lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20080110163635.33e7640e.akpm@linux-foundation.org>
Date:	Thu, 10 Jan 2008 16:36:35 -0800
From:	Andrew Morton <akpm@...ux-foundation.org>
To:	Jan Kara <jack@...e.cz>
Cc:	linux-kernel@...r.kernel.org, supriyak@...ibm.com
Subject: Re: [PATCH] Fix private_list handling

On Thu, 10 Jan 2008 16:55:13 +0100
Jan Kara <jack@...e.cz> wrote:

>   Hi,
> 
>   sorry for the previous empty email...
> 
>   Supriya noted in his testing that sometimes buffers removed by
> __remove_assoc_queue() don't have b_assoc_mapping set (and thus IO error
> won't be properly propagated). Actually, looking more into the code I found
> there are some more races. The patch below should fix them. It survived
> beating with LTP and fsstress on ext2 filesystem on my testing machine so
> it should be reasonably bugfree... Andrew, would you put the patch into
> -mm? Thanks.
> 
> 								Honza
> -- 
> Jan Kara <jack@...e.cz>
> SUSE Labs, CR
> ---
> 
> There are two possible races in handling of private_list in buffer cache.
> 1) When fsync_buffers_list() processes a private_list, it clears
> b_assoc_mapping and moves buffer to its private list. Now drop_buffers() comes,
> sees a buffer is on list so it calls __remove_assoc_queue() which complains
> about b_assoc_mapping being cleared (as it cannot propagate possible IO error).
> This race has been actually observed in the wild.

private_lock should prevent this race.

Which call to drop_buffers() is the culprit?  The first one in
try_to_free_buffers(), I assume?  The "can this still happen?" one?

If so, it can happen.  How?  Perhaps this is a bug.

> 2) When fsync_buffers_list() processes a private_list,
> mark_buffer_dirty_inode() can be called on bh which is already on the private
> list of fsync_buffers_list(). As buffer is on some list (note that the check is
> performed without private_lock), it is not readded to the mapping's
> private_list and after fsync_buffers_list() finishes, we have a dirty buffer
> which should be on private_list but it isn't. This race has not been reported,
> probably because most (but not all) callers of mark_buffer_dirty_inode() hold
> i_mutex and thus are serialized with fsync().

Maybe fsync_buffers_list should put the buffer back onto private_list if it
got dirtied again.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ