| commit | 934acf6c631798192ebf93a685d555bddfbdac1d | |
| author | Andrew Morton <akpm@osdl.org> | |
| Thu, 10 Jul 2003 17:04:38 +0000 (10 10:04 -0700) | ||
| committer | Linus Torvalds <torvalds@home.osdl.org> | |
| Thu, 10 Jul 2003 17:04:38 +0000 (10 10:04 -0700) | ||
| tree | 77613bc40b3b9e814c3612e5dc8b72bdc6abb226 | treesnapshot (tar.gz zip) |
| parent | e59d9afb3656cd89b6831463958d5ba88fdeb052 | commitdiff |
[PATCH] devfs oops fix
From: Andrey Borzenkov <arvidjaar@mail.ru>
Doing concurrent lookups for the same name in devfs with devfsd and modules
enabled may result in stack coruption.
When devfs_lookup needs to call devfsd it arranges for other lookups for the
same name to wait. It is using local variable as wait queue head. After
devfsd returns devfs_lookup wakes up all waiters and returns. Unfortunately
there is no garantee all waiters will actually get chance to run and clean up
before devfs_lookup returns. so some of them attempt to access already freed
storage on stack.
It is trivial to trigger with SMP kernel (I have single-CPU system if it
matters) doing
while true
do
ls /dev/foo &
done
Without spinlock debug system usually hung dead with reset button as the only
possibility.
I was not able to reproduce it on 2.4 on single-CPU system - in 2.4
devfs_d_revalidate_wait does not attempt to remove itself from wait queue
so it appears to be safe.
The patch makes lookup struct be allocated from heap and adds reference
counter to free it when no more needed.
From: Andrey Borzenkov <arvidjaar@mail.ru>
Doing concurrent lookups for the same name in devfs with devfsd and modules
enabled may result in stack coruption.
When devfs_lookup needs to call devfsd it arranges for other lookups for the
same name to wait. It is using local variable as wait queue head. After
devfsd returns devfs_lookup wakes up all waiters and returns. Unfortunately
there is no garantee all waiters will actually get chance to run and clean up
before devfs_lookup returns. so some of them attempt to access already freed
storage on stack.
It is trivial to trigger with SMP kernel (I have single-CPU system if it
matters) doing
while true
do
ls /dev/foo &
done
Without spinlock debug system usually hung dead with reset button as the only
possibility.
I was not able to reproduce it on 2.4 on single-CPU system - in 2.4
devfs_d_revalidate_wait does not attempt to remove itself from wait queue
so it appears to be safe.
The patch makes lookup struct be allocated from heap and adds reference
counter to free it when no more needed.
| fs/devfs/base.c | diffblobblamehistory |