Bug 660871
Summary: | mpctl module doesn't release fasync_struct at file close
---|---
Product: | Red Hat Enterprise Linux 5
Reporter: | David Jeffery <djeffery>
Component: | kernel
Assignee: | Tomas Henzl <thenzl>
Status: | CLOSED ERRATA
QA Contact: | Storage QE <storage-qe>
Severity: | urgent
Docs Contact: |
Priority: | urgent
Version: | 5.4
CC: | bdonahue, chyang, coughlan, cward, cww, dhoward, fge, jpirko, kashyap.desai, moshiro, qcai
Target Milestone: | rc
Keywords: | OtherQA, ZStream
Target Release: | ---
Hardware: | Unspecified
OS: | Linux
Whiteboard: |
Fixed In Version: |
Doc Type: | Bug Fix
Doc Text: | Calling the mptctl_fasync() function to enable async notification caused the fasync_struct data structure, which was allocated, to never be freed. fasync_struct remained on the event list of the mptctl module even after a file was closed and released. After the file was closed, fasync_struct had an invalid file pointer which was dereferenced when the mptctl module called the kill_fasync() function to report any events. The use of the invalid file pointer could result in a deadlock on the system because the send_sigio() function tried to acquire the rwlock in the f_owner field of the previously closed file. With this update, a release callback function has been added for the file operations in the mptctl module. fasync_struct is now properly freed when a file is closed, no longer causing a deadlock.
Story Points: | ---
Clone Of: |
Environment: |
Last Closed: | 2011-07-21 09:28:26 UTC
Type: | ---
Regression: | ---
Mount Type: | ---
Documentation: | ---
CRM: |
Verified Versions: |
Category: | ---
oVirt Team: | ---
RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | ---
Target Upstream Version: |
Embargoed: |
Bug Depends On: |
Bug Blocks: | 677173
Attachments: |
Description
David Jeffery
2010-12-07 18:13:05 UTC
Created attachment 467583 [details]
add a mptctl_release function to clean up fasync state
I've attached an untested patch. The upstream kernel's mptctl driver also looks to fail to clean up the fasync_struct at file close.
Kashyap,
the patch seems to correct the issue. Is the solution good from your point of view?

(In reply to comment #1)
> Created attachment 467583 [details]
> add a mptctl_release function to clean up fasync state
>
> I've attached an untested patch. The upstream kernel's mptctl driver also
> looks to fail to clean up the fasync_struct at file close.

David,
I couldn't find it posted, has it already been posted?

(In reply to comment #8)
> David,
> I couldn't find it posted, has it already been posted?

Sorry, this is confusing - meant posted upstream for example in scsi-misc

(In reply to comment #4)
> Kashyap,
> the patch seems to correct the issue. Is the solution good from your point
> of view?

Ping Kashyap,
any thoughts?

(In reply to comment #10)
> (In reply to comment #4)
> > Kashyap,
> > the patch seems to correct the issue. Is the solution good from your point
> > of view?
>
> Ping Kashyap,
> any thoughts?

Tomas, Sorry for delay...! Patch absolutely fine.! I have to post this to upstream as well..!

(In reply to comment #13)
> Tomas, Sorry for delay...! Patch absolutely fine.! I have to post this to
> upstream as well..!

Kashyap, thanks and for posting this upstream as well. Let me know when you will have this posted.

in kernel-2.6.18-244.el5

You can download this test kernel (or newer) from http://people.redhat.com/jwilson/el5

Detailed testing feedback is always welcomed.

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Calling the mptctl_fasync() function to enable async notification caused the fasync_struct data structure, which was allocated, to never be freed. fasync_struct remained on the event list of the mptctl module even after a file was closed and released. After the file was closed, fasync_struct had an invalid file pointer which was dereferenced when the mptctl module called the kill_fasync() function to report any events. The use of the invalid file pointer could result in a deadlock on the system because the send_sigio() function tried to acquire the rwlock in the f_owner field of the previously closed file. With this update, a release callback function has been added for the file operations in the mptctl module. fasync_struct is now properly freed when a file is closed, no longer causing a deadlock.

Code reviewed, patch found in kernel-2.6.18-272.el5
Sanity Only

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-1065.html
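
The lifecycle described in the technical note above, as an added user-space model in C (not the attached patch and not the mptctl driver's code): `struct file`, `fasync_helper()` and `async_queue` are simplified stand-ins that reuse kernel names, and `stale_entries()` and `run_scenario()` are hypothetical helpers. A closed file is only flagged here, never freed, so the model exposes the stale list entry without itself touching freed memory.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed user-space model: names follow the kernel's; signatures and bodies are simplified. */
struct file { bool open; };
struct fasync_struct { struct file *fa_file; struct fasync_struct *fa_next; };
static struct fasync_struct *async_queue; /* the driver's event list */

/* on != 0 subscribes filp; on == 0 unlinks and frees filp's entry. */
static int fasync_helper(struct file *filp, int on, struct fasync_struct **list) {
    struct fasync_struct **pp, *fa;
    for (pp = list; (fa = *pp) != NULL; pp = &fa->fa_next) {
        if (fa->fa_file != filp) continue;
        if (!on) { *pp = fa->fa_next; free(fa); }
        return 0;
    }
    if (!on) return 0;
    if (!(fa = malloc(sizeof(*fa)))) return -1;
    *fa = (struct fasync_struct){ .fa_file = filp, .fa_next = *list };
    *list = fa;
    return 1;
}

/* Event path: entries whose file is closed stand in for dangling pointers. */
static int stale_entries(void) {
    int n = 0;
    for (struct fasync_struct *fa = async_queue; fa; fa = fa->fa_next)
        n += !fa->fa_file->open;
    return n;
}

/* open + enable async notification + close; returns stale entries left behind. */
int run_scenario(bool has_release) {
    struct file f = { .open = true };
    async_queue = NULL;
    fasync_helper(&f, 1, &async_queue);
    if (has_release)                      /* what a release callback does */
        fasync_helper(&f, 0, &async_queue);
    f.open = false;                       /* the file is now closed */
    int stale = stale_entries();
    fasync_helper(&f, 0, &async_queue);   /* model-only cleanup */
    return stale;
}

int main(void) {
    printf("stale: %d without release, %d with\n", run_scenario(false), run_scenario(true));
    return 0;
}
```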