lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Mon, 2 Sep 2013 14:30:47 +0800
From:	Zhi Yong Wu <zwu.kernel@...il.com>
To:	Michel Lespinasse <walken@...gle.com>
Cc:	linux-kernel mlist <linux-kernel@...r.kernel.org>,
	akpm@...ux-foundation.org, Zhi Yong Wu <wuzhy@...ux.vnet.ibm.com>
Subject: Re: [PATCH] rbtree: Add some necessary condition checks

In Tue, Aug 27, 2013 at 6:01 AM, Michel Lespinasse <walken@...gle.com> wrote:
> On Fri, Aug 23, 2013 at 7:45 AM,  <zwu.kernel@...il.com> wrote:
>> From: Zhi Yong Wu <wuzhy@...ux.vnet.ibm.com>
>>
>> Signed-off-by: Zhi Yong Wu <wuzhy@...ux.vnet.ibm.com>
>> ---
>>  include/linux/rbtree_augmented.h | 3 ++-
>>  lib/rbtree.c                     | 5 +++--
>>  2 files changed, 5 insertions(+), 3 deletions(-)
>
> So, you are saying that the checks are necessary, but you are not saying why.
>
> The way I see it, the checks are *not* necessary, because the rbtree
> invariants guarantee them to be true. The only way for the checks to
> fail would be if people directly manipulate the rbtrees without going
> through the proper APIs, and if they do that then I think they're on
> their own. So to me, I think it's the same situation as dereferencing
> a pointer without checking if it's NULL, because you know it should
> never be NULL - which in my eyes is perfectly acceptable.
In my patchset, some rbtree APIs to be invoked, and I think that those
rbtree APIs are used corrently, Below is the pointer of its code:
https://github.com/wuzhy/kernel/compare/torvalds:master...hot_tracking
But I hit some issues when using compilebench to do perf benchmark.
compile dir kernel-7 691MB in 8.92 seconds (77.53 MB/s)
[  411.597890] general protection fault: 0000 [#1] SMP
[  411.598011] Modules linked in:
[  411.598011] CPU: 0 PID: 24 Comm: kswapd0 Not tainted 3.11.0-rc7+ #1235
[  411.598011] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[  411.598011] task: ffff88029366df70 ti: ffff88029211e000 task.ti:
ffff88029211e000
[  411.598011] RIP: 0010:[<ffffffff8149952d>]  [<ffffffff8149952d>]
rb_erase+0x1bd/0x390
[  411.598011] RSP: 0018:ffff88029211fb38  EFLAGS: 00010206
[  411.598011] RAX: ffff8801484805f8 RBX: ffff8801484804e0 RCX: 00ffff880155f00a
[  411.598011] RDX: ffff880155f00ae1 RSI: ffff880288630000 RDI: ffff880155f00ad8
[  411.598011] RBP: ffff88029211fb38 R08: ffff880155f00ae1 R09: 0000000000000000
[  411.598011] R10: ffff8801484805f8 R11: 0000000000000000 R12: ffff880288630000
[  411.598011] R13: ffff880148480520 R14: 0000000000003af0 R15: ffff8801484805b0
[  411.598011] FS:  0000000000000000(0000) GS:ffff88029fc00000(0000)
knlGS:0000000000000000
[  411.598011] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[  411.598011] CR2: 00000000f7798000 CR3: 000000028a69d000 CR4: 00000000000006f0
[  411.598011] Stack:
[  411.598011]  ffff88029211fb68 ffffffff811dd6f9 ffff8801484804e0
ffff880288630000
[  411.598011]  ffffffff811dd1d0 0000000000003af0 ffff88029211fb78
ffffffff811dd79c
[  411.598011]  ffff88029211fbe8 ffffffff811dd8f9 ffff88029211fba8
ffff880288632008
[  411.598011] Call Trace:
[  411.598011]  [<ffffffff811dd6f9>] hot_inode_item_free+0x29/0xa0
[  411.598011]  [<ffffffff811dd1d0>] ? hot_mem_limit_sum+0x10/0x10
[  411.598011]  [<ffffffff811dd79c>] hot_inode_item_put+0x2c/0x30
[  411.598011]  [<ffffffff811dd8f9>] hot_item_evict.part.5+0xa9/0x120
[  411.598011]  [<ffffffff811dd9aa>] hot_track_prune+0x3a/0x70
[  411.598011]  [<ffffffff81159f33>] shrink_slab+0x153/0x2f0
[  411.598011]  [<ffffffff81080cd3>] ? up_read+0x23/0x40
[  411.598011]  [<ffffffff8115d4d1>] balance_pgdat+0x491/0x5d0
[  411.598011]  [<ffffffff8115d7a0>] kswapd+0x190/0x470
[  411.598011]  [<ffffffff8107ca10>] ? wake_up_bit+0x40/0x40
[  411.598011]  [<ffffffff8115d610>] ? balance_pgdat+0x5d0/0x5d0
[  411.598011]  [<ffffffff8107c4fa>] kthread+0xea/0xf0
[  411.598011]  [<ffffffff8107c410>] ? flush_kthread_work+0x1b0/0x1b0
[  411.598011]  [<ffffffff818b9a1c>] ret_from_fork+0x7c/0xb0
[  411.598011]  [<ffffffff8107c410>] ? flush_kthread_work+0x1b0/0x1b0
[  411.598011] Code: 49 89 d0 49 83 c8 01 4c 89 07 48 89 d7 48 89 ca
48 8b 4a 08 49 89 d0 49 83 c8 01 48 85 c9 48 89 48 10 48 89 42 08 4c
89 07 74 0c <48> 8b 39 83 e7 01 48 09 c7 48 89 39 48 8b 08 48 89 0a 48
83 e1
[  411.598011] RIP  [<ffffffff8149952d>] rb_erase+0x1bd/0x390
[  411.598011]  RSP <ffff88029211fb38>
[  411.669881] ---[ end trace 89d346eca258dcf8 ]---

(gdb) l *rb_erase+0x1bd
0xffffffff8149952d is in rb_erase (include/linux/rbtree_augmented.h:101).
96    #define rb_is_red(rb)      __rb_is_red((rb)->__rb_parent_color)
97    #define rb_is_black(rb)    __rb_is_black((rb)->__rb_parent_color)
98
99    static inline void rb_set_parent(struct rb_node *rb, struct rb_node *p)
100    {
101        rb->__rb_parent_color = rb_color(rb) | (unsigned long)p;
102    }
103
104    static inline void rb_set_parent_color(struct rb_node *rb,
105                           struct rb_node *p, int color)
(gdb)

compile dir kernel-27 691MB in 14.26 seconds (48.50 MB/s)
create dir kernel-64334 222MB in 12.78 seconds (17.40 MB/s)
[ 1630.646485] BUG: unable to handle kernel NULL pointer dereference
at           (null)
[ 1630.647010] IP: [<ffffffff814993d2>] rb_erase+0x62/0x390
[ 1630.647010] PGD 289f78067 PUD 291de4067 PMD 0
[ 1630.647010] Oops: 0000 [#1] SMP
[ 1630.647010] Modules linked in:
[ 1630.647010] CPU: 0 PID: 24 Comm: kswapd0 Not tainted 3.11.0-rc7+ #1235
[ 1630.647010] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 1630.647010] task: ffff88029366df70 ti: ffff88029211e000 task.ti:
ffff88029211e000
[ 1630.647010] RIP: 0010:[<ffffffff814993d2>]  [<ffffffff814993d2>]
rb_erase+0x62/0x390
[ 1630.647010] RSP: 0018:ffff88029211fb38  EFLAGS: 00010282
[ 1630.647010] RAX: ffff8800a57b3a08 RBX: ffff8800a57b39c0 RCX: 0000000000000000
[ 1630.647010] RDX: ffff8800a57b3ad8 RSI: ffff88013011c000 RDI: ffff8800a57b3a08
[ 1630.647010] RBP: ffff88029211fb38 R08: ffff8801cd31b118 R09: 0000000000000000
[ 1630.647010] R10: ffff8800a57b3ad8 R11: 0000000000000000 R12: ffff88013011c000
[ 1630.647010] R13: ffff8800a57b3a00 R14: 0000000000003f58 R15: ffff8800a57b3a90
[ 1630.647010] FS:  0000000000000000(0000) GS:ffff88029fc00000(0000)
knlGS:0000000000000000
[ 1630.647010] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 1630.647010] CR2: 0000000000000000 CR3: 0000000256e71000 CR4: 00000000000006f0
[ 1630.647010] Stack:
[ 1630.647010]  ffff88029211fb68 ffffffff811dd6f9 ffff8800a57b39c0
ffff88013011c000
[ 1630.647010]  ffffffff811dd1d0 0000000000003f58 ffff88029211fb78
ffffffff811dd79c
[ 1630.647010]  ffff88029211fbe8 ffffffff811dd8f9 ffff88029211fba8
ffff88013011e008
[ 1630.647010] Call Trace:
[ 1630.647010]  [<ffffffff811dd6f9>] hot_inode_item_free+0x29/0xa0
[ 1630.647010]  [<ffffffff811dd1d0>] ? hot_mem_limit_sum+0x10/0x10
[ 1630.647010]  [<ffffffff811dd79c>] hot_inode_item_put+0x2c/0x30
[ 1630.647010]  [<ffffffff811dd8f9>] hot_item_evict.part.5+0xa9/0x120
[ 1630.647010]  [<ffffffff811dd9aa>] hot_track_prune+0x3a/0x70
[ 1630.647010]  [<ffffffff81159f33>] shrink_slab+0x153/0x2f0
[ 1630.647010]  [<ffffffff81080cd3>] ? up_read+0x23/0x40
[ 1630.647010]  [<ffffffff8115d4d1>] balance_pgdat+0x491/0x5d0
[ 1630.647010]  [<ffffffff8115d7a0>] kswapd+0x190/0x470
[ 1630.647010]  [<ffffffff8107ca10>] ? wake_up_bit+0x40/0x40
[ 1630.647010]  [<ffffffff8115d610>] ? balance_pgdat+0x5d0/0x5d0
[ 1630.647010]  [<ffffffff8107c4fa>] kthread+0xea/0xf0
[ 1630.647010]  [<ffffffff8107c410>] ? flush_kthread_work+0x1b0/0x1b0
[ 1630.647010]  [<ffffffff818b9a1c>] ret_from_fork+0x7c/0xb0
[ 1630.647010]  [<ffffffff8107c410>] ? flush_kthread_work+0x1b0/0x1b0
[ 1630.647010] Code: 8b 4a 10 48 85 c9 75 f1 4c 8b 4a 08 49 89 d2 4c
89 48 10 4c 89 42 08 49 8b 08 83 e1 01 48 09 d1 49 89 08 48 8b 4f 10
48 89 4a 10 <4c> 8b 01 41 83 e0 01 4d 09 d0 4c 89 01 48 8b 0f 49 89 c8
49 83
[ 1630.647010] RIP  [<ffffffff814993d2>] rb_erase+0x62/0x390
[ 1630.647010]  RSP <ffff88029211fb38>
[ 1630.647010] CR2: 0000000000000000
[ 1630.724782] ---[ end trace aec3e0601deedd6a ]---

60            inc.head = ACCESS_ONCE(lock->tickets.head);
(gdb) l *rb_erase+0x62
0xffffffff814993d2 is in rb_erase (include/linux/rbtree_augmented.h:101).
96    #define rb_is_red(rb)      __rb_is_red((rb)->__rb_parent_color)
97    #define rb_is_black(rb)    __rb_is_black((rb)->__rb_parent_color)
98
99    static inline void rb_set_parent(struct rb_node *rb, struct rb_node *p)
100    {
101        rb->__rb_parent_color = rb_color(rb) | (unsigned long)p;
102    }
103
104    static inline void rb_set_parent_color(struct rb_node *rb,
105                           struct rb_node *p, int color)
(gdb)


clean kernel-7 691MB in 0.42 seconds (1646.66 MB/s)
delete kernel-27 in 3.63 seconds
[  623.474634] BUG: unable to handle kernel paging request at fffffffffffffffc
[  623.475009] IP: [<ffffffff81499a10>] rb_insert_color+0xa0/0x170
[  623.475009] PGD 1e0c067 PUD 1e0e067 PMD 0
[  623.475009] Oops: 0000 [#1] SMP
[  623.475009] Modules linked in:
[  623.475009] CPU: 0 PID: 1696 Comm: btrfs-transacti Not tainted
3.11.0-rc7+ #1235
[  623.475009] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[  623.475009] task: ffff88028c691fd0 ti: ffff880291ef2000 task.ti:
ffff880291ef2000
[  623.475009] RIP: 0010:[<ffffffff81499a10>]  [<ffffffff81499a10>]
rb_insert_color+0xa0/0x170
[  623.475009] RSP: 0018:ffff880291ef3958  EFLAGS: 00010286
[  623.475009] RAX: fffffffffffffffc RBX: ffff880289ed0000 RCX: ffffffff820ea8c0
[  623.475009] RDX: ffff8801f83bd1e8 RSI: ffff880289ed0000 RDI: ffff8801f83bd1e9
[  623.475009] RBP: ffff880291ef3958 R08: ffff8801f83bd1e8 R09: 0000000000000001
[  623.475009] R10: 0000000000000000 R11: 0000000000000000 R12: ffff880289ed2008
[  623.475009] R13: ffff8802365b4ea0 R14: 0000000000000101 R15: ffff8802365b4e18
[  623.475009] FS:  0000000000000000(0000) GS:ffff88029fc00000(0000)
knlGS:0000000000000000
[  623.475009] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[  623.475009] CR2: fffffffffffffffc CR3: 0000000289ee2000 CR4: 00000000000006f0
[  623.475009] Stack:
[  623.475009]  ffff880291ef39a8 ffffffff811ddfc6 ffff880291ef3988
00000001813a5e52
[  623.475009]  ffff880291ef39c0 0000000000040000 0000000000040000
0000000000040000
[  623.475009]  7fffffffffffffff 0000000000000000 ffff880291ef3a08
ffffffff811de338
[  623.475009] Call Trace:
[  623.475009]  [<ffffffff811ddfc6>] hot_inode_item_lookup+0x166/0x1b0
[  623.475009]  [<ffffffff811de338>] hot_freqs_update+0x78/0x160
[  623.475009]  [<ffffffff81390c30>] ?
insert_reserved_file_extent.constprop.62+0x2c0/0x2c0
[  623.475009]  [<ffffffff811542fa>] do_writepages+0x6a/0xa0
[  623.475009]  [<ffffffff81148f19>] __filemap_fdatawrite_range+0x59/0x60
[  623.475009]  [<ffffffff81149d83>] filemap_fdatawrite_range+0x13/0x20
[  623.475009]  [<ffffffff813a571d>] btrfs_wait_ordered_range+0x4d/0x120
[  623.475009]  [<ffffffff813cca94>] __btrfs_write_out_cache+0x764/0x970
[  623.475009]  [<ffffffff813ccfe8>] btrfs_write_out_cache+0x98/0xf0
[  623.475009]  [<ffffffff8137bf50>] btrfs_write_dirty_block_groups+0x580/0x660
[  623.475009]  [<ffffffff813ac4e9>] ? free_extent_buffer+0x49/0xc0
[  623.475009]  [<ffffffff818a5f50>] commit_cowonly_roots+0x154/0x226
[  623.475009]  [<ffffffff8138c5b5>] btrfs_commit_transaction+0x445/0x950
[  623.475009]  [<ffffffff81383efd>] transaction_kthread+0x1bd/0x240
[  623.475009]  [<ffffffff81383d40>] ? cleaner_kthread+0x1a0/0x1a0
[  623.475009]  [<ffffffff8107c4fa>] kthread+0xea/0xf0
[  623.475009]  [<ffffffff8107c410>] ? flush_kthread_work+0x1b0/0x1b0
[  623.475009]  [<ffffffff818b9a1c>] ret_from_fork+0x7c/0xb0
[  623.475009]  [<ffffffff8107c410>] ? flush_kthread_work+0x1b0/0x1b0
[  623.475009] Code: 00 48 89 41 08 5d c3 0f 1f 40 00 48 89 d7 48 83
cf 01 48 89 39 48 89 38 48 8b 02 48 83 e0 fc 48 85 c0 48 89 02 0f 84
8e 00 00 00 <48> 8b 10 4c 89 c7 f6 c2 01 75 cf 48 8b 4a 08 49 89 d0 48
39 c8
[  623.475009] RIP  [<ffffffff81499a10>] rb_insert_color+0xa0/0x170
[  623.475009]  RSP <ffff880291ef3958>
[  623.475009] CR2: fffffffffffffffc
[  623.475009] ---[ end trace 0e8e9ac8daa97bd0 ]---

(gdb) l *rb_insert_color+0xa0
0xffffffff81499a10 is in rb_insert_color (lib/rbtree.c:89).
84             * want a red root or two consecutive red nodes.
85             */
86            if (!parent) {
87                rb_set_parent_color(node, NULL, RB_BLACK);
88                break;
89            } else if (rb_is_black(parent))
90                break;
91
92            gparent = rb_red_parent(parent);
93
(gdb)

create dir kernel-23 222MB in 6.01 seconds (37.00 MB/s)
[ 6622.862142] BUG: unable to handle kernel NULL pointer dereference
at           (null)
[ 6622.863012] IP: [<ffffffff81499488>] rb_erase+0x118/0x390
[ 6622.863012] PGD 231f4f067 PUD 238297067 PMD 0
[ 6622.863012] Oops: 0002 [#1] SMP
[ 6622.863012] Modules linked in:
[ 6622.863012] CPU: 0 PID: 24 Comm: kswapd0 Not tainted 3.11.0-rc7+ #1235
[ 6622.863012] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
[ 6622.863012] task: ffff88029366df70 ti: ffff88029211e000 task.ti:
ffff88029211e000
[ 6622.863012] RIP: 0010:[<ffffffff81499488>]  [<ffffffff81499488>]
rb_erase+0x118/0x390
[ 6622.863012] RSP: 0018:ffff88029211fb38  EFLAGS: 00010282
[ 6622.863012] RAX: ffff88019c1f1ee8 RBX: ffff88019c1f1d00 RCX: 0000000000000000
[ 6622.863012] RDX: ffff88017f964a08 RSI: ffff880233798000 RDI: ffff88019c1f1ee9
[ 6622.863012] RBP: ffff88029211fb38 R08: ffff88019c1f1ee8 R09: 0000000000000000
[ 6622.863012] R10: ffff88019c1f1e18 R11: 0000000000000000 R12: ffff880233798000
[ 6622.863012] R13: ffff88019c1f1d40 R14: 0000000000003d0c R15: ffff88019c1f1dd0
[ 6622.863012] FS:  0000000000000000(0000) GS:ffff88029fc00000(0000)
knlGS:0000000000000000
[ 6622.863012] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 6622.863012] CR2: 0000000000000000 CR3: 00000002336fc000 CR4: 00000000000006f0
[ 6622.863012] Stack:
[ 6622.863012]  ffff88029211fb68 ffffffff811dd6f9 ffff88019c1f1d00
ffff880233798000
[ 6622.863012]  ffffffff811dd1d0 0000000000003d0c ffff88029211fb78
ffffffff811dd79c
[ 6622.863012]  ffff88029211fbe8 ffffffff811dd8f9 ffff88029211fba8
ffff88023379a008
[ 6622.863012] Call Trace:
[ 6622.863012]  [<ffffffff811dd6f9>] hot_inode_item_free+0x29/0xa0
[ 6622.863012]  [<ffffffff811dd1d0>] ? hot_mem_limit_sum+0x10/0x10
[ 6622.863012]  [<ffffffff811dd79c>] hot_inode_item_put+0x2c/0x30
[ 6622.863012]  [<ffffffff811dd8f9>] hot_item_evict.part.5+0xa9/0x120
[ 6622.863012]  [<ffffffff811dd9aa>] hot_track_prune+0x3a/0x70
[ 6622.863012]  [<ffffffff81159f33>] shrink_slab+0x153/0x2f0
[ 6622.863012]  [<ffffffff81080cd3>] ? up_read+0x23/0x40
[ 6622.863012]  [<ffffffff8115d4d1>] balance_pgdat+0x491/0x5d0
[ 6622.863012]  [<ffffffff8115d7a0>] kswapd+0x190/0x470
[ 6622.863012]  [<ffffffff8107ca10>] ? wake_up_bit+0x40/0x40
[ 6622.863012]  [<ffffffff8115d610>] ? balance_pgdat+0x5d0/0x5d0
[ 6622.863012]  [<ffffffff8107c4fa>] kthread+0xea/0xf0
[ 6622.863012]  [<ffffffff8107c410>] ? flush_kthread_work+0x1b0/0x1b0
[ 6622.863012]  [<ffffffff818b9a1c>] ret_from_fork+0x7c/0xb0
[ 6622.863012]  [<ffffffff8107c410>] ? flush_kthread_work+0x1b0/0x1b0
[ 6622.863012] Code: e2 fc 74 ab 48 89 c1 48 89 d0 48 8b 50 08 48 39
ca 74 48 f6 02 01 75 b3 48 8b 4a 10 48 89 c7 48 83 cf 01 48 89 48 08
48 89 42 10 <48> 89 39 48 8b 38 48 89 3a 48 83 e7 fc 48 89 10 0f 84 02
01 00
[ 6622.863012] RIP  [<ffffffff81499488>] rb_erase+0x118/0x390
[ 6622.863012]  RSP <ffff88029211fb38>
[ 6622.863012] CR2: 0000000000000000
[ 6622.938771] ---[ end trace 75fedfe9cb5f4943 ]---

(gdb) l *rb_erase+0x118
0xffffffff81499488 is in rb_erase (include/linux/rbtree_augmented.h:107).
102    }
103
104    static inline void rb_set_parent_color(struct rb_node *rb,
105                           struct rb_node *p, int color)
106    {
107        rb->__rb_parent_color = (unsigned long)p | color;
108    }
109
110    static inline void
111    __rb_change_child(struct rb_node *old, struct rb_node *new,
(gdb)


>
> If you really feel this is a problem, you should explain why. I would
> also prefer if any checks you add could be limited to debug builds.
>
> --
> Michel "Walken" Lespinasse
> A program is never fully debugged until the last user dies.



-- 
Regards,

Zhi Yong Wu
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists