701e054e0c
OpenVZ developers team has encountered the following problem in 2.6.19-rc6 kernel. After some seconds of running script while [[ 1 ]] do find /proc -name mountstats | xargs cat done this Oops appears: BUG: unable to handle kernel NULL pointer dereference at virtual address 00000010 printing eip: c01a6b70 *pde = 00000000 Oops: 0000 [#1] SMP Modules linked in: xt_length ipt_ttl xt_tcpmss ipt_TCPMSS iptable_mangle iptable_filter xt_multiport xt_limit ipt_tos ipt_REJECT ip_tables x_tables parport_pc lp parport sunrpc af_packet thermal processor fan button battery asus_acpi ac ohci_hcd ehci_hcd usbcore i2c_nforce2 i2c_core tg3 floppy pata_amd ide_cd cdrom sata_nv libata CPU: 1 EIP: 0060:[<c01a6b70>] Not tainted VLI EFLAGS: 00010246 (2.6.19-rc6 #2) EIP is at mountstats_open+0x70/0xf0 eax: 00000000 ebx: e6247030 ecx: e62470f8 edx: 00000000 esi: 00000000 edi: c01a6b00 ebp: c33b83c0 esp: f4105eb4 ds: 007b es: 007b ss: 0068 Process cat (pid: 6044, ti=f4105000 task=f4104a70 task.ti=f4105000) Stack: c33b83c0 c04ee940 f46a4a80 c33b83c0 e4df31b4 c01a6b00 f4105000 c0169231 e4df31b4 c33b83c0 c33b83c0 f4105f20 00000003 f4105000 c0169445 f2503cf0 f7f8c4c0 00008000 c33b83c0 00000000 00008000 c0169350 f4105f20 00008000 Call Trace: [<c01a6b00>] mountstats_open+0x0/0xf0 [<c0169231>] __dentry_open+0x181/0x250 [<c0169445>] nameidata_to_filp+0x35/0x50 [<c0169350>] do_filp_open+0x50/0x60 [<c01873d6>] seq_read+0xc6/0x300 [<c0169511>] get_unused_fd+0x31/0xc0 [<c01696d3>] do_sys_open+0x63/0x110 [<c01697a7>] sys_open+0x27/0x30 [<c01030bd>] sysenter_past_esp+0x56/0x79 ======================= Code: 45 74 8b 54 24 20 89 44 24 08 8b 42 f0 31 d2 e8 47 cb f8 ff 85 c0 89 c3 74 51 8d 80 a0 04 00 00 e8 46 06 2c 00 8b 83 48 04 00 00 <8b> 78 10 85 ff 74 03 f0 ff 07 b0 01 86 83 a0 04 00 00 f0 ff 4b EIP: [<c01a6b70>] mountstats_open+0x70/0xf0 SS:ESP 0068:f4105eb4 The problem is that task->nsproxy can be equal NULL for some time during task exit. This patch fixes the BUG. Signed-off-by: Vasily Tarasov <vtaras@openvz.org> Cc: Herbert Poetzl <herbert@13thfloor.at> Cc: "Serge E. Hallyn" <serue@us.ibm.com> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
55 lines
1.3 KiB
C
55 lines
1.3 KiB
C
#ifndef _LINUX_NSPROXY_H
|
|
#define _LINUX_NSPROXY_H
|
|
|
|
#include <linux/spinlock.h>
|
|
#include <linux/sched.h>
|
|
|
|
struct namespace;
|
|
struct uts_namespace;
|
|
struct ipc_namespace;
|
|
|
|
/*
|
|
* A structure to contain pointers to all per-process
|
|
* namespaces - fs (mount), uts, network, sysvipc, etc.
|
|
*
|
|
* 'count' is the number of tasks holding a reference.
|
|
* The count for each namespace, then, will be the number
|
|
* of nsproxies pointing to it, not the number of tasks.
|
|
*
|
|
* The nsproxy is shared by tasks which share all namespaces.
|
|
* As soon as a single namespace is cloned or unshared, the
|
|
* nsproxy is copied.
|
|
*/
|
|
struct nsproxy {
|
|
atomic_t count;
|
|
spinlock_t nslock;
|
|
struct uts_namespace *uts_ns;
|
|
struct ipc_namespace *ipc_ns;
|
|
struct namespace *namespace;
|
|
};
|
|
extern struct nsproxy init_nsproxy;
|
|
|
|
struct nsproxy *dup_namespaces(struct nsproxy *orig);
|
|
int copy_namespaces(int flags, struct task_struct *tsk);
|
|
void get_task_namespaces(struct task_struct *tsk);
|
|
void free_nsproxy(struct nsproxy *ns);
|
|
|
|
static inline void put_nsproxy(struct nsproxy *ns)
|
|
{
|
|
if (atomic_dec_and_test(&ns->count)) {
|
|
free_nsproxy(ns);
|
|
}
|
|
}
|
|
|
|
static inline void exit_task_namespaces(struct task_struct *p)
|
|
{
|
|
struct nsproxy *ns = p->nsproxy;
|
|
if (ns) {
|
|
task_lock(p);
|
|
p->nsproxy = NULL;
|
|
task_unlock(p);
|
|
put_nsproxy(ns);
|
|
}
|
|
}
|
|
#endif
|