From: David Howells <dhowells@redhat.com>
To: Eric Biggers <ebiggers@kernel.org>
Cc: dhowells@redhat.com, amit@kernel.org, arnd@arndb.de,
syzbot <syzbot+d37abaade33a934f16f2@syzkaller.appspotmail.com>,
gregkh@linuxfoundation.org, jannh@google.com,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
miklos@szeredi.hu, rostedt@goodmis.org,
syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk,
virtualization@lists.linux-foundation.org, willy@infradead.org
Subject: Re: kernel BUG at fs/pipe.c:LINE!
Date: Thu, 05 Dec 2019 13:06:30 +0000 [thread overview]
Message-ID: <27081.1575551190@warthog.procyon.org.uk> (raw)
In-Reply-To: <20191205072838.GA3237@sol.localdomain>
Eric Biggers <ebiggers@kernel.org> wrote:
> static __poll_t
> pipe_poll(struct file *filp, poll_table *wait)
> {
> __poll_t mask;
> struct pipe_inode_info *pipe = filp->private_data;
> unsigned int head = READ_ONCE(pipe->head);
> unsigned int tail = READ_ONCE(pipe->tail);
>
> poll_wait(filp, &pipe->wait, wait);
>
> BUG_ON(pipe_occupancy(head, tail) > pipe->ring_size);
>
> It's not holding the pipe mutex, right? So 'head', 'tail' and 'ring_size' can
> all be changed concurrently, and they aren't read atomically with respect to
> each other.
>
> How do you propose to implement poll() correctly with the new head + tail
> approach? Just take the mutex?
Firstly, the BUG_ON() check probably isn't necessary here - the same issue
with occupancy being seen to be greater than the queue depth existed
previously (there was no locking around the read of pipe->nrbufs and
pipe->buffers). I added a sanity check.
Secondly, it should be possible to make it such that just the spinlock
suffices. The following few patches make the main pipe read/write routines
use the spinlock so as not to be interfered with by notification insertion.
I didn't roll the spinlock out to splice and suchlike since I prohibit
splicing to a notifications pipe because of the iov_iter_revert() fun.
David
prev parent reply other threads:[~2019-12-05 13:06 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-02 6:45 kernel BUG at fs/pipe.c:LINE! syzbot
2019-12-05 5:40 ` Eric Biggers
2019-12-05 7:28 ` Eric Biggers
2019-12-05 13:06 ` David Howells [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=27081.1575551190@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=amit@kernel.org \
--cc=arnd@arndb.de \
--cc=ebiggers@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=jannh@google.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=rostedt@goodmis.org \
--cc=syzbot+d37abaade33a934f16f2@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=viro@zeniv.linux.org.uk \
--cc=virtualization@lists.linux-foundation.org \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox