From: Pintér, Olivér
Date: Tue, 11 Oct 2016 13:10:45 +0200
Subject: Re: fix for use-after-free problem in 10.x
To: Julian Elischer
Cc: Oliver Pinter, freebsd, FreeBSD Stable
X-BeenThere: freebsd-hackers@freebsd.org

On Mon, Oct 10, 2016 at 7:07 AM, Julian Elischer wrote:
> On 8/10/2016 5:36 AM, Oliver Pinter wrote:
>
>> On 10/5/16, Julian Elischer wrote:
>>
>>> In 11 and 12 the taskqueue code has been rewritten in this area but
>>> under 10 this bug still occurs.
>>>
>>> On our appliances this bug stops the system from mounting the ZFS
>>> root, so it is quite severe.
>>> Basically while the thread is sleeping during the ZFS mount of root
>>> (in the while loop), another thread can free the 'task' item it is
>>> checking in that while loop and it can be reused or filled with
>>> 'deadcode' etc., with the waiting code unaware of the change. The fix
>>> is to refetch the item at the end of the queue each time around the loop.
>>> I don't really want to do the bigger change of MFCing the change in
>>> 11, as it is more extensive, though if someone else does, that's ok by
>>> me. (If it's ABI compatible)
>>>
>>> Any comments or suggestions?
>>>
>> Yes, please commit them. This patch fixes the ZFS + GELI + INVARIANTS
>> problem for us.
>> There is the FreeBSD PR about the issue:
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209580
>>
>
> I committed a slightly better version to stable/10
> should I ask for a merge to releng/10.3?

Yes, it would be really nice! Thanks for your effort!
>
>> here's the fix in diff form:
>>>
>>>
>>> [robot@porridge /usr/src]$ p4 diff -du ...
>>> --- //depot/pbranches/jelischer/FreeBSD-PZ/10.3/sys/kern/subr_ta
>>> skqueue.c
>>> 2016-09-27 09:14:59.000000000 -0700
>>> +++ /usr/src/sys/kern/subr_taskqueue.c 2016-09-27 09:14:59.000000000
>>> -0700
>>> @@ -441,9 +441,10 @@
>>>
>>> TQ_LOCK(queue);
>>> task = STAILQ_LAST(&queue->tq_queue, task, ta_link);
>>> - if (task != NULL)
>>> - while (task->ta_pending != 0)
>>> - TQ_SLEEP(queue, task, &queue->tq_mutex, PWAIT,
>>> "-",
>>> 0);
>>> + while (task != NULL && task->ta_pending != 0) {
>>> + TQ_SLEEP(queue, task, &queue->tq_mutex, PWAIT, "-", 0);
>>> + task = STAILQ_LAST(&queue->tq_queue, task, ta_link);
>>> + }
>>> taskqueue_drain_running(queue);
>>> KASSERT(STAILQ_EMPTY(&queue->tq_queue),
>>> ("taskqueue queue is not empty after draining"));
>>>
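Review bot: the new `while (task != NULL && task->ta_pending != 0)` loop changes what the drain waits for: the old code waited only for the one tail task it captured, whereas the refetch keeps the loop running until STAILQ_LAST() returns NULL, i.e. until the queue is completely empty. That matches the KASSERT(STAILQ_EMPTY(...)) that follows, but it also means a queue that is continuously refilled can hold the drainer indefinitely, which the commit message should state. The refetch is only safe because TQ_SLEEP() returns with tq_mutex held again, so both the STAILQ_LAST() call and the following ta_pending read happen under the lock; a one-line comment inside the loop saying so would help the next reader. Separately, the hunk as pasted will not apply: the removed TQ_SLEEP() line is mail-wrapped across three lines (`>>> - TQ_SLEEP(queue, task, &queue->tq_mutex, PWAIT,` / `>>> "-",` / `>>> 0);`) and the `---` path is split at `subr_ta` / `skqueue.c`, and the thread never names the stable/10 revision that was committed, which the releng/10.3 merge request will need.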
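The race Julian describes, modelled as an added userland C example (not FreeBSD's subr_taskqueue.c): the old drain loop keeps the STAILQ_LAST() pointer across the sleep, during which another thread completes and frees that task, while the fixed loop refetches the tail each time round. The task pool, the `freed` flag, the `stale_reads` counter and the `run_one_and_free`/`drain_old`/`drain_new` names are constructed here so that the stale read is observable instead of being undefined behaviour.

```c
/* Userland model of the taskqueue_drain_all() race discussed above (an added example,
 * not FreeBSD's code). Tasks come from a fixed pool so a read through a freed task is counted. */
#include <stddef.h>

struct task { struct task *next; int ta_pending; int freed; };
static struct task pool[8];
static struct task *q_head, *q_tail;   /* stand-in for queue->tq_queue */
static int stale_reads;                /* reads of ta_pending via a freed task */
static int read_pending(const struct task *t) {   /* task->ta_pending, UAF-checked */
    if (t->freed) stale_reads++;                  /* the kernel would read garbage */
    return t->freed ? 0 : t->ta_pending;
}
/* Another thread, while the drainer is in TQ_SLEEP: runs the head task; its owner frees it. */
static void run_one_and_free(void) {
    struct task *t = q_head;
    if (t == NULL) return;
    if ((q_head = t->next) == NULL) q_tail = NULL;
    t->ta_pending = 0; t->freed = 1;
}
static void fill_queue(int n) {        /* n pending tasks, constructed input */
    q_head = q_tail = NULL; stale_reads = 0;
    for (int i = 0; i < n && i < 8; i++) {
        pool[i].next = NULL; pool[i].ta_pending = 1; pool[i].freed = 0;
        if (q_tail) q_tail->next = &pool[i]; else q_head = &pool[i];
        q_tail = &pool[i];
    }
}

/* stable/10 before the fix: STAILQ_LAST() evaluated once, pointer kept across sleeps.
 * Returns how many reads went through a freed task (0 means no use-after-free). */
int drain_old(int n) {
    fill_queue(n);
    struct task *task = q_tail;          /* STAILQ_LAST(&queue->tq_queue, ...) */
    if (task != NULL)
        while (read_pending(task) != 0)
            run_one_and_free();          /* TQ_SLEEP(): lock dropped, others run */
    return stale_reads;
}

/* The loop from the diff: refetch the tail after every sleep, stop when the queue is empty. */
int drain_new(int n) {
    fill_queue(n);
    struct task *task = q_tail;
    while (task != NULL && read_pending(task) != 0) {
        run_one_and_free();
        task = q_tail;                   /* re-evaluate STAILQ_LAST() */
    }
    return stale_reads;
}
int queue_is_empty(void) { return q_head == NULL; }
```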