Open Source and information security mailing list archives
Message-ID: <Pine.LNX.4.64.0804022058530.13737@artax.karlin.mff.cuni.cz>
Date:	Wed, 2 Apr 2008 21:20:33 +0200 (CEST)
From:	Mikulas Patocka <mikulas@...ax.karlin.mff.cuni.cz>
To:	torvalds@...ux-foundation.org
cc:	viro@...iv.linux.org.uk, linux-kernel@...r.kernel.org
Subject: [PATCH]: Fix SMP-reordering race in mark_buffer_dirty

Hi

It looks like someone overoptimized mark_buffer_dirty(). 

mark_buffer_dirty() is
void mark_buffer_dirty(struct buffer_head *bh)
{
        WARN_ON_ONCE(!buffer_uptodate(bh));
        if (!buffer_dirty(bh) && !test_set_buffer_dirty(bh))
                __set_page_dirty(bh->b_page, page_mapping(bh->b_page), 0);
}

That buffer_dirty() test is not atomic, it may be reordered with whatever 
else.

So suppose this race

CPU1:

write to buffer data
call mark_buffer_dirty()
test for !buffer_dirty(bh)

--- there is no synchronizing operation, so inside the CPU it may get 
reordered to:

test for !buffer_dirty(bh)
write to buffer data

CPU2:
clear_buffer_dirty(bh);
submit_bh(WRITE, bh);

The resulting operations may end up in this order:
CPU1: test for !buffer_dirty(bh) --- sees that the bit is set
CPU2: clear_buffer_dirty(bh);
CPU2: submit_bh(WRITE, bh);
CPU1: write to buffer data

So we have a clean buffer with modified data and this modification is 
going to be lost.

Mikulas


Signed-off-by: Mikulas Patocka <mikulas@...ax.karlin.mff.cuni.cz>

--- linux-2.6.25-rc8/fs/buffer.c_	2008-04-02 21:08:36.000000000 +0200
+++ linux-2.6.25-rc8/fs/buffer.c	2008-04-02 21:10:25.000000000 +0200
@@ -1180,6 +1180,12 @@
  */
 void mark_buffer_dirty(struct buffer_head *bh)
 {
+	/*
+	 * Make sure that the test for buffer_dirty(bh) is not reordered with
+	 * previous modifications to the buffer data.
+	 * -- mikulas
+	 */
+	smp_mb();
 	WARN_ON_ONCE(!buffer_uptodate(bh));
 	if (!buffer_dirty(bh) && !test_set_buffer_dirty(bh))
 		__set_page_dirty(bh->b_page, page_mapping(bh->b_page), 0);
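Review bot: the comment over smp_mb() states the ordering wanted on this CPU but not what it pairs with. In the race described, the other side is clear_buffer_dirty(bh) followed by submit_bh(WRITE, bh); a barrier only in mark_buffer_dirty() orders the data write against the buffer_dirty() test here, but does not order that path's bit clear against its read of the buffer data, so please name the pairing operation in the comment and confirm it provides that ordering. The barrier is also executed unconditionally, including when the buffer is already dirty, which is the case the plain !buffer_dirty(bh) test in front of test_set_buffer_dirty() keeps cheap, so the changelog should say a word about the cost. The "-- mikulas" line belongs in the changelog rather than in the code comment.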
--
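The race described in the message, as an added example (not part of the original post and not kernel code): a small C model that enumerates every interleaving of the two CPUs' store and load, letting a CPU without a barrier perform its load ahead of its own store. The function names and the two-variable model are assumptions made for illustration; the model says nothing about which barriers the real write-out path contains.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model, not kernel code. Two CPUs, two shared locations:
 *   writer : store data=1 ; [barrier] ; load dirty   (mark_buffer_dirty side)
 *   flusher: store dirty=0; [barrier] ; load data    (clear + submit side)
 * Without a barrier a CPU may perform its load before its own earlier store
 * becomes visible (store->load reordering). */
enum { ST, LD };

/* Run one interleaving; bit i of order picks which CPU does step i (0=writer). */
static bool lost(const int w[2], const int f[2], unsigned order)
{
    int data = 0, dirty = 1;            /* start: old data, dirty bit set */
    int saw_dirty = -1, saw_data = -1, wi = 0, fi = 0;
    for (int step = 0; step < 4; step++) {
        bool writer = !((order >> step) & 1);
        if (writer ? wi == 2 : fi == 2) return false;   /* invalid schedule */
        if (writer) { if (w[wi++] == ST) data = 1; else saw_dirty = dirty; }
        else        { if (f[fi++] == ST) dirty = 0; else saw_data = data; }
    }
    /* Writer saw the bit set, so it does not re-dirty; flusher submitted old data. */
    return saw_dirty == 1 && saw_data == 0;
}

/* True if any allowed execution ends with a clean buffer holding unwritten data. */
bool update_can_be_lost(bool writer_mb, bool flusher_mb)
{
    static const int in_order[2] = { ST, LD }, swapped[2] = { LD, ST };
    for (int wv = 0; wv <= !writer_mb; wv++)
        for (int fv = 0; fv <= !flusher_mb; fv++)
            for (unsigned order = 0; order < 16; order++)
                if (lost(wv ? swapped : in_order, fv ? swapped : in_order, order))
                    return true;
    return false;
}

int main(void)
{
    for (int w = 0; w < 2; w++)
        for (int f = 0; f < 2; f++)
            printf("writer mb=%d flusher mb=%d -> lost update possible: %d\n",
                   w, f, update_can_be_lost(w, f));
    return 0;
}
```

In this model the lost update disappears only when both sides keep their store ahead of their load; a barrier on one side alone still leaves a losing interleaving.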