* [Race] data race between pipe_lock_nested() and put_pipe_info()
@ 2020-11-30 14:53 Gong, Sishuai
  0 siblings, 0 replies; only message in thread
From: Gong, Sishuai @ 2020-11-30 14:53 UTC (permalink / raw)
  To: viro; +Cc: linux-fsdevel

Hi,

We found a data race in Linux kernel 5.3.11 that we are able to reproduce on x86 under specific interleavings. Currently, we are not sure about the consequence of this race, but we noticed that the reader is not protected while the writer is. Thus, we would like to confirm with the community whether this is a harmful bug.

------------------------------------------
Writer site

/tmp/tmp.B7zb7od2zE-5.3.11/extract/linux-5.3.11/fs/pipe.c:575
       570      static void put_pipe_info(struct inode *inode, struct pipe_inode_info *pipe)
       571      {
       572              int kill = 0;
       573
       574              spin_lock(&inode->i_lock);
==>    575              if (!--pipe->files) {
       576                      inode->i_pipe = NULL;
       577                      kill = 1;
       578              }
       579              spin_unlock(&inode->i_lock);
       580
       581              if (kill)
       582                      free_pipe_info(pipe);
       583      }

------------------------------------------
Reader site

/tmp/tmp.B7zb7od2zE-5.3.11/extract/linux-5.3.11/fs/pipe.c:62
        60      static void pipe_lock_nested(struct pipe_inode_info *pipe, int subclass)
        61      {
==>     62              if (pipe->files)
        63                      mutex_lock_nested(&pipe->mutex, subclass);
        64      }

------------------------------------------
Writer calling trace

- exit_to_usermode_loop
-- tracehook_notify_resume
--- task_work_run
---- __fput()
----- pipe_release()
------ put_pipe_info

------------------------------------------
Reader calling trace

- do_epoll_wait
-- schedule_hrtimeout_range
--- schedule_hrtimeout_range_clock
---- schedule
----- pipe_lock
------ pipe_lock_nested

Thanks,
Sishuai

