| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 26 Apr 2012 01:14:57 +0400 From: Stanislav Kinsbursky <skinsbursky@...allels.com> To: "J. Bruce Fields" <bfields@...ldses.org> CC: "linux-nfs@...r.kernel.org" <linux-nfs@...r.kernel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "devel@...nvz.org" <devel@...nvz.org> Subject: Re: [PATCH v2] SUNRPC: skip dead but not buried clients on PipeFS events 25.04.2012 21:30, J. Bruce Fields написал: > On Fri, Apr 20, 2012 at 06:11:02PM +0400, Stanislav Kinsbursky wrote: >> v2: atomic_inc_return() was replaced by atomic_inc_not_zero(). >> >> These clients can't be safely dereferenced if their counter in 0. > I'm pretty confused by how these notifiers work.... There were made as simple as possible - i.e. notifier holds a client while creating of destroying PipeFS dentries. But event in this case there were races. > rpc_release_client decrements cl_count to zero temporarily, to have it > immediately re-incremented by rpc_free_auth. BTW, I'm really confused with these re-incrementing reference counter technic. It makes life-time of RPC client unpredictable. Is this a real-world valid situation, when usage of it reached zero, but while we destroying auth, there can some other user of client appear and client become alive again? It it was done just to make sure that client is still active while we destroying auth, then maybe we can just remove the client from the clients list before rpc_free_auth? It will simplify the notifier callback logic greatly... > So if we're called concurrently with rpc_release_client then it's sort > of random whether someone gets this callback. > > Is that a problem? > > Also, is this an existing bug? (In which case Trond should take it > now.) This is probably not a bug (I can't llok at the code right now; because these dentries will be destroyed), but a flaw. Today (without this patch) notifier can try to create dentries for clients, which are dead already (i.e. auth was destroyed and client is going to be destroyed very soon, but notifier gained lock first. > > --b. > >> Signed-off-by: Stanislav Kinsbursky<skinsbursky@...allels.com> >> >> --- >> net/sunrpc/clnt.c | 3 ++- >> 1 files changed, 2 insertions(+), 1 deletions(-) >> >> diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c >> index 6797246..d10ebc4 100644 >> --- a/net/sunrpc/clnt.c >> +++ b/net/sunrpc/clnt.c >> @@ -218,7 +218,8 @@ static struct rpc_clnt *rpc_get_client_for_event(struct net *net, int event) >> if (((event == RPC_PIPEFS_MOUNT)&& clnt->cl_dentry) || >> ((event == RPC_PIPEFS_UMOUNT)&& !clnt->cl_dentry)) >> continue; >> - atomic_inc(&clnt->cl_count); >> + if (atomic_inc_not_zero(&clnt->cl_count) == 0) >> + continue; >> spin_unlock(&sn->rpc_client_lock); >> return clnt; >> } >> -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists