lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20180718104408.GA15068@krava>
Date:   Wed, 18 Jul 2018 12:44:08 +0200
From:   Jiri Olsa <jolsa@...hat.com>
To:     Namhyung Kim <namhyung@...nel.org>
Cc:     Jiri Olsa <jolsa@...nel.org>,
        Arnaldo Carvalho de Melo <acme@...nel.org>,
        lkml <linux-kernel@...r.kernel.org>,
        Ingo Molnar <mingo@...nel.org>,
        David Ahern <dsahern@...il.com>,
        Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
        Peter Zijlstra <a.p.zijlstra@...llo.nl>,
        Kan Liang <kan.liang@...el.com>,
        Andi Kleen <ak@...ux.intel.com>,
        Lukasz Odzioba <lukasz.odzioba@...el.com>,
        Wang Nan <wangnan0@...wei.com>, kernel-team@....com
Subject: Re: [PATCH 1/4] perf tools: Fix struct comm_str removal crash

On Tue, Jul 17, 2018 at 11:02:45AM +0200, Jiri Olsa wrote:

SNIP

> +/*
> + * Pure refs increase without any chec/warn.
> + */
> +static inline void refcount_inc_no_warn(refcount_t *r)
> +{
> +	atomic_inc(&r->refs);
> +}
> +
>  /*
>   * Similar to atomic_dec_and_test(), it will WARN on underflow and fail to
>   * decrement when saturated at UINT_MAX.
> diff --git a/tools/perf/util/comm.c b/tools/perf/util/comm.c
> index 7798a2cc8a86..a2e338cf29d7 100644
> --- a/tools/perf/util/comm.c
> +++ b/tools/perf/util/comm.c
> @@ -21,7 +21,7 @@ static struct rw_semaphore comm_str_lock = {.lock = PTHREAD_RWLOCK_INITIALIZER,}
>  static struct comm_str *comm_str__get(struct comm_str *cs)
>  {
>  	if (cs)
> -		refcount_inc(&cs->refcnt);
> +		refcount_inc_no_warn(&cs->refcnt);
>  	return cs;
>  }
>  
> @@ -29,10 +29,12 @@ static void comm_str__put(struct comm_str *cs)
>  {
>  	if (cs && refcount_dec_and_test(&cs->refcnt)) {
>  		down_write(&comm_str_lock);
> -		rb_erase(&cs->rb_node, &comm_str_root);
> +		if (refcount_read(&cs->refcnt) == 0) {
> +			rb_erase(&cs->rb_node, &comm_str_root);
> +			zfree(&cs->str);
> +			free(cs);
> +		}
>  		up_write(&comm_str_lock);
> -		zfree(&cs->str);
> -		free(cs);
>  	}
>  }
>  

I'm still getting crashes with this code, there's another race
in comm_str__put, consider following paths (with 'cs' struct comm_str data):

thread 0:
  ...
  comm_str__put
    refcount_dec_and_test(&cs->refcnt) == true
    down_write(&comm_str_lock);
--> cs->refcnt == 0, but we are blocked and waiting for the lock to remove cs, and meanwhile:

	thread 1:
	  ...
	  __comm_str__findnew(...
	    comm_str__get(cs)
----------> cs->refcnt == 1

	thread 2:
	  ...
	  comm_str__put
	    refcount_dec_and_test(&cs->refcnt) == true
----------> cs->refcnt == 0, thread 2 gets the lock and removes cs
	  ...


thread 0:
  ...
--> comm_str__put gets the lock and removes 'cs' which aborts with double free


we don't have this problem if we ignore objects that dropped to
refcnt == 0, which was what my previous change was doing

jirka

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ