lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.LRH.2.02.1406271432430.18515@file01.intranet.prod.int.rdu2.redhat.com>
Date:	Fri, 27 Jun 2014 14:44:41 -0400 (EDT)
From:	Mikulas Patocka <mpatocka@...hat.com>
To:	Joe Thornber <thornber@...hat.com>
cc:	device-mapper development <dm-devel@...hat.com>,
	snitzer@...hat.com, linux-kernel@...r.kernel.org,
	Minfei Huang <huangminfei@...oud.cn>,
	linux-raid@...r.kernel.org, agk@...hat.com
Subject: Re: [dm-devel] [PATCH] dm-io: Prevent the danging point of the sync
 io callback function



On Fri, 27 Jun 2014, Joe Thornber wrote:

> On Fri, Jun 27, 2014 at 12:01:30PM +0800, Minfei Huang wrote:
> > The io address in callback function will become the danging point,
> > cause by the thread of sync io wakes up by other threads
> > and return to relieve the io address,
> 
> Yes, well found.  I prefer the following fix however.
> 
> - Joe

It seems ok.

The patch is too big, I think the only change that needs to be done to fix 
the bug is to replace "struct task_struct *sleeper;" with "struct 
completion *completion;", replace "if (io->sleeper) 
wake_up_process(io->sleeper);" with "if (io->completion) 
complete(io->completion);" and declare the completion in sync_io() and 
wait on it instead of "while (1)" loop there.

I suggest - split it to two patches, a minimal patch that fixes the bug by 
changing sleeper to completion and the second patch with remaining changes 
- so that only the first patch can be backported to stable kernels.

The smaller patch is less likely to produce conflicts (or bugs introduced 
by incorrectly resolved conflicts) when being backported.

Mikulas


> Author: Joe Thornber <ejt@...hat.com>
> Date:   Fri Jun 27 15:49:29 2014 +0100
> 
>     [dm-io] Fix a race condition in the wake up code for sync_io
>     
>     There's a race condition between the atomic_dec_and_test(&io->count)
>     in dec_count() and the waking of the sync_io() thread.  If the thread
>     is spuriously woken immediately after the decrement it may exit,
>     making the on the stack io struct invalid, yet the dec_count could
>     still be using it.
>     
>     There are smaller fixes than the one here (eg, just take the io object
>     off the stack).  But I feel this code could use a clean up.
>     
>     - simplify dec_count().
>     
>       - It always calls a callback fn now.
>       - It always frees the io object back to the pool.
>     
>     - sync_io()
>     
>       - Take the io object off the stack and allocate it from the pool the
>         same as async_io.
>       - Use a completion object rather than an explicit io_schedule()
>         loop.  The callback triggers the completion.
>     
>     Reported by: Minfei Huang
> 
> diff --git a/drivers/md/dm-io.c b/drivers/md/dm-io.c
> index 3842ac7..a0982e81 100644
> --- a/drivers/md/dm-io.c
> +++ b/drivers/md/dm-io.c
> @@ -10,6 +10,7 @@
>  #include <linux/device-mapper.h>
>  
>  #include <linux/bio.h>
> +#include <linux/completion.h>
>  #include <linux/mempool.h>
>  #include <linux/module.h>
>  #include <linux/sched.h>
> @@ -32,7 +33,6 @@ struct dm_io_client {
>  struct io {
>  	unsigned long error_bits;
>  	atomic_t count;
> -	struct task_struct *sleeper;
>  	struct dm_io_client *client;
>  	io_notify_fn callback;
>  	void *context;
> @@ -111,28 +111,27 @@ static void retrieve_io_and_region_from_bio(struct bio *bio, struct io **io,
>   * We need an io object to keep track of the number of bios that
>   * have been dispatched for a particular io.
>   *---------------------------------------------------------------*/
> -static void dec_count(struct io *io, unsigned int region, int error)
> +static void complete_io(struct io *io)
>  {
> -	if (error)
> -		set_bit(region, &io->error_bits);
> +	unsigned long error_bits = io->error_bits;
> +	io_notify_fn fn = io->callback;
> +	void *context = io->context;
>  
> -	if (atomic_dec_and_test(&io->count)) {
> -		if (io->vma_invalidate_size)
> -			invalidate_kernel_vmap_range(io->vma_invalidate_address,
> -						     io->vma_invalidate_size);
> +	if (io->vma_invalidate_size)
> +		invalidate_kernel_vmap_range(io->vma_invalidate_address,
> +					     io->vma_invalidate_size);
>  
> -		if (io->sleeper)
> -			wake_up_process(io->sleeper);
> +	mempool_free(io, io->client->pool);
> +	fn(error_bits, context);
> +}
>  
> -		else {
> -			unsigned long r = io->error_bits;
> -			io_notify_fn fn = io->callback;
> -			void *context = io->context;
> +static void dec_count(struct io *io, unsigned int region, int error)
> +{
> +	if (error)
> +		set_bit(region, &io->error_bits);
>  
> -			mempool_free(io, io->client->pool);
> -			fn(r, context);
> -		}
> -	}
> +	if (atomic_dec_and_test(&io->count))
> +		complete_io(io);
>  }
>  
>  static void endio(struct bio *bio, int error)
> @@ -375,48 +374,49 @@ static void dispatch_io(int rw, unsigned int num_regions,
>  	dec_count(io, 0, 0);
>  }
>  
> +struct sync_io {
> +	unsigned long error_bits;
> +	struct completion complete;
> +};
> +
> +static void sync_complete(unsigned long error, void *context)
> +{
> +	struct sync_io *sio = context;
> +	sio->error_bits = error;
> +	complete(&sio->complete);
> +}
> +
>  static int sync_io(struct dm_io_client *client, unsigned int num_regions,
>  		   struct dm_io_region *where, int rw, struct dpages *dp,
>  		   unsigned long *error_bits)
>  {
> -	/*
> -	 * gcc <= 4.3 can't do the alignment for stack variables, so we must
> -	 * align it on our own.
> -	 * volatile prevents the optimizer from removing or reusing
> -	 * "io_" field from the stack frame (allowed in ANSI C).
> -	 */
> -	volatile char io_[sizeof(struct io) + __alignof__(struct io) - 1];
> -	struct io *io = (struct io *)PTR_ALIGN(&io_, __alignof__(struct io));
> +	struct io *io;
> +	struct sync_io sio;
>  
>  	if (num_regions > 1 && (rw & RW_MASK) != WRITE) {
>  		WARN_ON(1);
>  		return -EIO;
>  	}
>  
> +	init_completion(&sio.complete);
> +
> +	io = mempool_alloc(client->pool, GFP_NOIO);
>  	io->error_bits = 0;
>  	atomic_set(&io->count, 1); /* see dispatch_io() */
> -	io->sleeper = current;
> +	io->callback = sync_complete;
> +	io->context = &sio;
>  	io->client = client;
>  
>  	io->vma_invalidate_address = dp->vma_invalidate_address;
>  	io->vma_invalidate_size = dp->vma_invalidate_size;
>  
>  	dispatch_io(rw, num_regions, where, dp, io, 1);
> -
> -	while (1) {
> -		set_current_state(TASK_UNINTERRUPTIBLE);
> -
> -		if (!atomic_read(&io->count))
> -			break;
> -
> -		io_schedule();
> -	}
> -	set_current_state(TASK_RUNNING);
> +	wait_for_completion_io(&sio.complete);
>  
>  	if (error_bits)
> -		*error_bits = io->error_bits;
> +		*error_bits = sio.error_bits;
>  
> -	return io->error_bits ? -EIO : 0;
> +	return sio.error_bits ? -EIO : 0;
>  }
>  
>  static int async_io(struct dm_io_client *client, unsigned int num_regions,
> @@ -434,7 +434,6 @@ static int async_io(struct dm_io_client *client, unsigned int num_regions,
>  	io = mempool_alloc(client->pool, GFP_NOIO);
>  	io->error_bits = 0;
>  	atomic_set(&io->count, 1); /* see dispatch_io() */
> -	io->sleeper = NULL;
>  	io->client = client;
>  	io->callback = fn;
>  	io->context = context;
> 
> --
> dm-devel mailing list
> dm-devel@...hat.com
> https://www.redhat.com/mailman/listinfo/dm-devel
> 
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ