race in fsnotify subsystem causes kernel oops

Bug #1096137 reported by Chris J Arges on 2013-01-04
Affects          Status         Importance   Assigned to      Milestone
Linux            Fix Released   Medium
linux (Ubuntu)                  High         Chris J Arges
  Precise                       High         Chris J Arges
  Quantal                       High         Chris J Arges
  Raring                        High         Chris J Arges

Bug Description

This race can be triggered by plugging and unplugging a usb disk.

Related upstream bug: https://bugzilla.kernel.org/show_bug.cgi?id=22602

Previous bug: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/922906
This was fixed in the above bug using patches that were not yet mainline. This bug aims to re-introduce the fix using the proper mainline patches.

--

SRU Justification:

Impact:
When plugging and unplugging a USB drive, a race condition in the notify subsystem occasionally causes a kernel oops.

Fix:
A set of patches from upstream addresses this issue; these should already
be present in raring.

Here are the commit hashes:

Testcase:
Comments #8 and #9 in the upstream bug (https://bugzilla.kernel.org/show_bug.cgi?id=22602) have a test case that easily reproduces this issue within 15-30 minutes. I have applied the above fixes and was able to run this test case overnight in all cases.
In addition, I've tested using the LTP tests for inotify, and these run properly with the fix applied.

Chris J Arges (arges) on 2013-01-04
Changed in linux (Ubuntu Quantal):
assignee: nobody → Chris J Arges (christopherarges)
Changed in linux (Ubuntu Precise):
assignee: nobody → Chris J Arges (christopherarges)
importance: Undecided → High
Changed in linux (Ubuntu Quantal):
importance: Undecided → High
Changed in linux (Ubuntu Precise):
status: New → In Progress
Changed in linux (Ubuntu Quantal):
status: New → In Progress
Changed in linux:
importance: Unknown → Medium
status: Unknown → Expired
Luis Henriques (henrix) wrote :

I'm tagging this bug as verified for Precise: running the reproducer (https://lkml.org/lkml/2012/12/20/536) with the kernel in -updates causes an oops; running it with the -proposed kernel doesn't.

tags: added: verification-done-precise
Luis Henriques (henrix) on 2013-01-10
tags: added: verification-done-quantal
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.2.0-36.57

---------------
linux (3.2.0-36.57) precise-proposed; urgency=low

  [Luis Henriques]

  * Release Tracking Bug
    - LP: #1097389

  [ Chris J Arges ]

  * Revert "SAUCE: fsnotify: dont put marks on temporary list when clearing
    marks by group"
    - LP: #1096137
  * Revert "SAUCE: fsnotify: introduce locked versions of
    fsnotify_add_mark() and fsnotify_remove_mark()"
    - LP: #1096137
  * Revert "SAUCE: fsnotify: pass group to fsnotify_destroy_mark()"
    - LP: #1096137
  * Revert "SAUCE: fsnotify: use a mutex instead of a spinlock to protect a
    groups mark list"
    - LP: #1096137
  * Revert "SAUCE: fanotify: add an extra flag to mark_remove_from_mask
    that indicates wheather a mark should be destroyed"
    - LP: #1096137
  * Revert "SAUCE: fsnotify: take groups mark_lock before mark lock"
    - LP: #1096137
  * Revert "SAUCE: fsnotify: use reference counting for groups"
    - LP: #1096137
  * Revert "SAUCE: fsnotify: introduce fsnotify_get_group()"
    - LP: #1096137

  [ Upstream Kernel Changes ]

  * fsnotify: introduce fsnotify_get_group()
    - LP: #1096137
  * fsnotify: use reference counting for groups
    - LP: #1096137
  * fsnotify: take groups mark_lock before mark lock
    - LP: #1096137
  * fanotify: add an extra flag to mark_remove_from_mask that indicates
    wheather a mark should be destroyed
    - LP: #1096137
  * fsnotify: use a mutex instead of a spinlock to protect a groups mark
    list
    - LP: #1096137
  * fsnotify: pass group to fsnotify_destroy_mark()
    - LP: #1096137
  * fsnotify: introduce locked versions of fsnotify_add_mark() and
    fsnotify_remove_mark()
    - LP: #1096137
  * fsnotify: dont put marks on temporary list when clearing marks by group
    - LP: #1096137
  * fsnotify: change locking order
    - LP: #1096137

linux (3.2.0-36.56) precise-proposed; urgency=low

  [Brad Figg]

  * Release Tracking Bug
    - LP: #1095351

  [ Chris J Arges ]

  * SAUCE: add eeprom_bad_csum_allow module parameter
    - LP: #1070182

  [ Colin Ian King ]

  * SAUCE: samsung-laptop: disable in UEFI mode
    - LP: #1040557

  [ Herton Ronaldo Krzesinski ]

  * SAUCE: usb: cdc-wdm: fix regression on buffer deallocation
    - LP: #1074157

  [ Kees Cook ]

  * SAUCE: exec: do not leave bprm->interp on stack
    - LP: #1068888
    - CVE-2012-4530

  [ Leann Ogasawara ]

  * Add ceph to virtual kernel flavor
    - LP: #1063784

  [ Lino Sanfilippo ]

  * SAUCE: fsnotify: introduce fsnotify_get_group()
    - LP: #922906
  * SAUCE: fsnotify: use reference counting for groups
    - LP: #922906
  * SAUCE: fsnotify: take groups mark_lock before mark lock
    - LP: #922906
  * SAUCE: fanotify: add an extra flag to mark_remove_from_mask that
    indicates wheather a mark should be destroyed
    - LP: #922906
  * SAUCE: fsnotify: use a mutex instead of a spinlock to protect a groups
    mark list
    - LP: #922906
  * SAUCE: fsnotify: pass group to fsnotify_destroy_mark()
    - LP: #922906
  * SAUCE: fsnotify: introduce locked versions of fsnotify_add_mark() and
    fsnotify_remove_mark()
    - LP: #922906
  * SAUCE: fsnotify: dont put marks on temporary list when ...

Changed in linux (Ubuntu Precise):
status: In Progress → Fix Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates, please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.5.0-22.34

---------------
linux (3.5.0-22.34) quantal-proposed; urgency=low

  [Luis Henriques]

  * Release Tracking Bug
    - LP: #1097343

  [ Chris J Arges ]

  * Revert "SAUCE: fsnotify: dont put marks on temporary list when clearing
    marks by group"
    - LP: #1096137
  * Revert "SAUCE: fsnotify: introduce locked versions of
    fsnotify_add_mark() and fsnotify_remove_mark()"
    - LP: #1096137
  * Revert "SAUCE: fsnotify: pass group to fsnotify_destroy_mark()"
    - LP: #1096137
  * Revert "SAUCE: fsnotify: use a mutex instead of a spinlock to protect a
    groups mark list"
    - LP: #1096137
  * Revert "SAUCE: fanotify: add an extra flag to mark_remove_from_mask
    that indicates wheather a mark should be destroyed"
    - LP: #1096137
  * Revert "SAUCE: fsnotify: take groups mark_lock before mark lock"
    - LP: #1096137
  * Revert "SAUCE: fsnotify: use reference counting for groups"
    - LP: #1096137
  * Revert "SAUCE: fsnotify: introduce fsnotify_get_group()"
    - LP: #1096137

  [ Upstream Kernel Changes ]

  * fsnotify: introduce fsnotify_get_group()
    - LP: #1096137
  * fsnotify: use reference counting for groups
    - LP: #1096137
  * fsnotify: take groups mark_lock before mark lock
    - LP: #1096137
  * fanotify: add an extra flag to mark_remove_from_mask that indicates
    wheather a mark should be destroyed
    - LP: #1096137
  * fsnotify: use a mutex instead of a spinlock to protect a groups mark
    list
    - LP: #1096137
  * fsnotify: pass group to fsnotify_destroy_mark()
    - LP: #1096137
  * fsnotify: introduce locked versions of fsnotify_add_mark() and
    fsnotify_remove_mark()
    - LP: #1096137
  * fsnotify: dont put marks on temporary list when clearing marks by group
    - LP: #1096137
  * fsnotify: change locking order
    - LP: #1096137

linux (3.5.0-22.33) quantal-proposed; urgency=low

  [Brad Figg]

  * Release Tracking Bug
    - LP: #1095349

  [ Chris J Arges ]

  * SAUCE: add eeprom_bad_csum_allow module parameter
    - LP: #1070182

  [ Colin Ian King ]

  * SAUCE: samsung-laptop: disable in UEFI mode
    - LP: #1040557

  [ Kees Cook ]

  * SAUCE: exec: do not leave bprm->interp on stack
    - LP: #1068888
    - CVE-2012-4530

  [ Leann Ogasawara ]

  * Add ceph to linux-image for virtual instances
    - LP: #1063784

  [ Lino Sanfilippo ]

  * SAUCE: fsnotify: introduce fsnotify_get_group()
    - LP: #922906
  * SAUCE: fsnotify: use reference counting for groups
    - LP: #922906
  * SAUCE: fsnotify: take groups mark_lock before mark lock
    - LP: #922906
  * SAUCE: fanotify: add an extra flag to mark_remove_from_mask that
    indicates wheather a mark should be destroyed
    - LP: #922906
  * SAUCE: fsnotify: use a mutex instead of a spinlock to protect a groups
    mark list
    - LP: #922906
  * SAUCE: fsnotify: pass group to fsnotify_destroy_mark()
    - LP: #922906
  * SAUCE: fsnotify: introduce locked versions of fsnotify_add_mark() and
    fsnotify_remove_mark()
    - LP: #922906
  * SAUCE: fsnotify: dont put marks on temporary list when clearing marks
    by group
    - LP: #922906

  [ Tomas Hozza ]

  * SAUCE: tools: hv: Netlink source a...

Changed in linux (Ubuntu Quantal):
status: In Progress → Fix Released
Changed in linux:
status: Expired → Fix Released
Changed in linux (Ubuntu Raring):
status: In Progress → Fix Released
Changed in linux (Ubuntu):
status: In Progress → Fix Released