linux/fs/proc/base.c, branch v2.6.19 Linux kernel source tree https://git.amat.us/linux/atom/fs/proc/base.c?h=v2.6.19 2006-11-25T21:28:33Z [PATCH] mounstats NULL pointer dereference 2006-11-25T21:28:33Z Vasily Tarasov vtaras@openvz.org 2006-11-25T19:09:22Z urn:sha1:701e054e0c2db82359f0454c7ed4fd24346d52eb OpenVZ developers team has encountered the following problem in 2.6.19-rc6 kernel. After some seconds of running script while [[ 1 ]] do find /proc -name mountstats | xargs cat done this Oops appears: BUG: unable to handle kernel NULL pointer dereference at virtual address 00000010 printing eip: c01a6b70 *pde = 00000000 Oops: 0000 [#1] SMP Modules linked in: xt_length ipt_ttl xt_tcpmss ipt_TCPMSS iptable_mangle iptable_filter xt_multiport xt_limit ipt_tos ipt_REJECT ip_tables x_tables parport_pc lp parport sunrpc af_packet thermal processor fan button battery asus_acpi ac ohci_hcd ehci_hcd usbcore i2c_nforce2 i2c_core tg3 floppy pata_amd ide_cd cdrom sata_nv libata CPU: 1 EIP: 0060:[<c01a6b70>] Not tainted VLI EFLAGS: 00010246 (2.6.19-rc6 #2) EIP is at mountstats_open+0x70/0xf0 eax: 00000000 ebx: e6247030 ecx: e62470f8 edx: 00000000 esi: 00000000 edi: c01a6b00 ebp: c33b83c0 esp: f4105eb4 ds: 007b es: 007b ss: 0068 Process cat (pid: 6044, ti=f4105000 task=f4104a70 task.ti=f4105000) Stack: c33b83c0 c04ee940 f46a4a80 c33b83c0 e4df31b4 c01a6b00 f4105000 c0169231 e4df31b4 c33b83c0 c33b83c0 f4105f20 00000003 f4105000 c0169445 f2503cf0 f7f8c4c0 00008000 c33b83c0 00000000 00008000 c0169350 f4105f20 00008000 Call Trace: [<c01a6b00>] mountstats_open+0x0/0xf0 [<c0169231>] __dentry_open+0x181/0x250 [<c0169445>] nameidata_to_filp+0x35/0x50 [<c0169350>] do_filp_open+0x50/0x60 [<c01873d6>] seq_read+0xc6/0x300 [<c0169511>] get_unused_fd+0x31/0xc0 [<c01696d3>] do_sys_open+0x63/0x110 [<c01697a7>] sys_open+0x27/0x30 [<c01030bd>] sysenter_past_esp+0x56/0x79 ======================= Code: 45 74 8b 54 24 20 89 44 24 08 8b 42 f0 31 d2 e8 47 cb f8 ff 85 c0 89 c3 74 51 8d 80 a0 04 00 00 e8 46 06 2c 00 8b 83 48 04 00 00 <8b> 78 10 85 ff 74 03 f0 ff 07 b0 01 86 83 a0 04 00 00 f0 ff 4b EIP: [<c01a6b70>] mountstats_open+0x70/0xf0 SS:ESP 0068:f4105eb4 The problem is that task->nsproxy can be equal NULL for some time during task exit. This patch fixes the BUG. Signed-off-by: Vasily Tarasov <vtaras@openvz.org> Cc: Herbert Poetzl <herbert@13thfloor.at> Cc: "Serge E. Hallyn" <serue@us.ibm.com> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> [PATCH] OOM killer meets userspace headers 2006-10-20T17:26:38Z Alexey Dobriyan adobriyan@gmail.com 2006-10-20T06:28:32Z urn:sha1:8ac773b4f73afa6fd66695131103944b975d5d5c Despite mm.h is not being exported header, it does contain one thing which is part of userspace ABI -- value disabling OOM killer for given process. So, a) create and export include/linux/oom.h b) move OOM_DISABLE define there. c) turn bounding values of /proc/$PID/oom_adj into defines and export them too. Note: mass __KERNEL__ removal will be done later. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Cc: Nick Piggin <nickpiggin@yahoo.com.au> Cc: David Woodhouse <dwmw2@infradead.org> Cc: Christoph Hellwig <hch@infradead.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> [PATCH] PROC_NUMBUF is wrong 2006-10-17T15:18:43Z Andrew Morton akpm@osdl.org 2006-10-17T07:09:41Z urn:sha1:0187f879ee8d4b914e74ffa3cc5df268311fc2d2 Actually, the decimal representation of a 32-bit signed number can take 12 bytes, including the \0. And then some code adds a \n as well, so let's give it 13 bytes. Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> [PATCH] introduce get_task_pid() to fix unsafe get_pid() 2006-10-02T14:57:25Z Oleg Nesterov oleg@tv-sign.ru 2006-10-02T09:18:59Z urn:sha1:1a657f78dcc8ea7c53eaa1f2a45ea2315738c15f proc_pid_make_inode: ei->pid = get_pid(task_pid(task)); I think this is not safe. get_pid() can be preempted after checking "pid != NULL". Then the task exits, does detach_pid(), and RCU frees the pid. Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> [PATCH] proc: comment what proc_fill_cache does 2006-10-02T14:57:25Z Eric W. Biederman ebiederm@xmission.com 2006-10-02T09:18:57Z urn:sha1:1c0d04c9e44f4a248335c33d2be7c7f7b06ff359 Signed-off-by: Eric W. Biederman <ebiederm@xmission.com> Cc: Oleg Nesterov <oleg@tv-sign.ru> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> [PATCH] proc: remove the useless SMP-safe comments from /proc 2006-10-02T14:57:25Z Eric W. Biederman ebiederm@xmission.com 2006-10-02T09:18:57Z urn:sha1:5e61feafa2c641c2a013ba94eec56c411011cc94 Signed-off-by: Eric W. Biederman <ebiederm@xmission.com> Cc: Oleg Nesterov <oleg@tv-sign.ru> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> [PATCH] proc: remove trailing blank entry from pid_entry arrays 2006-10-02T14:57:25Z Eric W. Biederman ebiederm@xmission.com 2006-10-02T09:18:56Z urn:sha1:7bcd6b0efd5216f2f208e92150b0e5b9bea2c210 It was pointed out that since I am taking ARRAY_SIZE anyway the trailing empty entry is silly and just wastes space. Signed-off-by: Eric W. Biederman <ebiederm@xmission.com> Cc: Oleg Nesterov <oleg@tv-sign.ru> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> [PATCH] proc: properly compute TGID_OFFSET 2006-10-02T14:57:24Z Eric W. Biederman ebiederm@xmission.com 2006-10-02T09:18:55Z urn:sha1:8e95bd936df2d3fc0e773068aa34350306a5c52a The value doesn't change but this ensures I will have the proper value when other files are added to proc_base_stuff. Signed-off-by: Eric W. Biederman <ebiederm@xmission.com> Cc: Oleg Nesterov <oleg@tv-sign.ru> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> [PATCH] proc: Use pid_task instead of open coding it 2006-10-02T14:57:24Z Eric W. Biederman ebiederm@xmission.com 2006-10-02T09:18:51Z urn:sha1:7fbaac005cab2f3b4d6999cdb32fb93d442c5cdb Signed-off-by: Eric W. Biederman <ebiederm@xmission.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org> [PATCH] proc: Merge proc_tid_attr and proc_tgid_attr 2006-10-02T14:57:24Z Eric W. Biederman ebiederm@xmission.com 2006-10-02T09:18:50Z urn:sha1:72d9dcfc7afd80fe98334ec23531b638ee54df8b The implementation is exactly the same and there is currently nothing to distinguish proc_tid_attr, and proc_tgid_attr. So it is pointless to have two separate implementations. Signed-off-by: Eric W. Biederman <ebiederm@xmission.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>