Date:      Fri, 15 Aug 2003 17:35:34 -0700
From:      Kris Kennaway <kris@obsecurity.org>
To:        Kris Kennaway <kris@obsecurity.org>
Cc:        phk@FreeBSD.org
Subject:   Re: LOR with filedesc structure and Giant
Message-ID:  <20030816003534.GA71111@rot13.obsecurity.org>
In-Reply-To: <20030811224702.GA44119@rot13.obsecurity.org>
References:  <20030809061112.GA4044@rot13.obsecurity.org> <20030811220932.GA43465@rot13.obsecurity.org> <20030811224702.GA44119@rot13.obsecurity.org>



On Mon, Aug 11, 2003 at 03:47:02PM -0700, Kris Kennaway wrote:

> > lock order reversal
> >  1st 0xc3d25134 filedesc structure (filedesc structure) @ /a/asami/portbuild/i386/src-client/sys/kern/sys_generic.c:902
> >  2nd 0xc04aa500 Giant (Giant) @ /a/asami/portbuild/i386/src-client/sys/fs/specfs/spec_vnops.c:372

> #10 0xc02313e4 in spec_poll (ap=0xce655af8)
>     at /a/asami/portbuild/i386/src-client/sys/fs/specfs/spec_vnops.c:372

The problem seems to be due to select() being called on the /dev/null
device, and it is holding the filedesc lock when it reaches
PICKUP_GIANT() in spec_poll.

(kgdb) frame 10
#10 0xc02313e4 in spec_poll (ap=0xce655af8)
    at /a/asami/portbuild/i386/src-client/sys/fs/specfs/spec_vnops.c:372
372     in /a/asami/portbuild/i386/src-client/sys/fs/specfs/spec_vnops.c
(kgdb) print ap->a_vp->v_type
$26 = VCHR
(kgdb) print ap->a_vp->v_un->vu_spec->vu_cdev->si_udev
$27 = 514

This may be related to the following commit of phk:

---
date: 2002/09/27 19:47:59;  author: phk;  state: Exp;  lines: +76 -13
Add a D_NOGIANT flag which can be set in a struct cdevsw to indicate
that a particular device driver is not Giant-challenged.

SPECFS will DROP_GIANT() ... PICKUP_GIANT() around calls to the
driver in question.

Notice that the interrupt path is not affected by this!

This does _NOT_ work for drivers accessed through cdevsw->d_strategy()
ie drivers for disk(-like), some tapes, maybe others.
---

> #11 0xc02308d8 in spec_vnoperate (ap=0x0)
>     at /a/asami/portbuild/i386/src-client/sys/fs/specfs/spec_vnops.c:122
> #12 0xc02d152c in vn_poll (fp=0x0, events=0, active_cred=0xc42f6800, td=0x0) at vnode_if.h:537
> #13 0xc029491e in selscan (td=0xc3087720, ibits=0xce655b98, obits=0xce655b88, nfd=6)
>     at /a/asami/portbuild/i386/src-client/sys/sys/file.h:272
> #14 0xc029449f in kern_select (td=0xc3087720, nd=6, fd_in=0xbfbff5b0, fd_ou=0x0, fd_ex=0x0, tvp=0xce655cd4)
>     at /a/asami/portbuild/i386/src-client/sys/kern/sys_generic.c:822
> #15 0xc0294116 in select (td=0x0, uap=0xce655d10)
>     at /a/asami/portbuild/i386/src-client/sys/kern/sys_generic.c:726
> #16 0xc03f0233 in syscall (frame=
>       {tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = 134565968, tf_esi = -1077938776, tf_ebp = 674425792, tf_isp = -832217740, tf_ebx = 0, tf_edx = -1077938768, tf_ecx = 0, tf_eax = 93, tf_trapno = 12, tf_err = 2, tf_eip = 671926988, tf_cs = 31, tf_eflags = 534, tf_esp = 674425704, tf_ss = 47})
>     at /a/asami/portbuild/i386/src-client/sys/i386/i386/trap.c:1008
> #17 0xc03e011d in Xint0x80_syscall () at {standard input}:144
> ---Can't read userspace from dump, or kernel process---

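As an added illustration of what the WITNESS report in this message means (this is constructed example code, not part of the original mail and not FreeBSD kernel code): a minimal lock-order witness that records, for a single simulated thread, which lock was held when another was taken, and flags any later acquisition that contradicts an order it has already seen. The first replay follows the path described above (kern_select holding the filedesc lock, spec_poll then doing PICKUP_GIANT()); the earlier Giant-then-filedesc order it assumes is an assumption, since WITNESS can only report a reversal against an order it has already recorded. The second replay, which releases the filedesc lock before Giant is picked up, is a hypothetical variant to show what the checker accepts, not the actual fix.

```c
/*
 * Minimal lock-order witness (constructed example, not FreeBSD code).
 * seen_before[a][b] != 0 means lock a was observed held while lock b
 * was acquired. A later acquisition that reverses a recorded pair is
 * reported in the same style as the kernel's WITNESS output.
 */
#include <stdio.h>
#include <string.h>

#define MAX_LOCKS 8

static const char *lock_names[MAX_LOCKS];
static int lock_count;
static unsigned char seen_before[MAX_LOCKS][MAX_LOCKS];

/* Locks currently held by the simulated thread, innermost last. */
static int held[MAX_LOCKS];
static int nheld;

static int lock_id(const char *name)
{
    for (int i = 0; i < lock_count; i++)
        if (strcmp(lock_names[i], name) == 0)
            return i;
    lock_names[lock_count] = name;
    return lock_count++;
}

void witness_reset(void)
{
    memset(seen_before, 0, sizeof(seen_before));
    lock_count = 0;
    nheld = 0;
}

/* Acquire `name`; returns how many held locks this acquisition reverses against. */
int witness_acquire(const char *name)
{
    int id = lock_id(name);
    int reversals = 0;

    for (int i = 0; i < nheld; i++) {
        int h = held[i];
        if (seen_before[id][h]) {
            /* Earlier: id held, then h taken. Now: h held, then id taken. */
            printf("lock order reversal\n 1st %s\n 2nd %s\n",
                   lock_names[h], lock_names[id]);
            reversals++;
        }
        seen_before[h][id] = 1;
    }
    held[nheld++] = id;
    return reversals;
}

void witness_release(const char *name)
{
    int id = lock_id(name);
    for (int i = 0; i < nheld; i++) {
        if (held[i] == id) {
            memmove(&held[i], &held[i + 1], (nheld - i - 1) * sizeof(held[0]));
            nheld--;
            return;
        }
    }
}

/* Replay of the reported path; the earlier Giant-then-filedesc order is assumed. */
int replay_select_on_devnull(void)
{
    int reversals;

    witness_reset();
    witness_acquire("Giant");                 /* assumed earlier path */
    witness_acquire("filedesc structure");
    witness_release("filedesc structure");
    witness_release("Giant");

    witness_acquire("filedesc structure");    /* kern_select holds filedesc */
    reversals = witness_acquire("Giant");     /* spec_poll: PICKUP_GIANT() */
    witness_release("Giant");
    witness_release("filedesc structure");
    return reversals;
}

/* Hypothetical variant: filedesc is dropped before Giant is taken, so no reversal. */
int replay_drop_before_giant(void)
{
    int reversals;

    witness_reset();
    witness_acquire("Giant");
    witness_acquire("filedesc structure");
    witness_release("filedesc structure");
    witness_release("Giant");

    witness_acquire("filedesc structure");
    witness_release("filedesc structure");    /* released before entering the driver */
    reversals = witness_acquire("Giant");
    witness_release("Giant");
    return reversals;
}

int main(void)
{
    printf("select on /dev/null: %d reversal(s)\n", replay_select_on_devnull());
    printf("drop before Giant:   %d reversal(s)\n", replay_drop_before_giant());
    return 0;
}
```

The checker only tracks one thread and pairwise orders, which is enough to show why the report names the filedesc lock as "1st" and Giant as "2nd": the contradiction is with a previously recorded pair, not with anything wrong in either acquisition on its own.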