lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <AANLkTikUtGSJSaG=wsW8i0LzX66F3YwD_MroD-36jr1f@mail.gmail.com>
Date:	Wed, 12 Jan 2011 15:17:09 +0800
From:	Po-Yu Chuang <ratbert.chuang@...il.com>
To:	Nick Piggin <npiggin@...nel.dk>
Cc:	linux-kernel@...r.kernel.org, Dipankar Sarma <dipankar@...ibm.com>,
	"Paul E. McKenney" <paulmck@...ux.vnet.ibm.com>
Subject: rcu: hlist_bl_set_first_rcu hangs

Dear Nick,

I am porting arm-based platform from 2.6.35 to current mainline.
The compiler is gcc-4.4.0.

While booting, the kernel (mainline) hangs after
"RPC: Registered tcp NFSv4.1 backchannel transport module "
with similar configurations to 2.6.35.
Then I found that there is an infinite loop in hlist_bl_set_first_rcu hangs().

The call sequence is:

_d_rehash @fs/dcache.c
__d_rehash @fs/dcache.c
hlist_bl_add_head_rcu @include/linux/rculist_bl.h
hlist_bl_set_first_rcu @include/linux/rculist_bl.h

Current implementation of hlist_bl_set_first_rcu:

static inline void hlist_bl_set_first_rcu(struct hlist_bl_head *h,
                                        struct hlist_bl_node *n)
{
        LIST_BL_BUG_ON((unsigned long)n & LIST_BL_LOCKMASK);
        LIST_BL_BUG_ON(!((unsigned long)h->first & LIST_BL_LOCKMASK));
        rcu_assign_pointer(h->first,
                (struct hlist_bl_node *)((unsigned long)n | LIST_BL_LOCKMASK));
}

The infinite loop is caused by:
        LIST_BL_BUG_ON(!((unsigned long)h->first & LIST_BL_LOCKMASK));
If I comment out this line, the kernel boots well.

The problem looks like that LIST_BL_LOCKMASK is 0 if CONFIG_SMP=n
and CONFIG_DEBUG_SPINLOCK=n.

#if defined(CONFIG_SMP) || defined(CONFIG_DEBUG_SPINLOCK)
#define LIST_BL_LOCKMASK        1UL
#else
#define LIST_BL_LOCKMASK        0UL
#endif

Therefore !((unsigned long)h->first & LIST_BL_LOCKMASK) is always true.

I also have CONFIG_DEBUG_LIST=y, so boom! Kernel dies.

best regards,
Po-Yu Chuang
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ