Date: Mon, 28 Mar 2011 00:06:38 +0300
From: Kostik Belousov
To: Mikolaj Golub
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Subject: Re: svn commit: r220062 - head/sys/geom/gate
Message-ID: <20110327210638.GO78089@deviant.kiev.zoral.com.ua>

On Sun, Mar 27, 2011 at 11:49:15PM +0300, Mikolaj Golub wrote:
>
> On Sun, 27 Mar 2011 23:08:04 +0300 Kostik Belousov wrote:
>
> KB> On Sun, Mar 27, 2011 at 07:56:55PM +0000, Mikolaj Golub wrote:
> >> Author: trociny
> >> Date: Sun Mar 27 19:56:55 2011
> >> New Revision: 220062
> >> URL: http://svn.freebsd.org/changeset/base/220062
> >>
> >> Log:
> >> In g_gate_create() there is a window between when g_gate_softc is
> >> registered in g_gate_units array and when its sc_provider field is
> >> filled. If during this period g_gate_units is accessed by another
> >> thread that is checking for provider name collision the crash is
> >> possible.
> >>
> >> Fix this by adding sc_name field to struct g_gate_softc. In
> >> g_gate_create() when g_gate_softc is created but sc_provider is still
> >> not sc_name points to provider name stored in the local array.
> >>
> >> Approved by: pjd (mentor)
> >> Reported by: Freddie Cash
> >> MFC after: 1 week
> >>
> >> Modified:
> >> head/sys/geom/gate/g_gate.c
> >> head/sys/geom/gate/g_gate.h
> >>
> >> Modified: head/sys/geom/gate/g_gate.c > >> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D > >> --- head/sys/geom/gate/g_gate.c Sun Mar 27 19:29:18 2011 = (r220061) > >> +++ head/sys/geom/gate/g_gate.c Sun Mar 27 19:56:55 2011 = (r220062) > >> @@ -409,13 +409,14 @@ g_gate_create(struct g_gate_ctl_create * > >> for (unit =3D 0; unit < g_gate_maxunits; unit++) { > >> if (g_gate_units[unit] =3D=3D NULL) > >> continue; > >> - if (strcmp(name, g_gate_units[unit]->sc_provider->na= me) !=3D 0) > >> + if (strcmp(name, g_gate_units[unit]->sc_name) !=3D 0) > >> continue; > >> mtx_unlock(&g_gate_units_lock); > >> mtx_destroy(&sc->sc_queue_mtx); > >> free(sc, M_GATE); > >> return (EEXIST); > >> } > >> + sc->sc_name =3D name; > >> g_gate_units[sc->sc_unit] =3D sc; > >> g_gate_nunits++; > >> mtx_unlock(&g_gate_units_lock); 
> >> @@ -434,6 +435,9 @@ g_gate_create(struct g_gate_ctl_create * > >> sc->sc_provider =3D pp; > >> g_error_provider(pp, 0); > >> g_topology_unlock(); > >> + mtx_lock(&g_gate_units_lock); > >> + sc->sc_name =3D sc->sc_provider->name; > >> + mtx_unlock(&g_gate_units_lock);
> KB> I think you do not need a mutex locked around the single assignment.
> KB> As I understand, sc_provider->name is constant ?
>
> Is the following scenario impossible?
>
> Thread A is looking for name collision and is accessing
> g_gate_units[unit]->sc_name of the unit that is being created by a thread B,
> so sc_name is pointing to thread B local buffer. At this time the thread B
> creates provider, does sc->sc_name = sc->sc_provider->name and returns from
> g_gate_create(). Thread A, if it is still working with
> g_gate_units[unit]->sc_name, is accessing invalid memory.

Ok, name is local variable. Apparently, what you need is a barrier.
It would be enough to do
	sc->sc_name = sc->sc_provider->name;
	mtx_lock(&g_gate_units_lock);
	mtx_unlock(&g_gate_units_lock);

The change is fine as is.
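
Review bot: The added `sc->sc_name = name;` in the @@ -409,13 +409,14 hunk needs a comment stating the lifetime rule, since the commit log says the name is stored in a local array and the next line makes sc reachable through g_gate_units. From that point until the second hunk re-points sc_name, every exit from g_gate_create() has to take sc out of g_gate_units first, or the collision loop above will strcmp() against a dead stack buffer. The lines shown here do not cover those paths, so they are worth checking, and the invariant is worth writing down next to the assignment.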
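
Review bot: The three added lines at the end of the @@ -434,6 +435,9 hunk take g_gate_units_lock around a single pointer store with no comment saying why, and the reason is not visible at that spot. Suggest a short comment there saying that the lock is what keeps a thread still inside the collision loop, which reads sc_name under the same lock, from being left with the pointer to the local name buffer when g_gate_create() returns.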
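
A user-space model of the window discussed in this thread, added here as an illustration (it is not the FreeBSD code or anyone's patch from the thread). A pthread mutex stands in for g_gate_units_lock and `storage[]` for the provider's name; `pool`, `collides()`, `name_in_use()`, `unit_create()` and `seen_in_window` are hypothetical names. It shows a collision check that arrives before the provider exists succeeding through sc_name, and sc_name no longer pointing at the local buffer once creation returns.

```c
#include <errno.h>
#include <pthread.h>
#include <string.h>

/* User-space model (assumption): a pthread mutex stands in for mtx(9) and
 * storage[] for the GEOM provider; unit must be a free, in-range slot. */
#define MAXUNITS 4
struct softc { const char *sc_name, *sc_provider; char storage[32]; };
struct softc pool[MAXUNITS], *units[MAXUNITS];
pthread_mutex_t units_lock = PTHREAD_MUTEX_INITIALIZER;

static int collides(const char *name)     /* caller holds units_lock */
{
    for (int u = 0; u < MAXUNITS; u++)
        if (units[u] != NULL && strcmp(name, units[u]->sc_name) == 0)
            return 1;
    return 0;
}

int name_in_use(const char *name)          /* what a second thread runs */
{
    pthread_mutex_lock(&units_lock);
    int found = collides(name);
    pthread_mutex_unlock(&units_lock);
    return found;
}

int unit_create(int unit, const char *req, int *seen_in_window)
{
    char name[32] = {0};                   /* dead once this frame returns */
    struct softc *sc = &pool[unit];
    strncpy(name, req, sizeof(name) - 1);
    pthread_mutex_lock(&units_lock);
    if (collides(name)) {
        pthread_mutex_unlock(&units_lock);
        return EEXIST;
    }
    sc->sc_name = name;                    /* set before sc becomes visible */
    units[unit] = sc;
    pthread_mutex_unlock(&units_lock);
    if (seen_in_window != NULL)            /* test aid: a check arriving now */
        *seen_in_window = name_in_use(req);  /* sc_provider is still NULL */
    sc->sc_provider = strcpy(sc->storage, name);
    pthread_mutex_lock(&units_lock);       /* waits out scans reading name[] */
    sc->sc_name = sc->sc_provider;
    pthread_mutex_unlock(&units_lock);
    return 0;
}

int main(void) { int seen = 0; return unit_create(0, "ggate0", &seen) || !seen; }
```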