Re: [PATCH 1/1][BUG][TAKE2] KEYRINGS: find_keyring_by_name() cangain the freed keyring

From: Toshiyuki Okajima
Date: Fri Apr 23 2010 - 11:24:28 EST

Next message: Pavel Machek: "Re: [PATCH 7/7] ondemand: Solve the big performance issue withondemand during disk IO"
Previous message: Josef Bacik: "Re: [PATCH] cleanup block based fiemap"
In reply to: David Howells: "Re: [PATCH 1/1][BUG][TAKE2] KEYRINGS: find_keyring_by_name() can gain the freed keyring"
Next in thread: David Howells: "Re: [PATCH 1/1][BUG][TAKE2] KEYRINGS: find_keyring_by_name() can gain the freed keyring"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 23 Apr 2010 12:33:57 +0100
David Howells <dhowells@xxxxxxxxxx> wrote:

> Better still, atomic_inc_not_zero(). How about the attached patch?
Your fix looks good to me. But, if usage count of the keyring is 0,
I think it better to return -ENOKEY immediately.

Like this.
> + /* we've got a match but we might end up racing with
> + * key_cleanup() if the keyring is currently 'dead'
> + * (ie. it has a zero usage count) */
> + if (!atomic_inc_not_zero(&keyring->usage))

> + continue;
=> break;

And my previous figure description(in first patch) was a bit wrong.
Please replace it with my new one:

[Figure Description](Example)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|(cleaner) (user)
| free_user(user) sys_keyctl()
| | |
| key_put(user->session_keyring) keyctl_get_keyring_ID()
| || //=> keyring->usage = 0 |
| |schedule_work(&key_cleanup_task) lookup_user_key()
| || |
| kmem_cache_free(,user) |
| . |[KEY_SPEC_USER_KEYRING]
| . install_user_keyrings()
| . ||
| key_cleanup() [<= worker_thread()] ||
| | ||
| [spin_lock(&key_serial_lock)] |[mutex_lock(&key_user_keyr..mutex)]
| | ||
| atomic_read() == 0 ||
| |{ rb_ease(&key->serial_node,) } ||
| | ||
| [spin_unlock(&key_serial_lock)] |find_keyring_by_name()
| | |||
| keyring_destroy(keyring) ||[read_lock(&keyring_name_lock)]
| || |||
| |[write_lock(&keyring_name_lock)] ||atomic_inc(&keyring->usage)
| |. ||| *** GET freeing keyring ***
| |. ||[read_unlock(&keyring_name_lock)]
| || ||
| |list_del() |[mutex_unlock(&key_user_k..mutex)]
| || |
| |[write_unlock(&keyring_name_lock)] ** INVALID keyring is returned **
| | .
| kmem_cache_free(,keyring) .
| .
| atomic_dec(&keyring->usage)
v *** DESTROYED ***
TIME
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Best Regards,
Toshiyuki Okajima
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Pavel Machek: "Re: [PATCH 7/7] ondemand: Solve the big performance issue withondemand during disk IO"
Previous message: Josef Bacik: "Re: [PATCH] cleanup block based fiemap"
In reply to: David Howells: "Re: [PATCH 1/1][BUG][TAKE2] KEYRINGS: find_keyring_by_name() can gain the freed keyring"
Next in thread: David Howells: "Re: [PATCH 1/1][BUG][TAKE2] KEYRINGS: find_keyring_by_name() can gain the freed keyring"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]