Date: Fri, 15 Aug 2003 17:35:34 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: Kris Kennaway <kris@obsecurity.org>
Cc: phk@FreeBSD.org
Subject: Re: LOR with filedesc structure and Giant
Message-ID: <20030816003534.GA71111@rot13.obsecurity.org>
In-Reply-To: <20030811224702.GA44119@rot13.obsecurity.org>
References: <20030809061112.GA4044@rot13.obsecurity.org> <20030811220932.GA43465@rot13.obsecurity.org> <20030811224702.GA44119@rot13.obsecurity.org>

On Mon, Aug 11, 2003 at 03:47:02PM -0700, Kris Kennaway wrote:

> > lock order reversal
> >  1st 0xc3d25134 filedesc structure (filedesc structure) @ /a/asami/portbuild/i386/src-client/sys/kern/sys_generic.c:902
> >  2nd 0xc04aa500 Giant (Giant) @ /a/asami/portbuild/i386/src-client/sys/fs/specfs/spec_vnops.c:372

> #10 0xc02313e4 in spec_poll (ap=0xce655af8)
>     at /a/asami/portbuild/i386/src-client/sys/fs/specfs/spec_vnops.c:372

The problem seems to be due to select() being called on the /dev/null
device, and it is holding the filedesc lock when it reaches
PICKUP_GIANT() in spec_poll.

(kgdb) frame 10
#10 0xc02313e4 in spec_poll (ap=0xce655af8)
    at /a/asami/portbuild/i386/src-client/sys/fs/specfs/spec_vnops.c:372
372     in /a/asami/portbuild/i386/src-client/sys/fs/specfs/spec_vnops.c
(kgdb) print ap->a_vp->v_type
$26 = VCHR
(kgdb) print ap->a_vp->v_un->vu_spec->vu_cdev->si_udev
$27 = 514

This may be related to the following commit of phk:

---
date: 2002/09/27 19:47:59;  author: phk;  state: Exp;  lines: +76 -13
Add a D_NOGIANT flag which can be set in a struct cdevsw to indicate
that a particular device driver is not Giant-challenged.

SPECFS will DROP_GIANT() ... PICKUP_GIANT() around calls to the
driver in question.

Notice that the interrupt path is not affected by this!

This does _NOT_ work for drivers accessed through cdevsw->d_strategy()
ie drivers for disk(-like), some tapes, maybe others.
---

> #11 0xc02308d8 in spec_vnoperate (ap=0x0)
>     at /a/asami/portbuild/i386/src-client/sys/fs/specfs/spec_vnops.c:122
> #12 0xc02d152c in vn_poll (fp=0x0, events=0, active_cred=0xc42f6800, td=0x0) at vnode_if.h:537
> #13 0xc029491e in selscan (td=0xc3087720, ibits=0xce655b98, obits=0xce655b88, nfd=6)
>     at /a/asami/portbuild/i386/src-client/sys/sys/file.h:272
> #14 0xc029449f in kern_select (td=0xc3087720, nd=6, fd_in=0xbfbff5b0, fd_ou=0x0, fd_ex=0x0, tvp=0xce655cd4)
>     at /a/asami/portbuild/i386/src-client/sys/kern/sys_generic.c:822
> #15 0xc0294116 in select (td=0x0, uap=0xce655d10)
>     at /a/asami/portbuild/i386/src-client/sys/kern/sys_generic.c:726
> #16 0xc03f0233 in syscall (frame=
>       {tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = 134565968, tf_esi = -1077938776, tf_ebp = 674425792, tf_isp = -832217740, tf_ebx = 0, tf_edx = -1077938768, tf_ecx = 0, tf_eax = 93, tf_trapno = 12, tf_err = 2, tf_eip = 671926988, tf_cs = 31, tf_eflags = 534, tf_esp = 674425704, tf_ss = 47})
>     at /a/asami/portbuild/i386/src-client/sys/i386/i386/trap.c:1008
> #17 0xc03e011d in Xint0x80_syscall () at {standard input}:144
> ---Can't read userspace from dump, or kernel process---
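
The reversal described in this message, as a small added model in C (not part of the original e-mail and not FreeBSD source): a toy order checker in the spirit of WITNESS records which lock was held when another was taken and flags the opposite order. The lock ids, helper names and the premise that the select path enters with Giant held are assumptions of the model.

```c
/* Toy lock-order model added for illustration; not FreeBSD kernel code. */
#include <stdio.h>
#include <string.h>

enum { GIANT, FILEDESC, NLOCKS };            /* model lock ids (hypothetical) */
static const char *lk_name[NLOCKS] = { "Giant", "filedesc structure" };
static int seen[NLOCKS][NLOCKS];  /* seen[a][b]: b was acquired while a was held */
static int held[NLOCKS];          /* 1 while the modelled thread holds the lock */

static void lk_reset(void) { memset(seen, 0, sizeof seen); memset(held, 0, sizeof held); }

/* Acquire lock l; return 1 if this reverses an order already on record. */
static int lk_acquire(int l)
{
    int lor = 0;
    for (int h = 0; h < NLOCKS; h++) {
        if (!held[h] || h == l)
            continue;
        if (!seen[l][h]) { seen[h][l] = 1; continue; }   /* learn order h -> l */
        printf("lock order reversal\n 1st %s\n 2nd %s\n", lk_name[h], lk_name[l]);
        lor = 1;
    }
    held[l] = 1;
    return lor;
}

static void lk_release(int l) { held[l] = 0; }

/* Model of select() polling a character device; nogiant mimics D_NOGIANT. */
static int model_select_poll(int nogiant)
{
    int lor = 0;
    lor |= lk_acquire(GIANT);      /* assumption: syscall path entered with Giant held */
    lor |= lk_acquire(FILEDESC);   /* filedesc lock taken on the select path */
    if (nogiant) {
        lk_release(GIANT);         /* DROP_GIANT() before calling the driver */
        lor |= lk_acquire(GIANT);  /* PICKUP_GIANT() with filedesc still held */
    }
    lk_release(FILEDESC);
    lk_release(GIANT);
    return lor;
}

int main(void)
{
    lk_reset();
    printf("Giant-locked driver: LOR=%d\n", model_select_poll(0));
    printf("D_NOGIANT driver:    LOR=%d\n", model_select_poll(1));
    return 0;
}
```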