| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 20 Aug 2012 08:12:18 +0300 From: "Michael S. Tsirkin" <mst@...hat.com> To: Rusty Russell <rusty@...tcorp.com.au> Cc: Rafael Aquini <aquini@...hat.com>, linux-mm@...ck.org, linux-kernel@...r.kernel.org, virtualization@...ts.linux-foundation.org, Rik van Riel <riel@...hat.com>, Mel Gorman <mel@....ul.ie>, Andi Kleen <andi@...stfloor.org>, Andrew Morton <akpm@...ux-foundation.org>, Konrad Rzeszutek Wilk <konrad.wilk@...cle.com>, Minchan Kim <minchan@...nel.org> Subject: Re: [PATCH v7 2/4] virtio_balloon: introduce migration primitives to balloon pages On Mon, Aug 20, 2012 at 11:59:11AM +0930, Rusty Russell wrote: > On Wed, 15 Aug 2012 17:40:19 +0300, "Michael S. Tsirkin" <mst@...hat.com> wrote: > > On Wed, Aug 15, 2012 at 09:34:58AM -0300, Rafael Aquini wrote: > > > On Tue, Aug 14, 2012 at 10:31:09PM +0300, Michael S. Tsirkin wrote: > > > > > > now CPU1 executes the next instruction: > > > > > > > > > > > > } > > > > > > > > > > > > which would normally return to function's caller, > > > > > > but it has been overwritten by CPU2 so we get corruption. > > > > > > > > > > > > No? > > > > > > > > > > At the point CPU2 is unloading the module, it will be kept looping at the > > > > > snippet Rusty pointed out because the isolation / migration steps do not mess > > > > > with 'vb->num_pages'. The driver will only unload after leaking the total amount > > > > > of balloon's inflated pages, which means (for this hypothetical case) CPU2 will > > > > > wait until CPU1 finishes the putaback procedure. > > > > > > > > > > > > > Yes but only until unlock finishes. The last return from function > > > > is not guarded and can be overwritten. > > > > > > CPU1 will be returning to putback_balloon_page() which code is located at core > > > mm/compaction.c, outside the driver. > > > > Sorry, I don't seem to be able to articulate this clearly. > > But this is a correctness issue so I am compelled to try again. > > But if there are 0 balloon pages, how is it migrating a page? It could be we just finished migrating a page dropped page lock and are 1 instruction away from returning from callback. > > In the end the rule is simple: you can not > > prevent module unloading from within module > > itself. It always must be the caller of your > > module that uses some lock to do this. > > Not quite. If you clean up everything in your cleanup function, it also > works, No, we also need a way to make sure we returned to caller, this is missing here. > which is what this does, right? > > Cheers, > Rusty. This makes sure callback was invoked but not that it returned to caller. All will be well if callbacks are done in rcu critical section and we synchronise it before unload. -- MST -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists