| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20191206160238.GE2889@paulmck-ThinkPad-P72>
Date: Fri, 6 Dec 2019 08:02:38 -0800
From: "Paul E. McKenney" <paulmck@...nel.org>
To: madhuparnabhowmik04@...il.com
Cc: trond.myklebust@...merspace.com, anna.schumaker@...app.com,
joel@...lfernandes.org, linux-nfs@...r.kernel.org,
rcu@...r.kernel.org,
linux-kernel-mentees@...ts.linuxfoundation.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH 2/2] fs: nfs: dir.c: Fix sparse error
On Fri, Dec 06, 2019 at 08:46:40PM +0530, madhuparnabhowmik04@...il.com wrote:
> From: Madhuparna Bhowmik <madhuparnabhowmik04@...il.com>
>
> This patch fixes the following errors:
> fs/nfs/dir.c:2353:14: error: incompatible types in comparison expression (different address spaces):
> fs/nfs/dir.c:2353:14: struct list_head [noderef] <asn:4> *
> fs/nfs/dir.c:2353:14: struct list_head *
>
> caused due to directly accessing the prev pointer of
> a RCU protected list.
> Accessing the pointer using the macro list_prev_rcu() fixes this error.
>
> Signed-off-by: Madhuparna Bhowmik <madhuparnabhowmik04@...il.com>
> ---
> fs/nfs/dir.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c
> index e180033e35cf..2035254cc283 100644
> --- a/fs/nfs/dir.c
> +++ b/fs/nfs/dir.c
> @@ -2350,7 +2350,7 @@ static int nfs_access_get_cached_rcu(struct inode *inode, const struct cred *cre
> rcu_read_lock();
> if (nfsi->cache_validity & NFS_INO_INVALID_ACCESS)
> goto out;
> - lh = rcu_dereference(nfsi->access_cache_entry_lru.prev);
> + lh = rcu_dereference(list_prev_rcu(&nfsi->access_cache_entry_lru));
And as noted in the earlier email, what is preventing concurrent
insertions into and deletions from this list?
o This use of list_move_tail() is OK because it does not poison.
Though it isn't being all that friendly to lockless access to
->prev -- no WRITE_ONCE() in list_move_tail().
o The use of list_add_tail() is not safe with RCU readers, though
they do at least partially compensate via use of smp_wmb()
in nfs_access_add_cache() before calling nfs_access_add_rbtree().
o The list_del() near the end of nfs_access_add_rbtree() will
poison the ->prev pointer. I don't see how this is safe given the
possibility of a concurrent call to nfs_access_get_cached_rcu().
> cache = list_entry(lh, struct nfs_access_entry, lru);
> if (lh == &nfsi->access_cache_entry_lru ||
> cred != cache->cred)
And a few lines below here, it really does dereference the pointer
obtained from ->prev!
So how to really fix this? Here is one possibility, but we of course
need to get the NFS developers' and maintainers' thoughts:
o Create a list that is safe for bidirectional RCU traversal.
This can use list_head, and would need these functions,
give or take the exact names:
list_add_tail_rcuprev(): This is like list_add_tail_rcu(),
but also has smp_store_release() for ->prev. (As in there is
also a __list_add_rcuprev() helper that actually contains the
additional smp_store_release().)
list_del_rcuprev(): This can be exactly __list_del_entry(),
but with the assignment to ->prev in __list_del() becoming
WRITE_ONCE(). And it looks like callers to __list_del_entry()
and __list_del() might need some attention! And these might
result in additional users of *_rcuprev().
list_prev_rcu() as in your first patch, but with READ_ONCE().
Otherwise DEC Alpha can fail. And more subtle compiler issues
can appear on other architectures.
Note that list_move_tail() will be OK give or take *_ONCE().
It might be better to define a list_move_tail_rcuprev(), given
the large number of users of list_move_tail() -- some of these
users might not like even the possibility of added overhead due
to volatile accesses. ;-)
Or am I missing something subtle here?
Thanx, Paul
Powered by blists - more mailing lists