lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <22214.1254748402@redhat.com>
Date:	Mon, 05 Oct 2009 14:13:22 +0100
From:	David Howells <dhowells@...hat.com>
To:	Amerigo Wang <amwang@...hat.com>
Cc:	dhowells@...hat.com, linux-kernel@...r.kernel.org,
	Brian Behlendorf <behlendorf1@...l.gov>,
	Ben Woodard <bwoodard@...l.gov>,
	Stable Team <stable@...nel.org>, akpm@...ux-foundation.org
Subject: Re: [Patch v2] rwsem: fix rwsem_is_locked() bugs

Amerigo Wang <amwang@...hat.com> wrote:

> -	return (sem->activity != 0);
> +	return !(sem->activity == 0 && list_empty(&sem->wait_list));

This needs to be done in the opposite order with an smp_rmb() between[*], I
think, because the someone releasing the lock will first reduce activity to
zero, and then attempt to empty the list, so with your altered code as it
stands, you can get:

	CPU 1				CPU 2
	===============================	===============================
	[sem is read locked, 1 queued writer]
	-->up_read()
	sem->activity--			-->rwsem_is_locked()
	[sem->activity now 0]		sem->activity == 0 [true]
					<interrupt>
	-->__rwsem_do_wake()
	sem->activity = -1
	[sem->activity now !=0]
	list_del()
	[sem->wait_list now empty]	</interrupt>
					list_empty(&sem->wait_list) [true]
	wake_up_process()
	<--__rwsem_do_wake()
	<--up_read()
	[sem is write locked]		return false [ie. sem is not locked]

In fact, I don't think even swapping things around addresses the problem.  You
do not prevent the state inside the sem changing under you whilst you try to
interpret it.

[*] there would also need to be an smp_wmb() between the update of
    sem->activity and the deletion from sem->wait_list to balance out the
    smp_rmb().

David
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ