| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 27 Oct 2006 15:27:25 -0400 From: Jeff Moyer <jmoyer@...hat.com> To: Zach Brown <zach.brown@...cle.com> Cc: Andrew Morton <akpm@...l.org>, linux-kernel@...r.kernel.org Subject: Re: [PATCH] dio: lock refcount operations ==> Regarding [PATCH] dio: lock refcount operations; Zach Brown <zach.brown@...cle.com> adds: zach.brown> dio: lock refcount operations The wait_for_more_bios() function zach.brown> name was poorly chosen. While looking to clean it up it I zach.brown> noticed that the dio struct refcounting between the bio zach.brown> completion and dio submission paths was racey. zach.brown> The bio submission path was simply freeing the dio struct if zach.brown> atomic_dec_and_test() indicated that it dropped the final zach.brown> reference. zach.brown> The aio bio completion path was dereferencing its dio struct zach.brown> pointer *after dropping its reference* based on the remaining zach.brown> number of references. zach.brown> These two paths could race and result in the aio bio completion zach.brown> path dereferencing a freed dio, though this was not observed in zach.brown> the wild. I don't believe that this can happen. dio_bio_end_aio will only reference the dio if (remaining == 1 && waiter_holds_ref). If the waiter is holding the reference, then the bio submission path would not have dropped its reference yet! -Jeff - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists