* Re: [patch 103/147] lib/string: optimized memset [not found] ` <CAHk-=wjza9+kJJfDXtnQ4YkS637+8H4QZ1tTGRfr39_abkSV-A@mail.gmail.com> @ 2021-09-09 10:27 ` Matteo Croce 0 siblings, 0 replies; 3+ messages in thread From: Matteo Croce @ 2021-09-09 10:27 UTC (permalink / raw) To: Linus Torvalds Cc: linux-kernel, Andrew Morton, David Laight, drew, Guo Ren, Christoph Hellwig, kernel, Linux-MM, mcroce, mick, mm-commits, Nick Desaulniers, Palmer Dabbelt On Wed, 8 Sep 2021 11:34:27 -0700 Linus Torvalds <torvalds@linux-foundation.org> wrote: > I'm dropping this one just to be consistent, although for memset() > it's possibly a bit more reasonable to fall back on some default. > > But probably not. memcpy and memset really are *so* special that these > generic versions should be considered to be "stupid placeholders for > bringup, and nothing more". > > On Tue, Sep 7, 2021 at 7:58 PM Andrew Morton > <akpm@linux-foundation.org> wrote: > > > > On a RISC-V machine the speed goes from 140 Mb/s to 241 Mb/s, and > > this the binary size increase according to bloat-o-meter: > > I also react to the benchmark numbers: RISC-V already has > > #define __HAVE_ARCH_MEMSET > #define __HAVE_ARCH_MEMCPY > #define __HAVE_ARCH_MEMMOVE > > in its <asm/string.h> file, so these are just odd. > > Did you benchmark these generic functions on their own, rather than > the ones that actually get *used*? > > Linus I benchmarked against the generic routines. The RISC-V specific are even slower than the generic ones, because generates lot of unaligned accesses. That was the whole point of the series initially. These C routines should have replaced the risc-v specific assembly ones, but then it was proposed to use them as generic: https://lore.kernel.org/linux-riscv/YNChl0tkofSGzvIX@infradead.org/ -- per aspera ad upstream ^ permalink raw reply [flat|nested] 3+ messages in thread
[parent not found: <20210908030026.2dLZCmkE4%akpm@linux-foundation.org>]
* Re: [patch 136/147] nilfs2: use refcount_dec_and_lock() to fix potential UAF [not found] ` <20210908030026.2dLZCmkE4%akpm@linux-foundation.org> @ 2021-09-24 10:35 ` Pavel Machek 2021-09-24 11:09 ` Ryusuke Konishi 0 siblings, 1 reply; 3+ messages in thread From: Pavel Machek @ 2021-09-24 10:35 UTC (permalink / raw) To: linux-kernel, stable Cc: akpm, konishi.ryusuke, linux-mm, mm-commits, thunder.leizhen, torvalds [-- Attachment #1: Type: text/plain, Size: 2087 bytes --] Hi! > From: Zhen Lei <thunder.leizhen@huawei.com> > Subject: nilfs2: use refcount_dec_and_lock() to fix potential UAF > > When the refcount is decreased to 0, the resource reclamation branch is > entered. Before CPU0 reaches the race point (1), CPU1 may obtain the > spinlock and traverse the rbtree to find 'root', see nilfs_lookup_root(). > Although CPU1 will call refcount_inc() to increase the refcount, it is > obviously too late. CPU0 will release 'root' directly, CPU1 then accesses > 'root' and triggers UAF. > > Use refcount_dec_and_lock() to ensure that both the operations of decrease > refcount to 0 and link deletion are lock protected eliminates this risk. > > CPU0 CPU1 > nilfs_put_root(): > <-------- (1) > spin_lock(&nilfs->ns_cptree_lock); > rb_erase(&root->rb_node, &nilfs->ns_cptree); > spin_unlock(&nilfs->ns_cptree_lock); > > kfree(root); > <-------- use-after-free > There is no reproduction program, and the above is only theoretical > analysis. Ok, so we have a theoretical bug, and fix already on its way to stable. But ... is it correct? > +++ a/fs/nilfs2/the_nilfs.c > @@ -792,14 +792,13 @@ nilfs_find_or_create_root(struct the_nil > > void nilfs_put_root(struct nilfs_root *root) > { > - if (refcount_dec_and_test(&root->count)) { > - struct the_nilfs *nilfs = root->nilfs; > + struct the_nilfs *nilfs = root->nilfs; > > - nilfs_sysfs_delete_snapshot_group(root); > - > - spin_lock(&nilfs->ns_cptree_lock); > + if (refcount_dec_and_lock(&root->count, &nilfs->ns_cptree_lock)) { > rb_erase(&root->rb_node, &nilfs->ns_cptree); > spin_unlock(&nilfs->ns_cptree_lock); > + > + nilfs_sysfs_delete_snapshot_group(root); > iput(root->ifile); > > kfree(root); spin_lock() is deleted, but spin_unlock() is not affected. This means unbalanced locking, right? Best regards, Pavel -- DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany [-- Attachment #2: signature.asc --] [-- Type: application/pgp-signature, Size: 195 bytes --] ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [patch 136/147] nilfs2: use refcount_dec_and_lock() to fix potential UAF 2021-09-24 10:35 ` [patch 136/147] nilfs2: use refcount_dec_and_lock() to fix potential UAF Pavel Machek @ 2021-09-24 11:09 ` Ryusuke Konishi 0 siblings, 0 replies; 3+ messages in thread From: Ryusuke Konishi @ 2021-09-24 11:09 UTC (permalink / raw) To: Pavel Machek Cc: LKML, stable, Andrew Morton, linux-mm, mm-commits, Zhen Lei, Linus Torvalds Hi, On Fri, Sep 24, 2021 at 7:35 PM Pavel Machek <pavel@denx.de> wrote: > > Hi! > > > From: Zhen Lei <thunder.leizhen@huawei.com> > > Subject: nilfs2: use refcount_dec_and_lock() to fix potential UAF > > > > When the refcount is decreased to 0, the resource reclamation branch is > > entered. Before CPU0 reaches the race point (1), CPU1 may obtain the > > spinlock and traverse the rbtree to find 'root', see nilfs_lookup_root(). > > Although CPU1 will call refcount_inc() to increase the refcount, it is > > obviously too late. CPU0 will release 'root' directly, CPU1 then accesses > > 'root' and triggers UAF. > > > > Use refcount_dec_and_lock() to ensure that both the operations of decrease > > refcount to 0 and link deletion are lock protected eliminates this risk. > > > > CPU0 CPU1 > > nilfs_put_root(): > > <-------- (1) > > spin_lock(&nilfs->ns_cptree_lock); > > rb_erase(&root->rb_node, &nilfs->ns_cptree); > > spin_unlock(&nilfs->ns_cptree_lock); > > > > kfree(root); > > <-------- use-after-free > > > There is no reproduction program, and the above is only theoretical > > analysis. > > Ok, so we have a theoretical bug, and fix already on its way to > stable. But ... is it correct? > > > +++ a/fs/nilfs2/the_nilfs.c > > @@ -792,14 +792,13 @@ nilfs_find_or_create_root(struct the_nil > > > > void nilfs_put_root(struct nilfs_root *root) > > { > > - if (refcount_dec_and_test(&root->count)) { > > - struct the_nilfs *nilfs = root->nilfs; > > + struct the_nilfs *nilfs = root->nilfs; > > > > - nilfs_sysfs_delete_snapshot_group(root); > > - > > - spin_lock(&nilfs->ns_cptree_lock); > > + if (refcount_dec_and_lock(&root->count, &nilfs->ns_cptree_lock)) { > > rb_erase(&root->rb_node, &nilfs->ns_cptree); > > spin_unlock(&nilfs->ns_cptree_lock); > > + > > + nilfs_sysfs_delete_snapshot_group(root); > > iput(root->ifile); > > > > kfree(root); > > spin_lock() is deleted, but spin_unlock() is not affected. This means > unbalanced locking, right? It's okay. spin_lock() is integrated into refcount_dec_and_lock(), which was originally refcount_dec_and_test(). Thanks, Ryusuke Konishi > > Best regards, > Pavel > -- > DENX Software Engineering GmbH, Managing Director: Wolfgang Denk > HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany > ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-09-24 11:09 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20210907195226.14b1d22a07c085b22968b933@linux-foundation.org>
[not found] ` <20210908025845.cwXLsq_Uo%akpm@linux-foundation.org>
[not found] ` <CAHk-=wjza9+kJJfDXtnQ4YkS637+8H4QZ1tTGRfr39_abkSV-A@mail.gmail.com>
2021-09-09 10:27 ` [patch 103/147] lib/string: optimized memset Matteo Croce
[not found] ` <20210908030026.2dLZCmkE4%akpm@linux-foundation.org>
2021-09-24 10:35 ` [patch 136/147] nilfs2: use refcount_dec_and_lock() to fix potential UAF Pavel Machek
2021-09-24 11:09 ` Ryusuke Konishi
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox