LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: "Serge E. Hallyn" <serge@hallyn.com>
To: Alexey Dobriyan <adobriyan@openvz.org>
Cc: akpm@osdl.org, linux-kernel@vger.kernel.org, devel@openvz.org
Subject: Re: [PATCH] Fix NULL ->nsproxy dereference in /proc/*/mounts
Date: Tue, 16 Jan 2007 10:55:47 -0600	[thread overview]
Message-ID: <20070116165547.GA14658@vino.hallyn.com> (raw)
In-Reply-To: <20070115164506.GA6031@localhost.sw.ru>

Quoting Alexey Dobriyan (adobriyan@openvz.org):
> /proc/*/mounstats was fixed, all right, but...
> 
> To reproduce:
> 
> 	while true; do
> 		find /proc -type f 2>/dev/null | xargs cat 1>/dev/null 2>/dev/null;
> 	done
> 
> BUG: unable to handle kernel NULL pointer dereference at virtual address 0000000c
>  printing eip:
> c01754df
> *pde = 00000000
> Oops: 0000 [#28]
> Modules linked in: af_packet ohci_hcd e1000 ehci_hcd uhci_hcd usbcore xfs
> CPU:    0
> EIP:    0060:[<c01754df>]    Not tainted VLI
> EFLAGS: 00010286   (2.6.20-rc5 #1)
> EIP is at mounts_open+0x1c/0xac
> eax: 00000000   ebx: d5898ac0   ecx: d1d27b18   edx: d1d27a50
> esi: e6083e10   edi: d3c87f38   ebp: d5898ac0   esp: d3c87ef0
> ds: 007b   es: 007b   ss: 0068
> Process cat (pid: 18071, ti=d3c86000 task=f7d5f070 task.ti=d3c86000)
> Stack: d5898ac0 e6083e10 d3c87f38 c01754c3 c0147c91 c18c52c0 d343f314 d5898ac0
>        00008000 d3c87f38 ffffff9c c0147e09 d5898ac0 00000000 00000000 c0147e4b
>        00000000 d3c87f38 d343f314 c18c52c0 c015e53e 00001000 08051000 00000101
> Call Trace:
>  [<c01754c3>] mounts_open+0x0/0xac
>  [<c0147c91>] __dentry_open+0xa1/0x18c
>  [<c0147e09>] nameidata_to_filp+0x31/0x3a
>  [<c0147e4b>] do_filp_open+0x39/0x40
>  [<c015e53e>] seq_read+0x128/0x2aa
>  [<c0147e8c>] do_sys_open+0x3a/0x6d
>  [<c0147efa>] sys_open+0x1c/0x20
>  [<c0102b76>] sysenter_past_esp+0x5f/0x85
>  [<c02a0033>] unix_stream_recvmsg+0x3bf/0x4bf
>  =======================
> Code: 5d c3 89 d8 e8 06 e0 f9 ff eb bd 0f 0b eb fe 55 57 56 53 89 d5 8b 40 f0 31 d2 e8 02 c1 fa ff 89 c2 85 c0 74 5c 8b 80 48 04 00 00 <8b> 58 0c 85 db 74 02 ff 03 ff 4a 08 0f 94 c0 84 c0 75 74 85 db
> EIP: [<c01754df>] mounts_open+0x1c/0xac SS:ESP 0068:d3c87ef0
> 
> Signed-off-by: Alexey Dobriyan <adobriyan@openvz.org>

Yup, race with do_exit()'s call to exit_namespaces().  Thanks for
the patch.

Acked-by: Serge Hallyn <serue@us.ibm.com>

> ---
> 
>  fs/proc/base.c |    8 +++++---
>  1 file changed, 5 insertions(+), 3 deletions(-)
> 
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -371,9 +371,11 @@ static int mounts_open(struct inode *ino
>  
>  	if (task) {
>  		task_lock(task);
> -		ns = task->nsproxy->mnt_ns;
> -		if (ns)
> -			get_mnt_ns(ns);
> +		if (task->nsproxy) {
> +			ns = task->nsproxy->mnt_ns;
> +			if (ns)
> +				get_mnt_ns(ns);
> +		}
>  		task_unlock(task);
>  		put_task_struct(task);
>  	}
> 
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/

      reply	other threads:[~2007-01-16 17:02 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-01-15 16:45 Alexey Dobriyan
2007-01-16 16:55 ` Serge E. Hallyn [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20070116165547.GA14658@vino.hallyn.com \
    --to=serge@hallyn.com \
    --cc=adobriyan@openvz.org \
    --cc=akpm@osdl.org \
    --cc=devel@openvz.org \
    --cc=linux-kernel@vger.kernel.org \
    --subject='Re: [PATCH] Fix NULL ->nsproxy dereference in /proc/*/mounts' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).