  1. 19 March 2007, 1 commit
      [PATCH] tty: Fix two reported pid leaks · d9c1e9a8
      Committed by Eric W. Biederman
      These leaks were reported by Catalin Marinas <catalin.marians@gmail.com>
      and I have been able to verify by inspection that they are possible.
      
      When converting tty_io.c to store pids as struct pid pointers instead
      of pid_t values it appears I overlooked two places where we stop using
      the pid value.  The very obvious one is in do_tty_hangup, and the
      less obvious one in __proc_set_tty.
      
      When looking into the code __proc_set_tty only has pids that need to
      be put because of failures of other parts of the code to properly
      perform hangup processing.   Fixing the leak here in __proc_set_tty
      is easy and obviously correct so I am doing that first.
      
      Fixing the places that should be performing hangup processing is much
      less obviously correct.  So I'm aiming those patches at -mm for now,
      so they can age a while before they are merged.
      Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  2. 02 March 2007, 1 commit
      [PATCH] tty_io: fix race in master pty close/slave pty close path · 5a39e8c6
      Committed by Aristeu Sergio Rozanski Filho
      This patch fixes a possible race that leads to double freeing an idr index.
      When the master begins to close, release_dev() is called and then
      pty_close() is called:
      
              if (tty->driver->close)
                      tty->driver->close(tty, filp);
      
      This is done without holding any locks other than the BKL.  Inside pty_close(),
      being a master close, the devpts entry will be removed:
      
      #ifdef CONFIG_UNIX98_PTYS
                      if (tty->driver == ptm_driver)
                              devpts_pty_kill(tty->index);
      #endif
      
      But devpts_pty_kill() will call get_node() that may sleep while waiting for
      &devpts_root->d_inode->i_sem.  When this happens and the slave is being
      opened, tty_open() just found the driver and index:
      
              driver = get_tty_driver(device, &index);
              if (!driver) {
                      mutex_unlock(&tty_mutex);
                      return -ENODEV;
              }
      
      This part of the code is already protected under tty_mutex.  The problem is
      that the slave open already got an index.  Then init_dev() is called and
      blocks waiting for the same &devpts_root->d_inode->i_sem.
      
      When the master close resumes, it removes the devpts entry, and the
      relation between idr index and the tty is gone.  The master then sleeps
      waiting for the tty_mutex on release_dev().
      
      Slave open resumes and finds no tty for that index.  As a result, a NULL tty
      is returned and init_dev() doesn't flow to fast_track:
      
              /* check whether we're reopening an existing tty */
              if (driver->flags & TTY_DRIVER_DEVPTS_MEM) {
                      tty = devpts_get_tty(idx);
                      if (tty && driver->subtype == PTY_TYPE_MASTER)
                              tty = tty->link;
              } else {
                      tty = driver->ttys[idx];
              }
              if (tty) goto fast_track;
      
      The result of this is that a new tty will be created and init_dev() returns
      successfully.  After returning, tty_mutex is dropped and master close may resume.
      
      Master close finds it's the only use and both sides are closing, then releases
      the tty and the index. At this point, the idr index is free, but slave still
      has it.
      
      Slave open then calls pty_open() and finds that tty->link->count is 0,
      because there's no master and returns error.  Then tty_open() calls
      release_dev() which executes without any warning, as it was a case of last
      slave close when the master is already closed (master->count == 0,
      slave->count == 1).  The tty is then released with the already released idr
      index.
      
      This normally would only issue a warning on idr_remove() but in case of a
      customer's critical application, it's never too simple:
      
      thread1: opens master, gets index X
      thread1: begin closing master
      thread2: begin opening slave with index X
      thread1: finishes closing master, index X released
      thread3: opens master, gets index X, just released
      thread2: fails opening slave, releases index X         <----
      thread4: opens master, gets index X, init_dev() then finds an already in use
      	 and healthy tty and fails
      
      If no more indexes are released, ptmx_open() will keep failing, as the
      first free index available is X, and it will make init_dev() fail because
      you're trying to "reopen a master" which isn't valid.
      
      The patch notices when this race happens and makes init_dev() fail
      immediately.  The init_dev() function is called with tty_mutex held, so it's
      safe to continue with tty till the end of function because release_dev()
      won't make any further changes without grabbing the tty_mutex.
      
      Without the patch, on some machines it's easily possible to get idr warnings
      like this one:
      
      idr_remove called for id=15 which is not allocated.
       [<c02555b9>] idr_remove+0x139/0x170
       [<c02a1b62>] release_mem+0x182/0x230
       [<c02a28e7>] release_dev+0x4b7/0x700
       [<c02a0ea7>] tty_ldisc_enable+0x27/0x30
       [<c02a1e64>] init_dev+0x254/0x580
       [<c02a0d64>] check_tty_count+0x14/0xb0
       [<c02a4f05>] tty_open+0x1c5/0x340
       [<c02a4d40>] tty_open+0x0/0x340
       [<c017388f>] chrdev_open+0xaf/0x180
       [<c017c2ac>] open_namei+0x8c/0x760
       [<c01737e0>] chrdev_open+0x0/0x180
       [<c0167bc9>] __dentry_open+0xc9/0x210
       [<c0167e2c>] do_filp_open+0x5c/0x70
       [<c0167a91>] get_unused_fd+0x61/0xd0
       [<c0167e93>] do_sys_open+0x53/0x100
       [<c0167f97>] sys_open+0x27/0x30
       [<c010303b>] syscall_call+0x7/0xb
      
      using this test application available on:
       http://www.ruivo.org/~aris/pty_sodomizer.c
      Signed-off-by: Aristeu Sergio Rozanski Filho <aris@ruivo.org>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Chuck Ebbert <cebbert@redhat.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
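Added example, not code from the commit or the kernel: a single-threaded C model of the interleaving described above. The idr index table, the devpts node and the slave-open path are reduced to a few constructed booleans so the thread1..thread4 sequence can be replayed both without and with the patch's early failure in init_dev(); function names mirror the kernel ones but are stand-ins.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define NR_PTYS 4                 /* constructed: tiny pty table for the model */
static bool idr_used[NR_PTYS];    /* idr bitmap: is this index allocated?       */
static bool devpts_node[NR_PTYS]; /* devpts entry; false == devpts_get_tty NULL */
static int  idr_warnings;         /* idr_remove() calls on an unallocated id    */

static int idr_get(void)
{
    for (int i = 0; i < NR_PTYS; i++)
        if (!idr_used[i]) { idr_used[i] = true; return i; }
    return -ENOSPC;
}

static void idr_remove(int idx)
{
    if (!idr_used[idx]) {
        printf("idr_remove called for id=%d which is not allocated.\n", idx);
        idr_warnings++;
    }
    idr_used[idx] = false;
}

/* ptmx_open(): allocate an index and create its devpts node. */
static int master_open(void)
{
    int idx = idr_get();
    if (idx >= 0) devpts_node[idx] = true;
    return idx;
}

/* Master close in two halves: pty_close() kills the devpts node (and may
 * sleep); release_dev() frees the idr index later, under tty_mutex. */
static void master_close_begin(int idx)  { devpts_node[idx] = false; }
static void master_close_finish(int idx) { idr_remove(idx); }

/* init_dev() for a slave: devpts_get_tty(idx) is NULL once the node is gone. */
static int slave_init_dev(int idx, bool fixed)
{
    if (devpts_node[idx]) return 0;  /* fast_track: reopen the existing tty  */
    /* unpatched: create a fresh tty sharing idx; patched: fail immediately */
    return fixed ? -EIO : 0;
}

/* Replay the interleaving from the commit message. Returns the number of
 * anomalies: idr warnings plus two live masters holding the same index. */
static int run_race(bool fixed, bool third_master)
{
    memset(idr_used, 0, sizeof idr_used); memset(devpts_node, 0, sizeof devpts_node);
    idr_warnings = 0;
    int x = master_open();                      /* thread1: master, gets X       */
    master_close_begin(x);                      /* thread1: begin closing        */
    int rc = slave_init_dev(x, fixed);          /* thread2: slave open on X      */
    master_close_finish(x);                     /* thread1: X released           */
    int m3 = third_master ? master_open() : -1; /* thread3: master, gets X       */
    if (rc == 0) idr_remove(x);                 /* thread2: pty_open() fails,
                                                   release_dev() frees X <----   */
    int m4 = master_open();                     /* thread4: master               */
    return idr_warnings + (m3 >= 0 && m3 == m4 ? 1 : 0);
}
```

Without thread3 the unpatched replay produces the idr_remove warning from the commit message; with thread3 it instead hands the same index to two live masters, which is the failure the text describes for thread4.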
  3. 21 February 2007, 2 commits
  4. 14 February 2007, 1 commit
      [PATCH] Fix SAK_work workqueue initialization. · 7f1f86a0
      Committed by Eric W. Biederman
      Somewhere in the rewrite of the work queues my cleanup of SAK handling
      got broken.  Maybe I didn't retest it properly or possibly the API
      was changing so fast I missed something.  Regardless currently
      triggering a SAK now generates an ugly BUG_ON and kills the kernel.
      
      Thanks to Alexey Dobriyan <adobriyan@openvz.org> for spotting this.
      
      This modifies the use of SAK_work to initialize it when the data
      structure it resides in is initialized, and to simply call
      schedule_work when we need to generate a SAK.  I update both
      data structures that have a SAK_work member for consistency.
      
      All of the old PREPARE_WORK calls are now gone.
      
      If we call schedule_work again before it has processed the first SAK
      it will simply ignore the duplicate schedule_work request.
      Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  5. 13 February 2007, 6 commits
      [PATCH] tty: update the tty layer to work with struct pid · ab521dc0
      Committed by Eric W. Biederman
      Of kernel subsystems that work with pids the tty layer is probably the largest
      consumer.  But it has the nice virtue that the association with a session only
      lasts until the session leader exits.  Which means that no reference counting
      is required.  So using struct pid winds up being a simple optimization to
      avoid hash table lookups.
      
      In the long term the use of pid_nr also ensures that when we have multiple pid
      spaces mixed everything will work correctly.
      Signed-off-by: Eric W. Biederman <eric@maxwell.lnxi.com>
      Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
      Cc: Oleg Nesterov <oleg@tv-sign.ru>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      [PATCH] pid: replace is_orphaned_pgrp with is_current_pgrp_orphaned · 3e7cd6c4
      Committed by Eric W. Biederman
      Every call to is_orphaned_pgrp passed in process_group(current) which is racy
      with respect to another thread changing our process group.  It didn't bite us
      because we were dealing with integers and the worse we would get would be a
      stale answer.
      
      In switching the checks to use struct pid to be a little more efficient and
      prepare the way for pid namespaces this race became apparent.
      
      So I simplified the calls to the more specialized is_current_pgrp_orphaned so
      I didn't have to worry about making logic changes to avoid the race.
      Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
      Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
      Cc: Oleg Nesterov <oleg@tv-sign.ru>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      [PATCH] pid: make session_of_pgrp use struct pid instead of pid_t · 04a2e6a5
      Committed by Eric W. Biederman
      To properly implement a pid namespace I need to deal exclusively in terms of
      struct pid, because pid_t values become ambiguous.
      
      To this end session_of_pgrp is transformed to take and return a struct pid
      pointer.  To avoid the need to worry about reference counting I now require my
      caller to hold the appropriate locks, leaving callers responsible for
      increasing the reference count if they need access to the result outside of
      the locks.
      
      Since session_of_pgrp currently only has one caller and that caller simply
      only tests the result for equality with another process group, the locking
      change means I don't actually have to acquire the tasklist_lock at all.
      
      tiocspgrp is also modified to take and release the lock.  The logic there is a
      little more complicated but nothing I won't need when I convert pgrp of a tty
      to a struct pid pointer.
      Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
      Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
      Cc: Oleg Nesterov <oleg@tv-sign.ru>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      [PATCH] tty: fix the locking for signal->session in disassociate_ctty · 2ea81868
      Committed by Eric W. Biederman
      Commit 24ec839c, while fixing the locking for signal->tty, got the
      locking wrong for signal->session.  This places our accesses of
      signal->session back under the tasklist_lock where they belong.
      Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
      Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
      Cc: Oleg Nesterov <oleg@tv-sign.ru>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      [PATCH] tty: clarify disassociate_ctty · 680a9671
      Committed by Eric W. Biederman
      The code to look at tty_old_pgrp and send SIGHUP and SIGCONT when it is
      present only executes when disassociate_ctty is called from do_exit.  Make
      this clear by adding an explicit on_exit check, and explicitly setting
      tty_old_pgrp to 0.
      
      In addition fix the locking by reading tty_old_pgrp under the siglock.
      Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
      Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
      Cc: Oleg Nesterov <oleg@tv-sign.ru>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      [PATCH] tty: make __proc_set_tty static · cdc62330
      Committed by Eric W. Biederman
      The aim of this patch set is to start wrapping up the struct pid conversions.
      As such this patchset culminates with the removal of kill_pg, kill_pg_info,
      __kill_pg_info, do_each_task_pid, and while_each_task_pid.
      
      kill_proc, daemonize, and kernel_thread are still in my sights but there is
      still work to get to them.
      
      The first three are basic cleanups around disassociate_ctty, while working on
      converting it I found several issues.  tty_old_pgrp can be a tricky concept to
      wrap your head around.
      
       1 tty: Make __proc_set_tty static.
       2 tty: Clarify disassociate_ctty
       3 tty: Fix the locking for signal->session in disassociate_ctty
      
      These just stop using the old helper functions.
      
       4 signal: Use kill_pgrp not kill_pg in the sunos compatibility code.
       5 signal: Rewrite kill_something_info so it uses newer helpers.
      
      Then the grind to convert the tty layer and all of its helper functions to
      struct pid.
      
       6 pid: Make session_of_pgrp use struct pid instead of pid_t.
       7 pid: Use struct pid for talking about process groups in exit.c
       8 pid: Replace is_orphaned_pgrp with is_current_pgrp_orphaned
       9 tty: Update the tty layer to work with struct pid.
      
      A final helper function update.
      
      10 pid: Replace do/while_each_task_pid with do/while_each_pid_task
      
      And the removal of the functions that are now unused.
      11 pid: Remove now unused do_each_task_pid and while_each_task_pid
      12 pid: Remove the now unused kill_pg kill_pg_info and __kill_pg_info
      
      All of these should be fairly simple and to the point.
      
      This patch:
      
      Currently all users of __proc_set_tty are in tty_io.c so make the function
      static.
      Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
      Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
      Cc: Oleg Nesterov <oleg@tv-sign.ru>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  6. 12 February 2007, 3 commits
  7. 14 December 2006, 2 commits
  8. 09 December 2006, 5 commits
  9. 02 December 2006, 1 commit
  10. 22 November 2006, 2 commits
      WorkStruct: Pass the work_struct pointer instead of context data · 65f27f38
      Committed by David Howells
      Pass the work_struct pointer to the work function rather than context data.
      The work function can use container_of() to work out the data.
      
      For the cases where the container of the work_struct may go away the moment the
      pending bit is cleared, it is made possible to defer the release of the
      structure by deferring the clearing of the pending bit.
      
      To make this work, an extra flag is introduced into the management side of the
      work_struct.  This governs auto-release of the structure upon execution.
      
      Ordinarily, the work queue executor would release the work_struct for further
      scheduling or deallocation by clearing the pending bit prior to jumping to the
      work function.  This means that, unless the driver makes some guarantee itself
      that the work_struct won't go away, the work function may not access anything
      else in the work_struct or its container lest they be deallocated.  This is a
      problem if the auxiliary data is taken away (as done by the last patch).
      
      However, if the pending bit is *not* cleared before jumping to the work
      function, then the work function *may* access the work_struct and its container
      with no problems.  But then the work function must itself release the
      work_struct by calling work_release().
      
      In most cases, automatic release is fine, so this is the default.  Special
      initiators exist for the non-auto-release case (ending in _NAR).
      Signed-Off-By: David Howells <dhowells@redhat.com>
      WorkStruct: Separate delayable and non-delayable events. · 52bad64d
      Committed by David Howells
      Separate delayable work items from non-delayable work items by splitting them
      into a separate structure (delayed_work), which incorporates a work_struct and
      the timer_list removed from work_struct.
      
      The work_struct struct is huge, and this limits its usefulness.  On a 64-bit
      architecture it's nearly 100 bytes in size.  This reduces that by half for the
      non-delayable type of event.
      Signed-Off-By: David Howells <dhowells@redhat.com>
  11. 02 October 2006, 1 commit
      [PATCH] const struct tty_operations · b68e31d0
      Committed by Jeff Dike
      As part of an SMP cleanliness pass over UML, I consted a bunch of
      structures in order to not have to document their locking.  One of these
      structures was a struct tty_operations.  In order to const it in UML
      without introducing compiler complaints, the declaration of
      tty_set_operations needs to be changed, and then all of its callers need to
      be fixed.
      
      This patch declares all struct tty_operations in the tree as const.  In all
      cases, they are static and used only as input to tty_set_operations.  As an
      extra check, I ran an i386 allyesconfig build which produced no extra
      warnings.
      
      53 drivers are affected.  I checked the history of a bunch of them, and in
      most cases, there have been only a handful of maintenance changes in the
      last six months.  serial_core.c was the busiest one that I looked at.
      Signed-off-by: Jeff Dike <jdike@addtoit.com>
      Acked-by: Alan Cox <alan@redhat.com>
      Signed-off-by: Andrew Morton <akpm@osdl.org>
      Signed-off-by: Linus Torvalds <torvalds@osdl.org>
  12. 30 September 2006, 8 commits
  13. 28 August 2006, 3 commits
  14. 04 July 2006, 2 commits
  15. 01 July 2006, 1 commit
  16. 29 June 2006, 1 commit
      [PATCH] remove active field from tty buffer structure · 33b37a33
      Committed by Paul Fulghum
      Remove 'active' field from tty buffer structure.  This was added in 2.6.16
      as part of a patch to make the new tty buffering SMP safe.  This field is
      unnecessary with the more intelligently written flush_to_ldisc that adds
      receive_room handling.
      
      Removing this field reverts to simpler logic where the tail buffer is
      always the 'active' buffer, which should not be freed by flush_to_ldisc.
      (active == buffer being filled with new data)
      
      The result is simpler, smaller, and faster tty buffer code.
      Signed-off-by: Paul Fulghum <paulkf@microgate.com>
      Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
      Cc: Theodore Ts'o <tytso@mit.edu>
      Signed-off-by: Andrew Morton <akpm@osdl.org>
      Signed-off-by: Linus Torvalds <torvalds@osdl.org>