lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 21 Nov 2014 22:48:57 -0800 From: Shaohua Li <shli@...nel.org> To: linux-kernel@...r.kernel.org Cc: Jens Axboe <axboe@...com>, Tejun Heo <tj@...nel.org>, Kent Overstreet <kmo@...erainc.com> Subject: [PATCH] percpu-ref: correctly get percpu pointer I saw randam system hang testing virtio with blk-mq enabled and cpu hotplug runing in the background. It turns out __ref_is_percpu() doesn't always return correct percpu pointer. percpu_ref_put() calls __ref_is_percpu(), which checks __PERCPU_REF_ATOMIC. After this check, the __PERCPU_REF_ATOMIC or __PERCPU_REF_DEAD might be set, so we must exclude the two bits from the percpu pointer. Fortunately we can still use percpu data for percpu_ref_put() even this happens, because the final transistion from percpu to atomic occurs at rcu context while __ref_is_percpu() is always called with rcu read lock protected. CC: Jens Axboe <axboe@...com> CC: Tejun Heo <tj@...nel.org> CC: Kent Overstreet <kmo@...erainc.com> Signed-off-by: Shaohua Li <shli@...com> --- include/linux/percpu-refcount.h | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/include/linux/percpu-refcount.h b/include/linux/percpu-refcount.h index d5c89e0..6beee08 100644 --- a/include/linux/percpu-refcount.h +++ b/include/linux/percpu-refcount.h @@ -136,7 +136,14 @@ static inline bool __ref_is_percpu(struct percpu_ref *ref, if (unlikely(percpu_ptr & __PERCPU_REF_ATOMIC)) return false; - *percpu_countp = (unsigned long __percpu *)percpu_ptr; + /* + * At this point ATOMIC or DEAD might be set when percpu_ref_kill() is + * running. It's still safe to use percpu here, because the final + * transition from percpu to atomic occurs at rcu context while this + * routine is protected with rcu read lock. + */ + *percpu_countp = (unsigned long __percpu *)(percpu_ptr & + ~__PERCPU_REF_ATOMIC_DEAD); return true; } -- 1.8.3.2 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists