Bug 695357 - dasd: fix race between open and offline
Summary: dasd: fix race between open and offline
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.6
Hardware: s390x
OS: All
Priority: urgent
Severity: urgent
Target Milestone: rc
Assignee: Hendrik Brueckner
QA Contact: WANG Chao
URL:
Whiteboard:
Depends On:
Blocks: 684940 699808
Reported: 2011-04-11 13:31 UTC by IBM Bug Proxy
Modified: 2018-11-14 13:09 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Setting a DASD (Direct Access Storage Device) device offline while another process was trying to open that device caused a race in the dasd_open function. The dasd_open function tried to read a pointer from the private_data field after the structure had already been freed, resulting in a dereference of an invalid pointer. With this update, the aforementioned pointer is now stored in a different structure, thus preventing the race condition.
Clone Of:
Environment:
Last Closed: 2011-07-21 09:51:03 UTC
Target Upstream Version:


Attachments
linux-2.6.18-s390-dasd-fix-open-offline-race.patch (10.47 KB, text/plain)
2011-04-11 13:31 UTC, IBM Bug Proxy


Links
System | ID | Private | Priority | Status | Summary | Last Updated
IBM Linux Technology Center | 71450 | 0 | None | None | None | Never
Red Hat Product Errata | RHSA-2011:1065 | 0 | normal | SHIPPED_LIVE | Important: Red Hat Enterprise Linux 5.7 kernel security and bug fix update | 2011-07-21 09:21:37 UTC

Description IBM Bug Proxy 2011-04-11 13:31:13 UTC
linux-2.6.18-s390-dasd-fix-open-offline-race.patch

Description: dasd: fix race between open and offline
Symptom:     Oops when dasd_open tries to dereference an invalid pointer.
Problem:     The dasd_open function uses the private_data pointer of
             the gendisk to find the drivers internal structures that
             represent this DASD device. When a DASD device is set
             offline, and a process tries to open the device at the
             same time, then there is a small race window, in which
             dasd_open could first read a pointer from the
             private_data field and then try to use it, after the
             structure has already been freed.
Solution:    To close this race window, we will store a pointer to a
             different internal structure (dasd_devmap) in the
             private_data field. The devmap entries are not deleted
             when a device is set offline, and we already have proper
             locking and reference counting in place, so that we can
             safely get from a devmap to the other structures of
             a DASD device.

Server architecture(s):		  System z
Server type:			  s390x
General component:		  kernel
Other components involved:	  No

Does the server have the latest GA firmware?
  Yes.

Has the problem been shown to occur on more than one system?
  Yes.

Is a tested patch available?
  Yes.

If yes to the above, has it been approved upstream?
  The patch will be sent upstream for inclusion into a 2.6.39 release
  candidate.

What is the latest official Red Hat build on which this bug has been seen?
  RHEL 5.6


The patch has been tested and fixes the problem.

With best regards,
     Hendrik
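
The lookup pattern the Solution paragraph relies on, as an added userspace model (not the attached patch or the driver's code): private_data holds a long-lived devmap, and open reaches the device only through a locked, reference-counted lookup. All struct and function names below are hypothetical stand-ins, and a pthread mutex stands in for the driver's lock.

```c
/* Added userspace model of the fix, not the RHEL patch; all names are hypothetical. */
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>

struct device  { int refs; };               /* freed when the last reference drops */
struct devmap  { struct device *device; };  /* kept when the device goes offline */
struct gendisk { void *private_data; };     /* points at the devmap, not the device */
static pthread_mutex_t devmap_lock = PTHREAD_MUTEX_INITIALIZER;

/* devmap -> device under the lock, taking a reference; NULL when offline. */
struct device *device_get(struct devmap *map) {
    pthread_mutex_lock(&devmap_lock);
    struct device *dev = map->device;
    if (dev) dev->refs++;
    pthread_mutex_unlock(&devmap_lock);
    return dev;
}

void device_put(struct device *dev) {
    pthread_mutex_lock(&devmap_lock);
    if (--dev->refs == 0) free(dev);        /* last holder frees the device */
    pthread_mutex_unlock(&devmap_lock);
}

void set_offline(struct devmap *map) {      /* unlink first, then drop the ref */
    pthread_mutex_lock(&devmap_lock);
    struct device *dev = map->device;
    map->device = NULL;
    pthread_mutex_unlock(&devmap_lock);
    if (dev) device_put(dev);
}

int model_open(struct gendisk *disk) {      /* never reads a raw device pointer */
    struct device *dev = device_get(disk->private_data);
    if (!dev) return -ENODEV;               /* offline won the race */
    device_put(dev);                        /* a real open would hold it longer */
    return 0;
}

int main(void) {
    struct device *dev = calloc(1, sizeof(*dev));
    if (!dev) return 1;
    dev->refs = 1;                          /* reference owned by the devmap */
    struct devmap map = { dev };
    struct gendisk disk = { &map };
    int before = model_open(&disk);         /* 0 while online */
    set_offline(&map);
    return (before == 0 && model_open(&disk) == -ENODEV) ? 0 : 1;
}
```

An opener that already holds a reference when set_offline runs keeps the device alive until its own device_put; an opener that arrives afterwards sees NULL and fails with -ENODEV.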

Comment 1 IBM Bug Proxy 2011-04-11 13:31:19 UTC
Created attachment 491235
linux-2.6.18-s390-dasd-fix-open-offline-race.patch

Comment 4 Hendrik Brueckner 2011-04-15 13:26:47 UTC
The patch has been posted to rhkernel by Hendrik Brueckner <brueckner>

Comment 12 Jarod Wilson 2011-04-29 17:51:32 UTC
Patch(es) available in kernel-2.6.18-259.el5
You can download this test kernel (or newer) from http://people.redhat.com/jwilson/el5
Detailed testing feedback is always welcomed.

Comment 14 Martin Prpič 2011-06-02 13:32:10 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Setting a DASD (Direct Access Storage Device) device offline while another process was trying to open that device caused a race in the dasd_open function. The dasd_open function tried to read a pointer from the private_data field after the structure had already been freed, resulting in a dereference of an invalid pointer. With this update, the aforementioned pointer is now stored in a different structure, thus preventing the race condition.

Comment 17 errata-xmlrpc 2011-07-21 09:51:03 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-1065.html

