From owner-svn-src-all@FreeBSD.ORG Sun Mar 27 20:49:19 2011
From: Mikolaj Golub
To: Kostik Belousov
References: <201103271956.p2RJutha067490@svn.freebsd.org> <20110327200804.GM78089@deviant.kiev.zoral.com.ua>
X-Comment-To: Kostik Belousov
Sender: Mikolaj Golub
Date: Sun, 27 Mar 2011 23:49:15 +0300
In-Reply-To: <20110327200804.GM78089@deviant.kiev.zoral.com.ua> (Kostik Belousov's message of "Sun, 27 Mar 2011 23:08:04 +0300")
Message-ID: <86fwq8e1bo.fsf@kopusha.home.net>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.2 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Subject: Re: svn commit: r220062 - head/sys/geom/gate
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "SVN commit messages for the entire src tree (except for "user" and "projects")"
X-List-Received-Date: Sun, 27 Mar 2011 20:49:19 -0000

On Sun, 27 Mar 2011 23:08:04 +0300 Kostik Belousov wrote:

KB> On Sun, Mar 27, 2011 at 07:56:55PM +0000, Mikolaj Golub wrote:
>> Author: trociny
>> Date: Sun Mar 27 19:56:55 2011
>> New Revision: 220062
>> URL: http://svn.freebsd.org/changeset/base/220062
>>
>> Log:
>>   In g_gate_create() there is a window between when g_gate_softc is
>>   registered in g_gate_units array and when its sc_provider field is
>>   filled. If during this period g_gate_units is accessed by another
>>   thread that is checking for provider name collision the crash is
>>   possible.
>>
>>   Fix this by adding sc_name field to struct g_gate_softc. In
>>   g_gate_create() when g_gate_softc is created but sc_provider is still
>>   not sc_name points to provider name stored in the local array.
>>
>>   Approved by:	pjd (mentor)
>>   Reported by:	Freddie Cash
>>   MFC after:	1 week
>>
>> Modified:
>>   head/sys/geom/gate/g_gate.c
>>   head/sys/geom/gate/g_gate.h
>>
>> Modified: head/sys/geom/gate/g_gate.c
>> ==============================================================================
>> --- head/sys/geom/gate/g_gate.c	Sun Mar 27 19:29:18 2011	(r220061)
>> +++ head/sys/geom/gate/g_gate.c	Sun Mar 27 19:56:55 2011	(r220062)
>> @@ -409,13 +409,14 @@ g_gate_create(struct g_gate_ctl_create *
>>  	for (unit = 0; unit < g_gate_maxunits; unit++) {
>>  		if (g_gate_units[unit] == NULL)
>>  			continue;
>> -		if (strcmp(name, g_gate_units[unit]->sc_provider->name) != 0)
>> +		if (strcmp(name, g_gate_units[unit]->sc_name) != 0)
>>  			continue;
>>  		mtx_unlock(&g_gate_units_lock);
>>  		mtx_destroy(&sc->sc_queue_mtx);
>>  		free(sc, M_GATE);
>>  		return (EEXIST);
>>  	}
>> +	sc->sc_name = name;
>>  	g_gate_units[sc->sc_unit] = sc;
>>  	g_gate_nunits++;
>>  	mtx_unlock(&g_gate_units_lock);
>> @@ -434,6 +435,9 @@ g_gate_create(struct g_gate_ctl_create *
>>  	sc->sc_provider = pp;
>>  	g_error_provider(pp, 0);
>>  	g_topology_unlock();
>> +	mtx_lock(&g_gate_units_lock);
>> +	sc->sc_name = sc->sc_provider->name;
>> +	mtx_unlock(&g_gate_units_lock);

KB> I think you do not need a mutex locked around the single assignment.
KB> As I understand, sc_provider->name is constant ?

Is the following scenario impossible?

Thread A is looking for name collision and is accessing
g_gate_units[unit]->sc_name of the unit that is being created by a thread B,
so sc_name is pointing to thread B local buffer. At this time the thread B
creates provider, does sc->sc_name = sc->sc_provider->name and returns from
g_gate_create(). Thread A, if it is still working with
g_gate_units[unit]->sc_name, is accessing invalid memory.

-- 
Mikolaj Golub
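Review bot: In the first hunk, `sc->sc_name = name;` stores a pointer to a buffer the log message says is local to g_gate_create(), so from this line until the reassignment at the end of the function sc_name may only be dereferenced while g_gate_units_lock is held, which is what the collision loop above it does (it releases the lock with mtx_unlock(&g_gate_units_lock) only after the strcmp). A one-line comment at this assignment stating that lifetime rule would stop a later reader from caching sc_name outside the lock.

Review bot: In the second hunk, the mtx_lock/mtx_unlock pair around `sc->sc_name = sc->sc_provider->name;` is not protecting sc_provider->name, which does not change; it serializes the switch of sc_name from the local buffer to the provider name against the strcmp loop in the first hunk, which walks g_gate_units under the same lock. Without it a thread inside that loop could be reading through sc_name at the moment g_gate_create() returns and the local buffer goes out of scope, which is exactly the scenario raised in this thread; keep the lock, and a short comment saying why it is needed here would prevent it being removed as redundant later.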