fs: initialize resize_wait wait queue of init task

Commit Message

Daeho Jeong June 14, 2017, 12:27 a.m. UTC

We don't initialize resize_wait of init task now and all the kernel
threads share this uninitialized resize_wait wait queue because they
are sharing the file table of init task. Therefore, when expanding
this file table shared by the kernel threads, we encounter kernel panic
by accessing the NULL resize_wait wait queue.

Signed-off-by: Daeho Jeong <daeho.jeong@samsung.com>
Tested-by: Youngjin Gil <youngjin.gil@samsung.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Fixes: 8a81252b774b ("fs/file.c: don't acquire files->file_lock in
fd_install()")
---
 fs/file.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Al Viro June 15, 2017, 11:16 a.m. UTC | #1

On Wed, Jun 14, 2017 at 09:27:21AM +0900, Daeho Jeong wrote:
> We don't initialize resize_wait of init task now and all the kernel
> threads share this uninitialized resize_wait wait queue because they
> are sharing the file table of init task. Therefore, when expanding
> this file table shared by the kernel threads, we encounter kernel panic
> by accessing the NULL resize_wait wait queue.

*shrug*

Not a problem, but kernel threads playing with init_files are seriously
asking for trouble.  It *is* shared and uncooperating threads playing
with shared descriptor table can fuck up very easily.  I can apply that,
but it might make more sense to restrict the use of that thing...

Patch

diff --git a/fs/file.c b/fs/file.c
index ad6f094f2eff..74748c32e07a 100644
--- a/fs/file.c
+++ b/fs/file.c
@@ -475,6 +475,7 @@  struct files_struct init_files = {
 		.full_fds_bits	= init_files.full_fds_bits_init,
 	},
 	.file_lock	= __SPIN_LOCK_UNLOCKED(init_files.file_lock),
+	.resize_wait	= __WAIT_QUEUE_HEAD_INITIALIZER(init_files.resize_wait),
 };
 
 static unsigned int find_next_fd(struct fdtable *fdt, unsigned int start)