| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20180111090447.gymhnet7sxx4yqkl@quack2.suse.cz>
Date: Thu, 11 Jan 2018 10:04:47 +0100
From: Jan Kara <jack@...e.cz>
To: Theodore Ts'o <tytso@....edu>
Cc: Jan Kara <jack@...e.cz>, Andrew Morton <akpm@...ux-foundation.org>,
Jiang Biao <jiang.biao2@....com.cn>,
linux-fsdevel@...r.kernel.org, linux-ext4@...r.kernel.org,
ebiggers@...gle.com, zhong.weidong@....com.cn
Subject: Re: [PATCH v2] fs/mbcache: make sure mb_cache_count() not return
negative value.
On Wed 10-01-18 15:11:37, Theodore Ts'o wrote:
> On Wed, Jan 10, 2018 at 04:02:23PM +0100, Jan Kara wrote:
> > So I don't think this can be a problem. Look, mb_cache_shrink() holds
> > c_list_lock. It will take first entry from cache->c_list - this list is
> > using list_head entry->e_list and so we are guaranteed entry->e_list is
> > non-empty.
> >
> > The other place deleting entry - mb_cache_entry_delete() - which is using
> > different list to grab the entry is properly checking for
> > !list_empty(entry->e_list) after acquiring c_list_lock.
>
> Hmm... you're right. How we handle the hlist_bl_lock and c_list_lock
> still creeps me out a bit, but it's not going to cause the potential
> problem. I think there is a problem if mb_cache_entry_create() races
> with mb_cache_delete(), but that will result in an entry being on the
> c_list while not being on the hash list, and it doesn't cause the
> c_entry_count to get out of sync with reality.
So that is actually an interesting scenario. If mb_cache_entry_delete() for
(key, value) could happen at the same moment as mb_cache_entry_create() for
the same (key, value) pair, the whole thing could race like:
mb_cache_entry_create() mb_cache_entry_delete()
alloc and init 'entry'
hlist_bl_lock(head);
search hash, found nothing
hlist_bl_add_head(&entry->e_hash_list, head);
hlist_bl_unlock(head);
hlist_bl_lock(head);
search hash, found 'entry'
hlist_bl_del_init(&entry->e_hash_list);
hlist_bl_unlock(head);
spin_lock(&cache->c_list_lock);
if (!list_empty(&entry->e_list))
false
spin_unlock(&cache->c_list_lock);
mb_cache_entry_put(cache, entry);
- drops last reference, entry
gets freed
spin_lock(&cache->c_list_lock);
list_add_tail(&entry->e_list, &cache->c_list);
atomic_inc(&entry->e_refcnt);
...
- and we have added freed entry to LRU, from this point on anything could
happen.
Now I don't see how this could really happen with the way how ext4 uses
mbache as we call mb_cache_entry_delete() only when xattr block refcount
would drop to 0 (i.e., the last inode referencing the block deletes its
xattr) and then there's nobody to try to insert the same block into the
cache at the same time (xattr_sem protects this) but then ext4 locking in
this area is hairy enough that I could be missing something.
This is relatively easy for mbcache to tolerate but first I'd like to know
whether ext4 indeed can trigger the behavior as that might indicate ext4
bug which would be just hidden by the mbcache fix.
Jiang, can you please run with the attached patch and see whether the
WARN_ON triggers before the entry count goes wrong? Thanks!
Honza
--
Jan Kara <jack@...e.com>
SUSE Labs, CR
View attachment "0001-mbcache-WARN-if-entry-was-already-freed-when-adding-.patch" of type "text/x-patch" (867 bytes)
Powered by blists - more mailing lists