From: Daniel Jordan <daniel.m.jordan@oracle.com>
To: Ben Hutchings <ben@decadent.org.uk>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
Daniel Jordan <daniel.m.jordan@oracle.com>,
Steffen Klassert <steffen.klassert@secunet.com>,
linux-crypto@vger.kernel.org, stable <stable@vger.kernel.org>
Subject: Re: Backporting "padata: Remove broken queue flushing"
Date: Tue, 19 May 2020 16:00:18 -0400 [thread overview]
Message-ID: <20200519200018.5vuyuxmjy5ypgi3w@ca-dmjordan1.us.oracle.com> (raw)
In-Reply-To: <0b158b60fe621552c327e9d822bc3245591a4bd6.camel@decadent.org.uk>
Hello Ben,
On Tue, May 19, 2020 at 02:53:05PM +0100, Ben Hutchings wrote:
> I noticed that commit 07928d9bfc81 "padata: Remove broken queue
> flushing" has been backported to most stable branches, but commit
> 6fc4dbcf0276 "padata: Replace delayed timer with immediate workqueue in
> padata_reorder" has not.
>
> Is this correct? What prevents the parallel_data ref-count from
> dropping to 0 while the timer is scheduled?
Doesn't seem like anything does, looking at 4.19.
I can see a race where the timer function uses a parallel_data after free
whether or not the refcount goes to 0. Don't think it's likely to happen in
practice because of how small the window is between the serial callback
finishing and the timer being deactivated.
task1:
padata_reorder
task2:
padata_do_serial
// object arrives in reorder queue
// sees reorder_objects > 0,
// set timer for 1 second
mod_timer
return
padata_reorder
// queue serial work, which finishes
// (now possibly no more objects
// left)
|
task1: |
// pd is freed one of two ways: |
// 1) pcrypt is unloaded |
// 2) padata_replace triggered |
// from userspace | (small window)
|
task3: |
padata_reorder_timer |
// uses pd after free |
|
del_timer // too late
If I got this right we might want to backport the commit you mentioned to be on
the safe side.
next prev parent reply other threads:[~2020-05-19 20:00 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-19 13:53 Backporting "padata: Remove broken queue flushing" Ben Hutchings
2020-05-19 20:00 ` Daniel Jordan [this message]
2020-05-20 14:33 ` Ben Hutchings
2020-05-21 8:00 ` Greg Kroah-Hartman
2020-05-21 13:32 ` Daniel Jordan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200519200018.5vuyuxmjy5ypgi3w@ca-dmjordan1.us.oracle.com \
--to=daniel.m.jordan@oracle.com \
--cc=ben@decadent.org.uk \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).