lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 06 Oct 2009 15:02:05 +0800
From:	Amerigo Wang <amwang@...hat.com>
To:	David Howells <dhowells@...hat.com>
CC:	linux-kernel@...r.kernel.org,
	Brian Behlendorf <behlendorf1@...l.gov>,
	Ben Woodard <bwoodard@...l.gov>,
	Stable Team <stable@...nel.org>, akpm@...ux-foundation.org
Subject: Re: [Patch v2] rwsem: fix rwsem_is_locked() bugs

David Howells wrote:
> Amerigo Wang <amwang@...hat.com> wrote:
> 
>> -	return (sem->activity != 0);
>> +	return !(sem->activity == 0 && list_empty(&sem->wait_list));
> 
> This needs to be done in the opposite order with an smp_rmb() between[*], I
> think, because the someone releasing the lock will first reduce activity to
> zero, and then attempt to empty the list, so with your altered code as it
> stands, you can get:
> 
> 	CPU 1				CPU 2
> 	===============================	===============================
> 	[sem is read locked, 1 queued writer]
> 	-->up_read()
> 	sem->activity--			-->rwsem_is_locked()
> 	[sem->activity now 0]		sem->activity == 0 [true]
> 					<interrupt>
> 	-->__rwsem_do_wake()
> 	sem->activity = -1
> 	[sem->activity now !=0]
> 	list_del()
> 	[sem->wait_list now empty]	</interrupt>
> 					list_empty(&sem->wait_list) [true]
> 	wake_up_process()
> 	<--__rwsem_do_wake()
> 	<--up_read()
> 	[sem is write locked]		return false [ie. sem is not locked]
> 
> In fact, I don't think even swapping things around addresses the problem.  You
> do not prevent the state inside the sem changing under you whilst you try to
> interpret it.

Hmm, right. I think we have to disable irq and preempt here, so
probably spin_trylock_irq() is a good choice.

Since if we have locks, we don't need memory barriers any more, right?

I just sent out the updated patch.

Thanks!
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ