 +712,55 @@ pipe_rdwr_release(struct inode *inode, s
static int
pipe_read_open(struct inode *inode, struct file *filp)
{
- /* We could have perhaps used atomic_t, but this and friends
- below are the only places. So it doesn't seem worthwhile. */
+ int ret = -ENOENT;
+
mutex_lock(&inode->i_mutex);
- inode->i_pipe->readers++;
+
+ if (inode->i_pipe) {
+ ret = 0;
+ inode->i_pipe->readers++;
+ }
+
mutex_unlock(&inode->i_mutex);
- return 0;
+ return ret;
}
static int
pipe_write_open(struct inode *inode, struct file *filp)
{
+ int ret = -ENOENT;
+
mutex_lock(&inode->i_mutex);
- inode->i_pipe->writers++;
+
+ if (inode->i_pipe) {
+ ret = 0;
+ inode->i_pipe->writers++;
+ }
+
mutex_unlock(&inode->i_mutex);
- return 0;
+ return ret;
}
static int
pipe_rdwr_open(struct inode *inode, struct file *filp)
{
+ int ret = -ENOENT;
+
mutex_lock(&inode->i_mutex);
- if (filp->f_mode & FMODE_READ)
- inode->i_pipe->readers++;
- if (filp->f_mode & FMODE_WRITE)
- inode->i_pipe->writers++;
+
+ if (inode->i_pipe) {
+ ret = 0;
+ if (filp->f_mode & FMODE_READ)
+ inode->i_pipe->readers++;
+ if (filp->f_mode & FMODE_WRITE)
+ inode->i_pipe->writers++;
+ }
+
mutex_unlock(&inode->i_mutex);
- return 0;
+ return ret;
}
/*
On Tue, Oct 20, 2009 at 6:55 AM, Earl Chew <[email protected]> wrote:
> [ Exactly as before, but really sign off and tabs preserved ]
>
>
> This patch fixes a null pointer exception in pipe_rdwr_open() which
> generates the stack trace:
>
>
>> Unable to handle kernel NULL pointer dereference at 0000000000000028 RIP:
>> [<ffffffff802899a5>] pipe_rdwr_open+0x35/0x70
>> [<ffffffff8028125c>] __dentry_open+0x13c/0x230
>> [<ffffffff8028143d>] do_filp_open+0x2d/0x40
>> [<ffffffff802814aa>] do_sys_open+0x5a/0x100
>> [<ffffffff8021faf3>] sysenter_do_call+0x1b/0x67
>
>
> The failure mode is triggered by an attempt to open an anonymous
> pipe via /proc/pid/fd/* as exemplified by this script:
>
> =============================================================
> #!/bin/sh
> while : ; do
> { echo y ; sleep 1 ; } | { while read ; do echo z$REPLY; done ; } &
> PID=$!
> OUT=$(ps -efl | grep 'sleep 1' | grep -v grep |
> { read PID REST ; echo $PID; } )
> OUT="${OUT%% *}"
Well, you can use 'pgrep', it will save you a lot here.
Try: pgrep -f 'sleep 1' -n
> DELAY=$((RANDOM * 1000 / 32768))
> usleep $((DELAY * 1000 + RANDOM % 1000 ))
> echo n > /proc/$OUT/fd/1 # Trigger defect
> done
> =============================================================
>
This still has very little chance to trigger it, I am afraid.
I tried on my machine, didn't get any oops.
Trying to use C to write it may be better.
> Note that the failure window is quite small and I could only
> reliably reproduce the defect by inserting a small delay
> in pipe_rdwr_open(). For example:
>
> static int
> pipe_rdwr_open(struct inode *inode, struct file *filp)
> {
> msleep(100);
> mutex_lock(&inode->i_mutex);
>
>
> Although the defect was observed in pipe_rdwr_open(), I think it
> makes sense to replicate the change through all the pipe_*_open()
> functions.
>
> The core of the change is to verify that inode->i_pipe has not
> been released before attempting to manipulate it. If inode->i_pipe
> is no longer present, return ENOENT to indicate so.
>
> The comment about potentially using atomic_t for i_pipe->readers
> and i_pipe->writers has also been removed because it is no longer
> relevant in this context. The inode->i_mutex lock must be used so
> that inode->i_pipe can be dealt with correctly.
So, if I understand you correctly, you mean we have a small window
between calling sys_open() and fifo_open(), during this little period,
we don't have i_mutex held, thun another process have a chance
to release that pipe and make i_pipe NULL. Right?
Hmm, sounds reasonable. :-/
I'd like you to put the explanations into the code, as comments.
>
>
> Signed-off-by: Earl Chew <[email protected]>
Add some Cc, fs-devel and Al.
>
>
> --- linux-2.6.21_mvlcge500/fs/pipe.c.orig 2009-10-15 20:33:53.000000000 -0700
> +++ linux-2.6.21_mvlcge500/fs/pipe.c 2009-10-15 21:21:25.000000000 -0700
> @@ -712,36 +712,55 @@ pipe_rdwr_release(struct inode *inode, s
> static int
> pipe_read_open(struct inode *inode, struct file *filp)
> {
> - /* We could have perhaps used atomic_t, but this and friends
> - below are the only places. So it doesn't seem worthwhile. */
> + int ret = -ENOENT;
> +
> mutex_lock(&inode->i_mutex);
> - inode->i_pipe->readers++;
> +
> + if (inode->i_pipe) {
> + ret = 0;
> + inode->i_pipe->readers++;
> + }
> +
> mutex_unlock(&inode->i_mutex);
>
> - return 0;
> + return ret;
> }
>
> static int
> pipe_write_open(struct inode *inode, struct file *filp)
> {
> + int ret = -ENOENT;
> +
> mutex_lock(&inode->i_mutex);
> - inode->i_pipe->writers++;
> +
> + if (inode->i_pipe) {
> + ret = 0;
> + inode->i_pipe->writers++;
> + }
> +
> mutex_unlock(&inode->i_mutex);
>
> - return 0;
> + return ret;
> }
>
> static int
> pipe_rdwr_open(struct inode *inode, struct file *filp)
> {
> + int ret = -ENOENT;
> +
> mutex_lock(&inode->i_mutex);
> - if (filp->f_mode & FMODE_READ)
> - inode->i_pipe->readers++;
> - if (filp->f_mode & FMODE_WRITE)
> - inode->i_pipe->writers++;
> +
> + if (inode->i_pipe) {
> + ret = 0;
> + if (filp->f_mode & FMODE_READ)
> + inode->i_pipe->readers++;
> + if (filp->f_mode & FMODE_WRITE)
> + inode->i_pipe->writers++;
> + }
> +
> mutex_unlock(&inode->i_mutex);
>
> - return 0;
> + return ret;
> }
>
> /*
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
>