patch set for #90289
nmav at redhat.com
Wed Jun 24 01:25:34 PDT 2015
On Wed, 2015-06-24 at 09:18 +0100, David Woodhouse wrote:
> On Wed, 2015-06-24 at 10:03 +0200, Nikos Mavrogiannopoulos wrote:
> > This patch set eliminates two issues in the proxy module:
> > 1. A process using the proxy module would crash if at some point
> > after
> > initializing it would fork(). - patch set 0001-0002
> > 2. A process using the proxy module would call C_Finalize in a
> > child
> > process. - patch set 0003-0004
> Thanks for looking at this.
> Bug 90289 wasn't a 'crash' but a deadlock, wasn't it? Or is that what
> you meant?
Indeed 90289 wasn't a crash. But applying the fix for it reveals the
crash solved by the second patch.
> Your test case in patch #1 is actually *invalid* behaviour — the
> thing the child calls MUST by C_Initialize(). Calling C_Finalize() in
> the child without C_Initialize() first is broken.
While it is broken with respect to PKCS #11 standard a crash on the
parent process should not happen no matter what the child process does
(or does not).
> It's OK to ensure that p11-kit-proxy.so copes with that, but it's
> probably best to explicitly note in the test case that it's not
> guaranteed to work on modules in the general case. And if we want to
> allow people to generally call C_Finalize() on p11-kit-proxy.so, we
> also need to ensure that *doesn't* translate to invalid C_Finalize()
> calls into the modules that it's loaded.
> I posted a different test case, a week or two ago, to check for the
> deadlock in the *valid* case of the child calling C_Initialize().
Isn't the one included in my patch set?
More information about the p11-glue