Re: [patch for-3.6] fs, debugfs: fix race in u32_array_read and allocatearray at open

From: Raghavendra K T
Date: Fri Sep 21 2012 - 06:26:11 EST

Next message: Mel Gorman: "[PATCH 1/9] Revert "mm: compaction: check lock contention first before taking lock""
Previous message: Paul Bolle: "[PATCH] mISDN: suppress compiler warning"
In reply to: David Rientjes: "[patch for-3.6] fs, debugfs: fix race in u32_array_read and allocatearray at open"
Next in thread: Raghavendra K T: "Re: 3.6rc6 slab corruption."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 09/21/2012 02:46 PM, David Rientjes wrote:

u32_array_open() is racy when multiple threads read from a file with a
seek position of zero, i.e. when two or more simultaneous reads are
occurring after the non-seekable files are created. It is possible that
file->private_data is double-freed because the threads races between

kfree(file->private-data);

and

file->private_data = NULL;

The fix is to only do format_array_alloc() when the file is opened and
free it when it is closed. This means that any thread that holds the
file open and reads multiple times will see persistent data;

I think you meant we can read data only once. second time onwards we don't see any data. (except when fd is forked by child/ races in
threads).

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Mel Gorman: "[PATCH 1/9] Revert "mm: compaction: check lock contention first before taking lock""
Previous message: Paul Bolle: "[PATCH] mISDN: suppress compiler warning"
In reply to: David Rientjes: "[patch for-3.6] fs, debugfs: fix race in u32_array_read and allocatearray at open"
Next in thread: Raghavendra K T: "Re: 3.6rc6 slab corruption."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]