lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <a3d58f0b-145f-1e70-434f-e97e1f08ebcf@redhat.com>
Date:   Sat, 11 Jan 2020 12:03:30 +0100
From:   David Hildenbrand <david@...hat.com>
To:     Dan Williams <dan.j.williams@...el.com>
Cc:     Andrew Morton <akpm@...ux-foundation.org>,
        stable <stable@...r.kernel.org>,
        Vishal Verma <vishal.l.verma@...el.com>,
        Pavel Tatashin <pasha.tatashin@...een.com>,
        Michal Hocko <mhocko@...e.com>,
        Dave Hansen <dave.hansen@...ux.intel.com>,
        Linux MM <linux-mm@...ck.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Greg KH <gregkh@...uxfoundation.org>
Subject: Re: [PATCH v4] mm/memory_hotplug: Fix remove_memory() lockdep splat

>>> Cc: <stable@...r.kernel.org>
>>
>> I am not convinced this can actually happen. I explained somewhere else
>> already why a similar locksplat (reported by Pavel IIRC) on the ordinary
>> memory removal path is a false positive (because the device hotplug lock
>> actually protects us from such conditions). Can you elaborate why this
>> is stable material (and explain my tired eyes how the issue will
>> actually happen in real life)?
> 
> I don't mind waiting for it to soak a while upstream before heading
> back to -stable, and it's possible the kn->count entanglement is on a
> kobject in a different part of the sysfs hierarchy, but I haven't
> proven that. So, it's a toss up. I think the backport risk is low, but
> we can validate that with some upstream soak time.

So I just remember why I think this (and the previously reported done
for ACPI DIMMs) are false positives. The actual locking order is

onlining/offlining from user space:

kn->count -> device_hotplug_lock -> cpu_hotplug_lock -> mem_hotplug_lock

memory removal:

device_hotplug_lock -> cpu_hotplug_lock -> mem_hotplug_lock -> kn->count


This looks like a locking inversion - but it's not. Whenever we come via
user space we do a mutex_trylock(), which resolves this issue by backing
up. The device_hotplug_lock will prevent

I have no clue why the device_hotplug_lock does not pop up in the
lockdep report here. Sounds wrong to me.

I think this is a false positive and not stable material.

> 
>>
>> [...]
>>>
>>>  When adding/removing memory that uses memory block devices (i.e. ordinary RAM),
>>> -the device_hotplug_lock should be held to:
>>> +the device_hotplug_lock is held to:
>>>
>>>  - synchronize against online/offline requests (e.g. via sysfs). This way, memory
>>>    block devices can only be accessed (.online/.state attributes) by user
>>> -  space once memory has been fully added. And when removing memory, we
>>> -  know nobody is in critical sections.
>>> +  space once memory has been fully added. And when removing memory, the
>>> +  memory block device is invalidated (mem->section count set to 0) under the
>>> +  lock to abort any in-flight online requests.
>>
>> I don't think this is needed. See below.
>>
>>>  - synchronize against CPU hotplug and similar (e.g. relevant for ACPI and PPC)
>>>
>>>  Especially, there is a possible lock inversion that is avoided using
>>> @@ -112,7 +113,13 @@ can result in a lock inversion.
>>>
>>>  onlining/offlining of memory should be done via device_online()/
>>>  device_offline() - to make sure it is properly synchronized to actions
>>> -via sysfs. Holding device_hotplug_lock is advised (to e.g. protect online_type)
>>> +via sysfs. Holding device_hotplug_lock is required to prevent online racing
>>> +removal. The device_hotplug_lock and memblock invalidation allows
>>> +remove_memory_block_devices() to run outside of mem_hotplug_lock to avoid lock
>>> +dependency conflicts with memblock-sysfs teardown. The add_memory() path
>>> +performs create_memory_block_devices() under mem_hotplug_lock so that if it
>>> +fails it can perform an arch_remove_memory() cleanup. There are no known lock
>>> +dependency problems with memblock-sysfs setup.
>>>
>>>  When adding/removing/onlining/offlining memory or adding/removing
>>>  heterogeneous/device memory, we should always hold the mem_hotplug_lock in
>>> diff --git a/drivers/base/core.c b/drivers/base/core.c
>>> index 42a672456432..5d5036370c92 100644
>>> --- a/drivers/base/core.c
>>> +++ b/drivers/base/core.c
>>> @@ -1146,6 +1146,11 @@ void unlock_device_hotplug(void)
>>>       mutex_unlock(&device_hotplug_lock);
>>>  }
>>>
>>> +void assert_held_device_hotplug(void)
>>> +{
>>> +     lockdep_assert_held(&device_hotplug_lock);
>>> +}
>>> +
>>>  int lock_device_hotplug_sysfs(void)
>>>  {
>>>       if (mutex_trylock(&device_hotplug_lock))
>>> diff --git a/drivers/base/memory.c b/drivers/base/memory.c
>>> index 799b43191dea..91c6fbd2383e 100644
>>> --- a/drivers/base/memory.c
>>> +++ b/drivers/base/memory.c
>>> @@ -280,6 +280,10 @@ static int memory_subsys_online(struct device *dev)
>>>       if (mem->state == MEM_ONLINE)
>>>               return 0;
>>>
>>> +     /* online lost the race with hot-unplug, abort */
>>> +     if (!mem->section_count)
>>> +             return -ENXIO;
>>> +
>>
>> Huh, why is that needed? There is pages_correctly_probed(), which checks
>> that all sections are present already (but I also have a patch to rework
>> that in my queue, because it looks like it's not needed in the current
>> state).
> 
> I chose "mem->section_count = 0" as the invalidation event because
> that attribute is tied to the memory block itself and for symmetry
> with the offline path. More below...
> 
>>
>> (Especially, I don't see why this is necessary in the context of this
>> patch - nothing changed in that regard. Also, checks against "device
>> already removed" should logically belong into
>> device_online()/device_offline().
> 
> The scenario is that userspace races two threads one calling offline
> and the other calling online. Likely no, possible yes. Offline thread
> wins the race, but not before online thread gets to the lock in
> state_store(). Offline thread completes the teardown and unlocks.
> Online thread starts operating on a zombie memory-block-device until
> it notices the memory associated with that device is not suitable to
> online.
> 
> For symmetry with memory_subsys_offline() (that prevents the loser of
> a race of 2 threads running offline from continuing to operate on a
> zombie memory-block with a ->section_count check) I added a
> ->section_count check to memory_subsys_online().

1. The section_count check is in place to disallow offlining memory
blocks with missing sections. (see 26bbe7ef6d5c ("drivers/base/memory.c:
prohibit offlining of memory blocks with missing sections")). Not to
deal with any races/zombie blocks.

2. offlining/onlining racing is completely irrelevant. state_store() and
online_store() do a lock_device_hotplug_sysfs(), which is a trylock. The
looser will simply back off. device_online() and device_offline()
properly deal with the block already being in the desired state.

3. zombie blocks are interesting, but I am not convinced yet this is an
actual issue - we've never seen it happening. I *think* it could work
due to the trylock correctly (pending requests will back off while
another thread is removing them), but I am not convinced there is no
tiny little race. Anyhow, we have pages_correctly_probed() which will
bail out properly already if the sections have been removed in the
meantime. Also, I think we should deal with zombie blocks differently if
required (more below).

I think this hunk does logically not belong into this patch and is also
not needed (due to pages_correctly_probed() in memory_block_action()).
Please drop it from this patch (including the documentation update
regarding this).

> 
>> Other subsystems should have similar issues, no?)
> 
> Not many subsystems have a sysfs attribute that can trigger the
> unregistration of the self same attribute, but yes, I've seen it cause
> problems.
> 
> For example, async device probing and registration causes similar
> issues and was only recently fixed:
> 
> 3451a495ef24 driver core: Establish order of operations for device_add
> and device_del via bitflag

I feel like we should have a -> removed property on devices and check
against that in device_online() and device_offline(). But only if there
isn't another magical mechanism that deals with zombie devices and
pending online/offline requests.

> 
>>
>>>       /*
>>>        * If we are called from state_store(), online_type will be
>>>        * set >= 0 Otherwise we were called from the device online
>>> @@ -736,8 +740,6 @@ int create_memory_block_devices(unsigned long start, unsigned long size)
>>>   * Remove memory block devices for the given memory area. Start and size
>>>   * have to be aligned to memory block granularity. Memory block devices
>>>   * have to be offline.
>>> - *
>>> - * Called under device_hotplug_lock.
>>>   */
>>
>> Why is that change needed? Especially with the radix tree rework, this
>> lock is required on this call path. Removing this looks wrong to me.
> 
> I'm not removing the dependency I'm trading the comment for a call to
> assert_held_device_hotplug(). I'm ok with keeping the comment, but the
> explicit lockdep assertion helps the future developer that refactors
> and inadvertently misses the comment.
> 

Ah, I missed that you placed the assert into that function, sorry
(thought it would be in the caller). We document it for most other
functions in that file now, so I'd prefer to just keep it. Whatever you
prefer.


-- 
Thanks,

David / dhildenb

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ