Re: fs/pipe.c null pointer dereference

From: Earl Chew
Date: Thu Oct 15 2009 - 23:42:07 EST

Previous message: Earl Chew: "Re: fs/pipe.c null pointer dereference"
In reply to: Earl Chew: "Re: fs/pipe.c null pointer dereference"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Earl Chew wrote:

Is this possible via /proc/pid/fd/* ?

The window for failure is small. It's easiest to reproduce
this problem by stalling pipe_rdwr_open() to open up the
window:

--- pipe.c.orig 2009-10-15 20:33:53.000000000 -0700
+++ pipe.c 2009-10-15 20:17:40.000000000 -0700
@@ -736,2 +736,3 @@
{
+ msleep(100);
mutex_lock(&inode->i_mutex);

With the failure window widened, it's easy to reproduce
the failure with:

--------------------------------------------------------------
#!/bin/sh

while : ; do
{ echo y ; sleep 1 ; } | { while read ; do echo z$REPLY; done ; } &
PID=$!
OUT=$(ps -efl | grep 'sleep 1' | grep -v grep |
{ read PID REST ; echo $PID; } )
OUT="${OUT%% *}"
DELAY=$((RANDOM * 1000 / 32768))
usleep $((DELAY * 1000 + RANDOM % 1000 ))
echo n > /proc/$OUT/fd/1
done
--------------------------------------------------------------

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Previous message: Earl Chew: "Re: fs/pipe.c null pointer dereference"
In reply to: Earl Chew: "Re: fs/pipe.c null pointer dereference"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]