From: Trond Myklebust <trond.myklebust@fys.uio.no>
To: Neil Brown <neilb@suse.de>
Cc: linux-nfs@vger.kernel.org
Subject: Re: Another possible race in put_rpccred / rpcauth_unhash_cred
Date: Thu, 19 Nov 2009 10:33:38 -0500 [thread overview]
Message-ID: <1258644818.30333.13.camel@localhost> (raw)
In-Reply-To: <19203.18009.945354.446817-wvvUuzkyo1EYVZTmpyfIwg@public.gmane.org>
On Wed, 2009-11-18 at 11:56 +1100, Neil Brown wrote:
> Hi again Trond,
>
> I've been looking at a customer report of an oops in
> rpcauth_lookup_credcache.
> https://bugzilla.novell.com/show_bug.cgi?id=547137
>
> It appears that one of the hash chains in the cache has become
> corrupted.
>
> In trying to guess how this might happen, the one possibility I have
> found is that it might be possible for hlist_del_rcu to be called on
> an rpc_cred that is not hashed. This certainly could cause list
> corruption.
>
> put_rpccred checks if the cred is hashed (RPCAUTH_CRED_HASHED) and if
> not, it takes a lock and then - if the cred it not uptodate -
> calls rpcauth_unhash_cred which will call hlist_del_rcu.
> If some other thread unhashed the cred while this thread was waiting
> for rpc_credcache_lock, we could get list corruption.
>
> The kernel in question did not have commit 5f707eb429 which claims to
> fix a race in much the same place, however I don't think that patch
> would fix this problem.
>
> I think the simplest fix would be to use hlist_del_init_rcu in place
> of hlist_del_rcu as shown below. That version protects again
> deleting the same element multiple times.
>
> Do you agree with this fix?
>
> Thanks,
> NeilBrown
>
>
>
> diff --git a/net/sunrpc/auth.c b/net/sunrpc/auth.c
> index 54a4e04..323eff6 100644
> --- a/net/sunrpc/auth.c
> +++ b/net/sunrpc/auth.c
> @@ -118,7 +118,7 @@ static DEFINE_SPINLOCK(rpc_credcache_lock);
> static void
> rpcauth_unhash_cred_locked(struct rpc_cred *cred)
> {
> - hlist_del_rcu(&cred->cr_hash);
> + hlist_del_init_rcu(&cred->cr_hash);
> smp_mb__before_clear_bit();
> clear_bit(RPCAUTH_CRED_HASHED, &cred->cr_flags);
> }
Hmm... Why not simply convert that 'clear_bit()' into a
'test_and_clear_bit()' and have it protect the hlist_del_rcu?
I can't see anything that would break if we do this. There doesn't seem
to be anything that explicitly depends on the ordering of those two
operations...
Cheers
Trond
next prev parent reply other threads:[~2009-11-19 15:33 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-11-18 0:56 Another possible race in put_rpccred / rpcauth_unhash_cred Neil Brown
[not found] ` <19203.18009.945354.446817-wvvUuzkyo1EYVZTmpyfIwg@public.gmane.org>
2009-11-19 15:33 ` Trond Myklebust [this message]
2009-11-20 16:48 ` Trond Myklebust
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1258644818.30333.13.camel@localhost \
--to=trond.myklebust@fys.uio.no \
--cc=linux-nfs@vger.kernel.org \
--cc=neilb@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox