[Devel] [PATCH RHEL7 COMMIT] ve/tty: vt -- Fix nil dereference due to race

Konstantin Khorenko khorenko at virtuozzo.com
Mon Aug 31 06:08:30 PDT 2015 

The commit is pushed to "branch-rh7-3.10.0-229.7.2-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-229.7.2.vz7.6.4
------>
commit 0fa0a39ad2c644f55f447cef85e5a9a8f06e43b7
Author: Cyrill Gorcunov <gorcunov at virtuozzo.com>
Date:   Mon Aug 31 17:08:30 2015 +0400

    ve/tty: vt -- Fix nil dereference due to race
    
    In commit 5571b126368c0153d73eaec0fdf43fbcbae67fd9 we bring
    in the stabs for virtual terminals but they are race sensitive:
    all therminals are represented by one per-VE @vz_tty_conm tty peer
    which can be removed and set to nil if application ask for new
    terminal when old one is inside "remove" stage. This may
    lead to nil dereference and panic as Nikita spotted
    
     | [  325.357491] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
     | [  325.357816] IP: [<ffffffff81364260>] tty_open+0x610/0x6e0
     | [  325.357994] PGD 3b745067 PUD 3b6ff067 PMD 0
     | [  325.358201] Oops: 0002 [#1] SMP
     | [  325.362469] CPU: 1 PID: 2873 Comm: criu ve: 200 Not tainted 3.10.0-123.1.2.vz7.5.29 #1 5.29
     | [  325.362954] task: ffff88003af56480 ti: ffff88003bf24000 task.ti: ffff88003bf24000
     | [  325.363119] RIP: 0010:[<ffffffff81364260>]  [<ffffffff81364260>] tty_open+0x610/0x6e0
     | [  325.363329] RSP: 0018:ffff88003bf25c00  EFLAGS: 00010202
     | [  325.363454] RAX: 0000000000000001 RBX: ffff88003638c000 RCX: 0000000000000001
     | [  325.363614] RDX: ffff88003bf25c34 RSI: 0000000000000002 RDI: ffff88003bf60000
     | [  325.363776] RBP: ffff88003bf25c68 R08: 00000000000208c0 R09: ffff88003d803c00
     | [  325.363972] R10: 0000000000000002 R11: 0000000000000004 R12: 0000000000000000
     | [  325.364145] R13: 0000000000000000 R14: 0000000000400002 R15: 0000000000000000
     | [  325.364303] FS:  00007fe73f0f6740(0000) GS:ffff88003de40000(0000) knlGS:0000000000000000
     | [  325.364479] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
     | [  325.364616] CR2: 0000000000000004 CR3: 000000003c78b000 CR4: 00000000001406e0
     | [  325.364775] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
     | [  325.364949] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
     | [  325.365120] Stack:
     | [  325.365198]  ffff88003af56480 000000043bf25c68 ffff88003af56480 ffff88003b7a1960
     | [  325.365498]  ffff88003af56480 0040000200008002 0000000100000000 00000000b2cf8386
     | [  325.365838]  ffff88003d21a068 ffff88003b7a1960 ffff88003638c000 0000000000000000
     | [  325.366130] Call Trace:
     | [  325.366215]  [<ffffffff811c1761>] chrdev_open+0xa1/0x1e0
     | [  325.366339]  [<ffffffff811c16c0>] ? cdev_put+0x30/0x30
     | [  325.366472]  [<ffffffff811ba772>] do_dentry_open.isra.17+0x192/0x290
     | [  325.366625]  [<ffffffff811ba95e>] finish_open+0x1e/0x30
     | [  325.366752]  [<ffffffff811cbf7d>] do_last.isra.62+0x36d/0x1020
     | [  325.366956]  [<ffffffff811cccee>] path_openat.isra.63+0xbe/0x480
     | [  325.367097]  [<ffffffff811cd73b>] do_filp_open+0x4b/0xb0
     | [  325.367226]  [<ffffffff811c870c>] ? getname_flags+0x2c/0x120
     | [  325.367361]  [<ffffffff811da487>] ? __alloc_fd+0xa7/0x130
     | [  325.367490]  [<ffffffff811bbe33>] do_sys_open+0xf3/0x1f0
     | [  325.367623]  [<ffffffff811bbf64>] SyS_openat+0x14/0x20
     | [  325.367758]  [<ffffffff815dc359>] system_call_fastpath+0x16/0x1b
    
    Lets provide per VT tty as it should be.
    
    Note the code is being reworked now for bring in real virtualization
    instead of stubs so this is rather a fix to not block migration testings
    (that's why I don't remove @vz_tty_conm and @vz_tty_cons from the
     struct ve_struct since I've already zapped all this including
     the file kernel/ve/console.c itself and once new version is
     stabilized we drop all this in one pass).
    
    https://jira.sw.ru/browse/PSBM-37929
    
    Signed-off-by: Cyrill Gorcunov <gorcunov at virtuozzo.com>
    
    CC: Nikita Spiridonov <nspiridonov at odin.com>
    CC: Vladimir Davydov <vdavydov at virtuozzo.com>
    CC: Konstantin Khorenko <khorenko at virtuozzo.com>
---
 kernel/ve/console.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/kernel/ve/console.c b/kernel/ve/console.c
index 922848a..bc7d752 100644
--- a/kernel/ve/console.c
+++ b/kernel/ve/console.c
@@ -47,7 +47,7 @@ static struct tty_struct *vz_tty_lookup(struct tty_driver *driver,
 	if (idx != VZ_CON_INDEX || driver == vz_cons_driver)
 		return ERR_PTR(-EIO);
 
-	return ve->vz_tty_conm;
+	return ve->vz_tty_vt[idx];
 }
 
 static int vz_tty_install(struct tty_driver *driver, struct tty_struct *tty)
@@ -62,7 +62,7 @@ static int vz_tty_install(struct tty_driver *driver, struct tty_struct *tty)
 	tty_port_init(tty->port);
 	tty->termios = driver->init_termios;
 
-	ve->vz_tty_conm = tty;
+	ve->vz_tty_vt[tty->index] = tty;
 
 	tty_driver_kref_get(driver);
 	tty->count++;
@@ -74,7 +74,7 @@ static void vz_tty_remove(struct tty_driver *driver, struct tty_struct *tty)
 	struct ve_struct *ve = get_exec_env();
 
 	BUG_ON(driver != vz_conm_driver);
-	ve->vz_tty_conm = NULL;
+	ve->vz_tty_vt[tty->index] = NULL;
 }
 
 static int vz_tty_open(struct tty_struct *tty, struct file *filp)

More information about the Devel mailing list