• Andrew Morton's avatar
    [PATCH] posix locks oops fix · ab31c400
    Andrew Morton authored
    From: Andreas Gruenbacher <agruen@suse.de>
    
    There is a race between unshare_files() and the following steal_locks().
    As a consequence, steal_locks() may steal some additional FL_POSIX locks
    that don't belong to the current thread.  This triggers a BUG in
    locks_remove_flock().
    
    In detail, the current thread shares its files struct with other threads.
    This causes unshare_files() to associate the current thread with a copy of
    its files_struct.  The copy shares all file objects with the original files
    struct.  In the time between unshare_files() and steal_locks(), another
    thread creates a new file and a FL_POSIX lock on it.  The current thread
    gets into steal_locks() and takes over all FL_POSIX locks that refer to the
    previous files_struct, including the new lock.  We do
    put_files_struct(original files_struct).  This causes the file handle to
    the new file to be closed.  We get into locks_remove_posix() and miss the
    lock, because its fl_owner field now refers to the new files_struct. 
    Finally we get into locks_remove_flock(), and stumble upon the lock.
    
    While looking into this bug report I gathered the following data with a
    SUSE kernel (oops and LKCD dump from Chris):
    
    kernel BUG at fs/locks.c:1736!
    invalid operand: 0000 [#1]
    SMP
    CPU:    0
    EIP:    0060:[<c01844fb>]    Tainted: G  U
    EFLAGS: 00010246   (2.6.5-0-testing)
    EIP is at locks_remove_flock+0x8b/0x130
    eax: f7b89998   ebx: f61df3fc   ecx: f61df354   edx: 00000000
    esi: f61df354   edi: f6702b80   ebp: f6179c24   esp: f6179c08
    ds: 007b   es: 007b   ss: 0068
    Process owcimomd (pid: 1713, threadinfo=f6178000 task=f66d0d60)
    Stack: c1e1fdac c1e1fdac f7fe83c0 00000296 f6702b80 f7fe87c0 f61df354 f6179c3c
           c016ce00 f61ddadc f6702b80 00000000 f6703b00 f6179c54 c0168b1f c0000000
           0000026f 00000012 f6703b00 f6179c6c c0124ba7 00000001 f6179e5c f6179d88
    Call Trace:
     [<c016ce00>] __fput+0x30/0x120
     [<c0168b1f>] filp_close+0x4f/0x90
     [<c0124ba7>] put_files_struct+0x67/0xc0
     [<c019d285>] load_elf_binary+0x3f5/0x1596
     [<c018a5af>] update_atime+0x9f/0xc0
     [<c01478fd>] __generic_file_aio_read+0x1cd/0x200
     [<c0145060>] file_read_actor+0x0/0xd0
     [<c01784b7>] search_binary_handler+0x97/0x270
     [<c017a072>] do_execve+0x172/0x200
     [<c0105fb2>] sys_execve+0x32/0x70
     [<c0107e21>] sysenter_past_esp+0x52/0x71
    
    Code: 0f 0b c8 06 eb 74 35 c0 eb db b8 00 e0 ff ff 21 e0 8b 10 8b
    
    put_files_struct+0x67 is equivalent to fs/binfmt_elf.c:681 in 2.6.6
    
    current->files == fl->fl_owner
    fl->fl_file = 0xf6702b80 (a valid struct file)
    
    current->files =
      max_fds=32
      max_fdset=1024
      next_fd=3
      fd=[0xf6927080 0xf6951b80  0xf6951b80 0 ...]
    
    Here's a proposed fix.  As a side effect, steal_locks no longer walks the
    global list of locks, but only the locks of all open inodes.
    
    What are the reasons (other than historic ones) for not getting rid of
    fl_owner and using fl_pid instead, by the way?  I think that would clean up
    the whole mess with file locks a bit.
    Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
    ab31c400
locks.c 50.3 KB