lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20160118065434.GB459@swordfish>
Date:	Mon, 18 Jan 2016 15:54:34 +0900
From:	Sergey Senozhatsky <sergey.senozhatsky.work@...il.com>
To:	Minchan Kim <minchan@...nel.org>
Cc:	Junil Lee <junil0814.lee@....com>, ngupta@...are.org,
	sergey.senozhatsky.work@...il.com, akpm@...ux-foundation.org,
	linux-mm@...ck.org, linux-kernel@...r.kernel.org, vbabka@...e.cz
Subject: Re: [PATCH v3] zsmalloc: fix migrate_zspage-zs_free race condition

On (01/18/16 15:36), Minchan Kim wrote:
[..]
> > --- a/mm/zsmalloc.c
> > +++ b/mm/zsmalloc.c
> > @@ -1635,8 +1635,8 @@ static int migrate_zspage(struct zs_pool *pool, struct size_class *class,
> >  		free_obj = obj_malloc(d_page, class, handle);
> >  		zs_object_copy(free_obj, used_obj, class);
> >  		index++;
> > +		/* This also effectively unpins the handle */
> 
> As reply of Vlastimil, I relied that I guess it doesn't work.
> We shouldn't omit unpin_tag and we should add WRITE_ONCE in
> record_obj.
> 
> As well, it's worth to dobule check with locking guys.
> I will send updated version.

but would WRITE_ONCE() tell the compiler that there is a dependency?
__write_once_size() does not even issue a barrier for sizes <= 8 (our
case).

include/linux/compiler.h

static __always_inline void __write_once_size(volatile void *p, void *res, int size)
{
	switch (size) {
	case 1: *(volatile __u8 *)p = *(__u8 *)res; break;
	case 2: *(volatile __u16 *)p = *(__u16 *)res; break;
	case 4: *(volatile __u32 *)p = *(__u32 *)res; break;
	case 8: *(volatile __u64 *)p = *(__u64 *)res; break;
	default:
		barrier();
		__builtin_memcpy((void *)p, (const void *)res, size);
		barrier();
	}
}

#define WRITE_ONCE(x, val) \
({							\
	union { typeof(x) __val; char __c[1]; } __u =	\
		{ .__val = (__force typeof(x)) (val) }; \
	__write_once_size(&(x), __u.__c, sizeof(x));	\
	__u.__val;					\
})


so, even if clear_bit_unlock/test_and_set_bit_lock do smp_mb or
barrier(), there is no corresponding barrier from record_obj()->WRITE_ONCE().
so I don't think WRITE_ONCE() will help the compiler, or am I missing
something?

.... add a barrier() to record_obj()?

	-ss

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ