[Devel] [PATCH rh7] ve/tty: vt -- Fix nil dereference due to race

Cyrill Gorcunov gorcunov at virtuozzo.com
Thu Aug 6 13:19:04 PDT 2015 

In commit 5571b126368c0153d73eaec0fdf43fbcbae67fd9 we bring
in the stabs for virtual terminals but they are race sensitive:
all therminals are represented by one per-VE @vz_tty_conm tty peer
which can be removed and set to nil if application ask for new
terminal when old one is inside "remove" stage. This may
lead to nil dereference and panic as Nikita spotted

 | [  325.357491] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
 | [  325.357816] IP: [<ffffffff81364260>] tty_open+0x610/0x6e0
 | [  325.357994] PGD 3b745067 PUD 3b6ff067 PMD 0 
 | [  325.358201] Oops: 0002 [#1] SMP 
 | [  325.362469] CPU: 1 PID: 2873 Comm: criu ve: 200 Not tainted 3.10.0-123.1.2.vz7.5.29 #1 5.29
 | [  325.362954] task: ffff88003af56480 ti: ffff88003bf24000 task.ti: ffff88003bf24000
 | [  325.363119] RIP: 0010:[<ffffffff81364260>]  [<ffffffff81364260>] tty_open+0x610/0x6e0
 | [  325.363329] RSP: 0018:ffff88003bf25c00  EFLAGS: 00010202
 | [  325.363454] RAX: 0000000000000001 RBX: ffff88003638c000 RCX: 0000000000000001
 | [  325.363614] RDX: ffff88003bf25c34 RSI: 0000000000000002 RDI: ffff88003bf60000
 | [  325.363776] RBP: ffff88003bf25c68 R08: 00000000000208c0 R09: ffff88003d803c00
 | [  325.363972] R10: 0000000000000002 R11: 0000000000000004 R12: 0000000000000000
 | [  325.364145] R13: 0000000000000000 R14: 0000000000400002 R15: 0000000000000000
 | [  325.364303] FS:  00007fe73f0f6740(0000) GS:ffff88003de40000(0000) knlGS:0000000000000000
 | [  325.364479] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 | [  325.364616] CR2: 0000000000000004 CR3: 000000003c78b000 CR4: 00000000001406e0
 | [  325.364775] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 | [  325.364949] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
 | [  325.365120] Stack:
 | [  325.365198]  ffff88003af56480 000000043bf25c68 ffff88003af56480 ffff88003b7a1960
 | [  325.365498]  ffff88003af56480 0040000200008002 0000000100000000 00000000b2cf8386
 | [  325.365838]  ffff88003d21a068 ffff88003b7a1960 ffff88003638c000 0000000000000000
 | [  325.366130] Call Trace:
 | [  325.366215]  [<ffffffff811c1761>] chrdev_open+0xa1/0x1e0
 | [  325.366339]  [<ffffffff811c16c0>] ? cdev_put+0x30/0x30
 | [  325.366472]  [<ffffffff811ba772>] do_dentry_open.isra.17+0x192/0x290
 | [  325.366625]  [<ffffffff811ba95e>] finish_open+0x1e/0x30
 | [  325.366752]  [<ffffffff811cbf7d>] do_last.isra.62+0x36d/0x1020
 | [  325.366956]  [<ffffffff811cccee>] path_openat.isra.63+0xbe/0x480
 | [  325.367097]  [<ffffffff811cd73b>] do_filp_open+0x4b/0xb0
 | [  325.367226]  [<ffffffff811c870c>] ? getname_flags+0x2c/0x120
 | [  325.367361]  [<ffffffff811da487>] ? __alloc_fd+0xa7/0x130
 | [  325.367490]  [<ffffffff811bbe33>] do_sys_open+0xf3/0x1f0
 | [  325.367623]  [<ffffffff811bbf64>] SyS_openat+0x14/0x20
 | [  325.367758]  [<ffffffff815dc359>] system_call_fastpath+0x16/0x1b

Lets provide per VT tty as it should be.

Note the code is being reworked now for bring in real virtualization
instead of stubs so this is rather a fix to not block migration testings
(that's why I don't remove @vz_tty_conm and @vz_tty_cons from the
 struct ve_struct since I've already zapped all this including
 the file kernel/ve/console.c itself and once new version is
 stabilized we drop all this in one pass).

https://jira.sw.ru/browse/PSBM-37929

Signed-off-by: Cyrill Gorcunov <gorcunov at virtuozzo.com>
CC: Nikita Spiridonov <nspiridonov at odin.com>
CC: Vladimir Davydov <vdavydov at virtuozzo.com>
CC: Konstantin Khorenko <khorenko at virtuozzo.com>
---

Nikita, give it a shot please.

 kernel/ve/console.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

Index: linux-pcs7.git/kernel/ve/console.c
===================================================================
--- linux-pcs7.git.orig/kernel/ve/console.c
+++ linux-pcs7.git/kernel/ve/console.c
@@ -47,7 +47,7 @@ static struct tty_struct *vz_tty_lookup(
 	if (idx != VZ_CON_INDEX || driver == vz_cons_driver)
 		return ERR_PTR(-EIO);
 
-	return ve->vz_tty_conm;
+	return ve->vz_tty_vt[idx];
 }
 
 static int vz_tty_install(struct tty_driver *driver, struct tty_struct *tty)
@@ -62,7 +62,7 @@ static int vz_tty_install(struct tty_dri
 	tty_port_init(tty->port);
 	tty->termios = driver->init_termios;
 
-	ve->vz_tty_conm = tty;
+	ve->vz_tty_vt[tty->index] = tty;
 
 	tty_driver_kref_get(driver);
 	tty->count++;
@@ -74,7 +74,7 @@ static void vz_tty_remove(struct tty_dri
 	struct ve_struct *ve = get_exec_env();
 
 	BUG_ON(driver != vz_conm_driver);
-	ve->vz_tty_conm = NULL;
+	ve->vz_tty_vt[tty->index] = NULL;
 }
 
 static int vz_tty_open(struct tty_struct *tty, struct file *filp)

More information about the Devel mailing list