Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 12 Sep 2006 17:52:20 -0500
From:      "Christian S.J. Peron" <csjp@FreeBSD.org>
To:        Bruce Evans <bde@zeta.org.au>
Cc:        src-committers@FreeBSD.org, John Baldwin <jhb@FreeBSD.org>, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org, Max Laier <max@love2party.net>, Martin Blapp <mbr@FreeBSD.org>
Subject:   Re: cvs commit: src/sys/kern tty.c
Message-ID:  <45073A24.6060108@FreeBSD.org>
In-Reply-To: <20060913051026.D745@epsplex.bde.org>
References:  <200609101651.k8AGpuqm069774@repoman.freebsd.org> <200609111048.19397.jhb@freebsd.org> <200609111829.58796.max@love2party.net> <200609111428.01836.jhb@freebsd.org> <20060913051026.D745@epsplex.bde.org>

next in thread | previous in thread | raw e-mail | index | archive | help

Rev. 1.272 was my commit, I can't remember the context of the 
conversations around the Giant push down there, but it's quite possible 
that I jumped the gun and made a mistake, because I am not sure how much 
analysis of the TTY locking I did there.

Should we roll back that commit and Pickup Giant for the TTY sake?

Bruce Evans wrote:
> On Mon, 11 Sep 2006, John Baldwin wrote:
>
>> I've told Martin numerous times that t_session is not locked by the 
>> proctree
>> lock and thus by default it is covered by Giant.  I think much of the 
>> session
>> stuff still belongs under Giant in fact.
>
> I thought that the session stuff was already locked.  It has very
> little to do with ttys.  However, apparently, only p_session is covered
> by session locking, while t_session still needs tty (Giant) locking.
> It seems unlikely that ttymodem() isn't still under Giant.  However,
> Giant locking for references to t_session and even more important tty
> things was removed in rev.1.272 of kern_exit.c:
>
> % Index: kern_exit.c
> % ===================================================================
> % RCS file: /home/ncvs/src/sys/kern/kern_exit.c,v
> % retrieving revision 1.271
> % retrieving revision 1.272
> % diff -u -r1.271 -r1.272
> % --- kern_exit.c    8 Nov 2005 09:09:26 -0000    1.271
> % +++ kern_exit.c    8 Nov 2005 17:11:03 -0000    1.272
> % @@ -303,13 +303,13 @@
> %              vm_map_max(&vm->vm_map));
> %      }
> % % -    mtx_lock(&Giant);
>
> Not long before 1.272, the Giant locking had been pushed down to here.
>
> %      sx_xlock(&proctree_lock);
>
> I don't know exactly what this covers.  SESS_LOCK() is not used until 
> later.
> According to proc.h:
>
>     p_session:  constant until freed (what locks the freeing?)
>     *p_session: mostly locked by SESS_LOCK(), except s_leader also 
> requires
>         the proctree lock
>
> %      if (SESS_LEADER(p)) {
>
> SESS_LEADER() loads s_leader, so why isn't SESS_LOCK() before here?
>
> %          struct session *sp;
> % %          sp = p->p_session;
> %          if (sp->s_ttyvp) {
>
> This seems to need SESS_LOCK() but not proctree_lock.
>
> % +            locked = VFS_LOCK_GIANT(sp->s_ttyvp->v_mount);
> %              /*
> %               * Controlling process.
> %               * Signal foreground pgrp,
>
> s_ttyvp and t_session are referenced just after here.  1.272 is 
> apparently
> only correct for s_ttyvp (except the session locking was already wrong?).
> The reference to t_session seems to be only read-only here -- I can't
> see where it goes away on exit, but think it should -- but nothing
> good can happen if it changes underneath.
>
> Just after this there is a call to ttywait().  ttywait() certainly
> needs Giant locking.  The call is preceded by a comment saying "XXX
> tp should be locked.".  This comment was bogus -- tp was locked by
> Giant when the comment was written.  Now the code is broken instead.
>
> % @@ -355,6 +355,7 @@
> %               * that the session once had a controlling terminal.
> %               * (for logging and informational purposes)
> %               */
> % +            VFS_UNLOCK_GIANT(locked);
> %          }
> %          SESS_LOCK(p->p_session);
> %          sp->s_leader = NULL;
> % @@ -363,7 +364,6 @@
> %      fixjobc(p, p->p_pgrp, 0);
> %      sx_xunlock(&proctree_lock);
> %      (void)acct_process(td);
> % -    mtx_unlock(&Giant); %  #ifdef KTRACE
> %      /*
> %       * release trace file
>
> Other references to t_session in kern:
>
> kern_proc.c:
> fill_kinfo_proc_only() deferences t_session after checking that it is not
> NULL.  I think the necessary Giant locking is missing here.
>
> tty.c:
> Lots of references to t_session here.  None should cause problems 
> directly,
> since callers are required to provide Giant locking.  ttymodem() should
> only be called from device driver interrupt handlers and these require
> Giant locking for ordinary i/o too, so the problem is unlikely to be
> at this level.
>
> Bruce
>
>


-- 
Christian S.J. Peron
csjp@FreeBSD.ORG
FreeBSD Committer
FreeBSD Security Team




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?45073A24.6060108>