Re: LOR with filedesc structure and Giant

From: Kris Kennaway <kris_at_obsecurity.org>
Date: Fri, 15 Aug 2003 17:35:34 -0700
On Mon, Aug 11, 2003 at 03:47:02PM -0700, Kris Kennaway wrote:

> > lock order reversal
> >  1st 0xc3d25134 filedesc structure (filedesc structure) _at_ /a/asami/portbuild/i386/src-client/sys/kern/sys_generic.c:902
> >  2nd 0xc04aa500 Giant (Giant) _at_ /a/asami/portbuild/i386/src-client/sys/fs/specfs/spec_vnops.c:372

> #10 0xc02313e4 in spec_poll (ap=0xce655af8)
>     at /a/asami/portbuild/i386/src-client/sys/fs/specfs/spec_vnops.c:372

The problem seems to be due to select() being called on the /dev/null
device, and it is holding the filedesc lock when it reaches
PICKUP_GIANT() in spec_poll.

(kgdb) frame 10
#10 0xc02313e4 in spec_poll (ap=0xce655af8)
    at /a/asami/portbuild/i386/src-client/sys/fs/specfs/spec_vnops.c:372
372     in /a/asami/portbuild/i386/src-client/sys/fs/specfs/spec_vnops.c
(kgdb) print ap->a_vp->v_type
$26 = VCHR
(kgdb) print ap->a_vp->v_un->vu_spec->vu_cdev->si_udev
$27 = 514

This may be related to the following commit of phk:

---
date: 2002/09/27 19:47:59;  author: phk;  state: Exp;  lines: +76 -13
Add a D_NOGIANT flag which can be set in a struct cdevsw to indicate
that a particular device driver is not Giant-challenged.

SPECFS will DROP_GIANT() ... PICKUP_GIANT() around calls to the
driver in question.

Notice that the interrupt path is not affected by this!

This does _NOT_ work for drivers accessed through cdevsw->d_strategy()
i.e. drivers for disk(-like), some tapes, maybe others.
---

> #11 0xc02308d8 in spec_vnoperate (ap=0x0)
>     at /a/asami/portbuild/i386/src-client/sys/fs/specfs/spec_vnops.c:122
> #12 0xc02d152c in vn_poll (fp=0x0, events=0, active_cred=0xc42f6800, td=0x0) at vnode_if.h:537
> #13 0xc029491e in selscan (td=0xc3087720, ibits=0xce655b98, obits=0xce655b88, nfd=6)
>     at /a/asami/portbuild/i386/src-client/sys/sys/file.h:272
> #14 0xc029449f in kern_select (td=0xc3087720, nd=6, fd_in=0xbfbff5b0, fd_ou=0x0, fd_ex=0x0, tvp=0xce655cd4)
>     at /a/asami/portbuild/i386/src-client/sys/kern/sys_generic.c:822
> #15 0xc0294116 in select (td=0x0, uap=0xce655d10)
>     at /a/asami/portbuild/i386/src-client/sys/kern/sys_generic.c:726
> #16 0xc03f0233 in syscall (frame=
>       {tf_fs = 47, tf_es = 47, tf_ds = 47, tf_edi = 134565968, tf_esi = -1077938776, tf_ebp = 674425792, tf_isp = -832217740, tf_ebx = 0, tf_edx = -1077938768, tf_ecx = 0, tf_eax = 93, tf_trapno = 12, tf_err = 2, tf_eip = 671926988, tf_cs = 31, tf_eflags = 534, tf_esp = 674425704, tf_ss = 47})
>     at /a/asami/portbuild/i386/src-client/sys/i386/i386/trap.c:1008
> #17 0xc03e011d in Xint0x80_syscall () at {standard input}:144
> ---Can't read userspace from dump, or kernel process---
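Added example, not code from this thread or from the FreeBSD tree: a toy WITNESS-style lock-order checker in C that replays the two lock paths the report describes. It assumes Giant is taken on syscall entry and models a single thread; the lock names and source locations are the ones quoted above.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of WITNESS-style lock-order checking; lock names come from the LOR report. */
enum { GIANT = 0, FILEDESC = 1, NLOCKS = 2 };
static const char *lock_name[NLOCKS] = { "Giant", "filedesc structure" };
static int order[NLOCKS][NLOCKS]; /* order[a][b] != 0: a was held when b was acquired */
static int held[NLOCKS], nheld;   /* locks currently held by the single modelled thread */
static int reversals;             /* reversals reported so far */
static void witness_reset(void) { memset(order, 0, sizeof order); nheld = 0; reversals = 0; }
/* Record acquiring `l` at `where`; report and return 1 if it reverses a known order. */
static int witness_lock(int l, const char *where)
{
    int i, rev = 0;
    for (i = 0; i < nheld; i++) {
        int h = held[i];
        if (order[l][h]) { /* l is known to precede h, yet h is held now: reversal */
            printf("lock order reversal\n 1st %s\n 2nd %s @ %s\n", lock_name[h], lock_name[l], where);
            reversals++; rev = 1;
        }
        order[h][l] = 1;   /* learn the order h -> l */
    }
    held[nheld++] = l;
    return rev;
}
static void witness_unlock(int l)
{
    for (int i = 0; i < nheld; i++)
        if (held[i] == l) { held[i] = held[--nheld]; return; }
}

/* An ordinary Giant-locked syscall touching the file table: establishes Giant -> filedesc. */
static int run_ordinary_path(void)
{
    witness_lock(GIANT, "syscall entry");
    int rev = witness_lock(FILEDESC, "file table access");
    witness_unlock(FILEDESC); witness_unlock(GIANT);
    return rev;
}

/* select() on /dev/null as in the report: filedesc stays held across DROP_GIANT()/PICKUP_GIANT(). */
static int run_select_on_devnull(void)
{
    witness_lock(GIANT, "syscall entry");              /* assumed: Giant taken on syscall entry */
    witness_lock(FILEDESC, "sys_generic.c:902");       /* selscan takes the filedesc lock */
    witness_unlock(GIANT);                             /* DROP_GIANT() in spec_poll */
    int rev = witness_lock(GIANT, "spec_vnops.c:372"); /* PICKUP_GIANT(): Giant after filedesc */
    witness_unlock(GIANT); witness_unlock(FILEDESC);
    return rev;
}
```

Running the ordinary path first and then the select path prints a report in the same shape as the one quoted above, with filedesc as the 1st lock and Giant as the 2nd.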

Received on Fri Aug 15 2003 - 15:35:41 UTC