From owner-freebsd-stable@freebsd.org Sat Oct 8 12:36:25 2016 Return-Path: Delivered-To: freebsd-stable@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id A4358AF75BF for ; Sat, 8 Oct 2016 12:36:25 +0000 (UTC) (envelope-from oliver.pinter@hardenedbsd.org) Received: from mail-wm0-x22c.google.com (mail-wm0-x22c.google.com [IPv6:2a00:1450:400c:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 37B798EB for ; Sat, 8 Oct 2016 12:36:25 +0000 (UTC) (envelope-from oliver.pinter@hardenedbsd.org) Received: by mail-wm0-x22c.google.com with SMTP id f193so75651990wmg.0 for ; Sat, 08 Oct 2016 05:36:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hardenedbsd-org.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=PlIU+eEFuO1X71ulcYJb32kQlMN149jk4XphWhyE8NE=; b=fsNWP1i+C774Db51049bUZhVpAgVotHmfh9GeHBtUxrIlcR052CHT3l7S70b2MBgRf MA6dP1MHjpK++65RidKDw9QplLZeEV6erW16zIolXf1p40c1ocQffS3IOAcNSNMJu8Pl Yh2y2OOMN4ZqrIuJYa6tEH6H7/t242Ze+qtXYAyOkTue83zdvgyr20vWJR2va3CUDuxo 1BLVCdHIvD7vJLp57apHCvdmANGa6Gg3ADju+HnMvPVGKKEJ7fXCIFqLZELpazz3Ogtq TXVQjx8n8ZvgquQycU31BW+Z+PYyzPsgLxgIfYClm6wf4w9Za4LOD1s8ebyCBvEB/3q+ yNzw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=PlIU+eEFuO1X71ulcYJb32kQlMN149jk4XphWhyE8NE=; b=DFx0rqungJd5SEMzp+TeNqrKQqtv1WC5sZ57YqGbq6f2xpgtQb3mmo2C+IQ1hwcdiX 0hu6robVzEchvlljEji0sZaH87MaJvyO90YKC/i2sokrjUFiLp80xxX7WKW9W44wVXbP of8/N500m0y0p6HvxOpDgSIUr4s6sIZBqPDFnyVtOx49nJflgu9z/Py3vVn3cwQ2o2Tc ZVuznn3HwlcMJPASNp4Ghr6C/YhB17DE8XZsLK51kWstkSgqk5h7zDKxZ3UlzrSugQcZ TRDkZvoA/ljDwx18vL/OVGKjK4XVii/WPIG4esmuErB5ZNFgQD9w8Av534TwmQjiv8u3 /e9Q== X-Gm-Message-State: AA6/9RnweNgGyeNM2N94tMpEvwhdvMxJJHhZAddfDighxaPyT5AGLpT+SyaDh1vARRqHlvNG1wQ8JEQ6m+MpuzNr X-Received: by 10.28.150.211 with SMTP id y202mr3248646wmd.6.1475930182900; Sat, 08 Oct 2016 05:36:22 -0700 (PDT) MIME-Version: 1.0 Received: by 10.80.146.35 with HTTP; Sat, 8 Oct 2016 05:36:22 -0700 (PDT) In-Reply-To: <7b732876-8cc3-a638-7ff1-e664060d4907@freebsd.org> References: <7b732876-8cc3-a638-7ff1-e664060d4907@freebsd.org> From: Oliver Pinter Date: Sat, 8 Oct 2016 14:36:22 +0200 Message-ID: Subject: Re: fix for use-after-free problem in 10.x To: Julian Elischer Cc: FreeBSD Stable , freebsd Content-Type: text/plain; charset=UTF-8 X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 08 Oct 2016 12:36:25 -0000 On 10/5/16, Julian Elischer wrote: > In 11 and 12 the taskqueue code has been rewritten in this area but > under 10 this bug still occurs. > > On our appliances this bug stops the system from mounting the ZFS > root, so it is quite severe. > Basically while the thread is sleeping during the ZFS mount of root > (in the while loop), another thread can free the 'task' item it is > checking in that while loop and it can be reused or filled with > 'deadcode' etc., with the waiting code unaware of the change.. The fix > is to refetch the item at the end of the queue each time around the loop. > I don't really want to do the bigger change of MFCing the change in > 11, as it is more extensive, though if someone else does, that's ok by > me. (If it's ABI compatible) > > Any comments or suggestions? Yes, please commit them. This patch fixes the ZFS + GELI + INVARIANTS problem for us. There is the FreeBSD PR about the issue: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209580 > > here's the fix in diff form: > > > [robot@porridge /usr/src]$ p4 diff -du ... > --- //depot/pbranches/jelischer/FreeBSD-PZ/10.3/sys/kern/subr_taskqueue.c > 2016-09-27 09:14:59.000000000 -0700 > +++ /usr/src/sys/kern/subr_taskqueue.c 2016-09-27 09:14:59.000000000 -0700 > @@ -441,9 +441,10 @@ > > TQ_LOCK(queue); > task = STAILQ_LAST(&queue->tq_queue, task, ta_link); > - if (task != NULL) > - while (task->ta_pending != 0) > - TQ_SLEEP(queue, task, &queue->tq_mutex, PWAIT, "-", > 0); > + while (task != NULL && task->ta_pending != 0) { > + TQ_SLEEP(queue, task, &queue->tq_mutex, PWAIT, "-", 0); > + task = STAILQ_LAST(&queue->tq_queue, task, ta_link); > + } > taskqueue_drain_running(queue); > KASSERT(STAILQ_EMPTY(&queue->tq_queue), > ("taskqueue queue is not empty after draining")); > > _______________________________________________ > freebsd-hackers@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-hackers > To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org" >