From: Al Viro <viro@ZenIV.linux.org.uk>
To: hejianet <hejianet@gmail.com>
Cc: Feifei Xu <xufeifei@linux.vnet.ibm.com>,
linux-fsdevel@vger.kernel.org, xuhilar@gmail.com,
boqun.feng@gmail.com
Subject: Re: [Bug] fs/dcache.c: NULL pointer dereference on dentry_string_cmp
Date: Thu, 21 Jul 2016 05:18:57 +0100 [thread overview]
Message-ID: <20160721041857.GK2356@ZenIV.linux.org.uk> (raw)
In-Reply-To: <57903F70.5030206@gmail.com>
On Thu, Jul 21, 2016 at 11:20:16AM +0800, hejianet wrote:
> > I don't see any likely candidates for that bug - not in mainline, not in
> > the kernel you'd been running there. Basically, once we have obtained
> > a pointer to dentry (which should happen only in __d_alloc()[1]), it should
> > never have NULL in its ->d_name.name. Any path through __d_alloc() that
> > doesn't end up returning NULL will pass through
> > dname[name->len] = 0;
> >
> > /* Make sure we always see the terminating NUL character */
> > smp_wmb();
> > dentry->d_name.name = dname;
> > which obviously can't end up with dentry->d_name.name == NULL - dname would
> > have to be NULL as well, and that would oops in the first of the quoted lines.
> Maybe not
> This barrier is to guarantee that in dentry_cmp,
> if dentry->d_name.name is equal to dname (not NULL), then dname[name->len]
> should be equal to 0(dname is terminated with NULL).
> This barrier will NOT guarantee that dentry->d_name.name != NULL in dentry_cmp.
> So maybe we need to add a if statement to avoid this race condition?
>
> Is there anything wrong with my descriptions?
Hash insertion does smp_store_release(). Hash chain traversal -
smp_read_barrier_depends(). On ppc the former is lwsync, while the latter
is no-op, so it boils down to
store dentry->d_name.name
lwsync
store mangled address of dentry into hash chain
vs.
fetch mangled address of dentry
demangle it
fetch dentry->d_name.name
which should be enough - lwsync paired with address dependency gives the
ordering. IOW, it's not about the barriers in __d_alloc(), it's those in
hlist_bl_add_head_rcu() and hlist_bl_for_each_entry_rcu().
And it couldn't be a missing barrier anyway - crash dump shows that
sucker with NULL ->d_name.name.
next prev parent reply other threads:[~2016-07-21 4:19 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-14 13:25 [Bug] fs/dcache.c: NULL pointer dereference on dentry_string_cmp Feifei Xu
2016-07-20 5:59 ` Al Viro
2016-07-21 3:20 ` hejianet
2016-07-21 4:18 ` Al Viro [this message]
2016-07-21 5:57 ` Al Viro
2016-07-21 6:40 ` Feifei Xu
2016-07-21 7:42 ` Feifei Xu
2016-07-21 6:30 ` Feifei Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160721041857.GK2356@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=boqun.feng@gmail.com \
--cc=hejianet@gmail.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=xufeifei@linux.vnet.ibm.com \
--cc=xuhilar@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.