While backporting Michael's "pipe: fix limit handling" [1] patchset to a
distro-kernel, Mikulas noticed that current upstream pipe limit handling
contains a few problems:
1 - round_pipe_size() nr_pages overflow on 32bit: this would
subsequently try roundup_pow_of_two(0), which is undefined.
2 - visible non-rounded pipe-max-size value: there is no mutual
exclusion or protection between the time pipe_max_size is assigned
a raw value from proc_dointvec_minmax() and when it is rounded.
3 - procfs signed wrap: echo'ing a large number into
/proc/sys/fs/pipe-max-size and then cat'ing it back out shows a
negative value.
This RFC serves as a bug report and a contains a few possible fixes.
There may be better / more consistent ways to fix the overflows and
procfs bugs, but I figured I'd throw an RFC w/code out there for initial
conversation. Suggestions welcome!
-- Joe
Testing
=======
Patch 1 - 32bit overflow
------------------------
>From userspace:
fcntl(fd, F_SETPIPE_SZ, 0xffffffff);
- Before the fix, return value was 4096 as pipe size overflowed and
was set to 4096
- After the fix, returns -1 and sets errno EINVAL, pipe size remains
untouched
Patch 2 - non-rounded pipe-max-size value
-----------------------------------------
Keep plugging in values that need to be rounded:
while (true); do echo 1048570 > /proc/sys/fs/pipe-max-size; done
and in another terminal, loop around reading the value:
time (while (true); do SIZE=$(cat /proc/sys/fs/pipe-max-size); [[ $(( $SIZE % 4096 )) -ne 0 ]] && break; done; echo "$SIZE")
1048570
real 0m46.213s
user 0m29.688s
sys 0m20.042s
after the fix, the test loop never encountered a non-page-rounded value.
Patch 3 - procfs signed wrap
----------------------------
Before:
% echo 2147483647 >/proc/sys/fs/pipe-max-size
% cat /proc/sys/fs/pipe-max-size
-2147483648
After:
% echo 2147483647 >/proc/sys/fs/pipe-max-size
% cat /proc/sys/fs/pipe-max-size
2147483648
Joe Lawrence (3):
pipe: avoid round_pipe_size() nr_pages overflow on 32-bit
pipe: protect pipe_max_size access with a mutex
pipe: match pipe_max_size data type with procfs
fs/pipe.c | 48 +++++++++++++++++++++++++++++++++++++++++-------
kernel/sysctl.c | 2 +-
2 files changed, 42 insertions(+), 8 deletions(-)
--
1.8.3.1
pipe_max_size is assigned directly via procfs sysctl:
static struct ctl_table fs_table[] = {
...
{
.procname = "pipe-max-size",
.data = &pipe_max_size,
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = &pipe_proc_fn,
.extra1 = &pipe_min_size,
},
...
int pipe_proc_fn(struct ctl_table *table, int write, void __user *buf,
size_t *lenp, loff_t *ppos)
{
...
ret = proc_dointvec_minmax(table, write, buf, lenp, ppos)
...
and then later rounded in-place a few statements later:
...
pipe_max_size = round_pipe_size(pipe_max_size);
...
This leaves a window of time between initial assignment and rounding
that may be visible to other threads. (For example, one thread sets a
non-rounded value to pipe_max_size while another reads its value.)
Similar reads of pipe_max_size are potentially racey:
pipe.c :: alloc_pipe_info()
pipe.c :: pipe_set_size()
Protect them and the procfs sysctl assignment with a mutex.
Reported-by: Mikulas Patocka <[email protected]>
Signed-off-by: Joe Lawrence <[email protected]>
---
fs/pipe.c | 28 ++++++++++++++++++++++++----
1 file changed, 24 insertions(+), 4 deletions(-)
diff --git a/fs/pipe.c b/fs/pipe.c
index fa28910b3c59..33bb11b0d78e 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -35,6 +35,11 @@
unsigned int pipe_max_size = 1048576;
/*
+ * Provide mutual exclusion around access to pipe_max_size
+ */
+static DEFINE_MUTEX(pipe_max_mutex);
+
+/*
* Minimum pipe size, as required by POSIX
*/
unsigned int pipe_min_size = PAGE_SIZE;
@@ -623,13 +628,18 @@ struct pipe_inode_info *alloc_pipe_info(void)
unsigned long pipe_bufs = PIPE_DEF_BUFFERS;
struct user_struct *user = get_current_user();
unsigned long user_bufs;
+ unsigned int max_size;
pipe = kzalloc(sizeof(struct pipe_inode_info), GFP_KERNEL_ACCOUNT);
if (pipe == NULL)
goto out_free_uid;
- if (pipe_bufs * PAGE_SIZE > pipe_max_size && !capable(CAP_SYS_RESOURCE))
- pipe_bufs = pipe_max_size >> PAGE_SHIFT;
+ mutex_lock(&pipe_max_mutex);
+ max_size = pipe_max_size;
+ mutex_unlock(&pipe_max_mutex);
+
+ if (pipe_bufs * PAGE_SIZE > max_size && !capable(CAP_SYS_RESOURCE))
+ pipe_bufs = max_size >> PAGE_SHIFT;
user_bufs = account_pipe_buffers(user, 0, pipe_bufs);
@@ -1039,6 +1049,7 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg)
struct pipe_buffer *bufs;
unsigned int size, nr_pages;
unsigned long user_bufs;
+ unsigned int max_size;
long ret = 0;
size = round_pipe_size(arg);
@@ -1056,8 +1067,11 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg)
* Decreasing the pipe capacity is always permitted, even
* if the user is currently over a limit.
*/
+ mutex_lock(&pipe_max_mutex);
+ max_size = pipe_max_size;
+ mutex_unlock(&pipe_max_mutex);
if (nr_pages > pipe->buffers &&
- size > pipe_max_size && !capable(CAP_SYS_RESOURCE))
+ size > max_size && !capable(CAP_SYS_RESOURCE))
return -EPERM;
user_bufs = account_pipe_buffers(pipe->user, pipe->buffers, nr_pages);
@@ -1131,18 +1145,24 @@ int pipe_proc_fn(struct ctl_table *table, int write, void __user *buf,
unsigned int rounded_pipe_max_size;
int ret;
+ mutex_lock(&pipe_max_mutex);
orig_pipe_max_size = pipe_max_size;
ret = proc_dointvec_minmax(table, write, buf, lenp, ppos);
- if (ret < 0 || !write)
+ if (ret < 0 || !write) {
+ mutex_unlock(&pipe_max_mutex);
return ret;
+ }
rounded_pipe_max_size = round_pipe_size(pipe_max_size);
if (rounded_pipe_max_size == 0) {
pipe_max_size = orig_pipe_max_size;
+ mutex_unlock(&pipe_max_mutex);
return -EINVAL;
}
pipe_max_size = rounded_pipe_max_size;
+ mutex_unlock(&pipe_max_mutex);
+
return ret;
}
--
1.8.3.1
The round_pipe_size() function contains a right-bit-shift expression
which may overflow, which would cause undefined results in a subsequent
roundup_pow_of_two() call.
static inline unsigned int round_pipe_size(unsigned int size)
{
unsigned long nr_pages;
nr_pages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT;
return roundup_pow_of_two(nr_pages) << PAGE_SHIFT;
}
PAGE_SIZE is defined as (1UL << PAGE_SHIFT), so:
- 4 bytes wide on 32-bit (0 to 0xffffffff)
- 8 bytes wide on 64-bit (0 to 0xffffffffffffffff)
That means that 32-bit round_pipe_size(), nr_pages may overflow to 0:
size=0x00000000 nr_pages=0x0
size=0x00000001 nr_pages=0x1
size=0xfffff000 nr_pages=0xfffff
size=0xfffff001 nr_pages=0x0 << !
size=0xffffffff nr_pages=0x0 << !
This is bad because roundup_pow_of_two(n) is undefined when n == 0!
64-bit is not a problem* as the unsigned int size is 4 bytes wide
(similar to 32-bit) and the larger, 8 byte wide unsigned long, is
sufficient to handle the largest value of the bit shift expression:
size=0xffffffff nr_pages=100000
(*On 64-bit, round_pipe_size(0xffffffff) will later overflow when the
result of roundup_pow_of_two(0x100000) is shifted left by PAGE_SHIFT.
This behavior is at least defined by the language, so callers can safely
sanity-check a 0 return value from round_pipe_size.)
Modify round_pipe_size() to return 0 if n == 0, reset the original
pipe_max_size value, and update callers to handle accordingly.
Reported-by: Mikulas Patocka <[email protected]>
Signed-off-by: Joe Lawrence <[email protected]>
---
fs/pipe.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/fs/pipe.c b/fs/pipe.c
index 97e5be897753..fa28910b3c59 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -1017,13 +1017,16 @@ static int fifo_open(struct inode *inode, struct file *filp)
/*
* Currently we rely on the pipe array holding a power-of-2 number
- * of pages.
+ * of pages. Returns 0 on error.
*/
static inline unsigned int round_pipe_size(unsigned int size)
{
unsigned long nr_pages;
nr_pages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT;
+ if (nr_pages == 0)
+ return 0;
+
return roundup_pow_of_two(nr_pages) << PAGE_SHIFT;
}
@@ -1039,6 +1042,8 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg)
long ret = 0;
size = round_pipe_size(arg);
+ if (size == 0)
+ return -EINVAL;
nr_pages = size >> PAGE_SHIFT;
if (!nr_pages)
@@ -1122,13 +1127,22 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg)
int pipe_proc_fn(struct ctl_table *table, int write, void __user *buf,
size_t *lenp, loff_t *ppos)
{
+ unsigned int orig_pipe_max_size;
+ unsigned int rounded_pipe_max_size;
int ret;
+ orig_pipe_max_size = pipe_max_size;
ret = proc_dointvec_minmax(table, write, buf, lenp, ppos);
if (ret < 0 || !write)
return ret;
- pipe_max_size = round_pipe_size(pipe_max_size);
+ rounded_pipe_max_size = round_pipe_size(pipe_max_size);
+ if (rounded_pipe_max_size == 0) {
+ pipe_max_size = orig_pipe_max_size;
+ return -EINVAL;
+ }
+
+ pipe_max_size = rounded_pipe_max_size;
return ret;
}
--
1.8.3.1
pipe_max_size is defined as an unsigned int:
unsigned int pipe_max_size = 1048576;
but its procfs/sysctl representation is an integer:
static struct ctl_table fs_table[] = {
...
{
.procname = "pipe-max-size",
.data = &pipe_max_size,
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = &pipe_proc_fn,
.extra1 = &pipe_min_size,
},
...
that is signed:
int pipe_proc_fn(struct ctl_table *table, int write, void __user *buf,
size_t *lenp, loff_t *ppos)
{
...
ret = proc_dointvec_minmax(table, write, buf, lenp, ppos)
This leads to signed results via procfs for large values of
pipe_max_size:
% echo 2147483647 >/proc/sys/fs/pipe-max-size
% cat /proc/sys/fs/pipe-max-size
-2147483648
Use unsigned operations on this variable to avoid such negative values.
Reported-by: Mikulas Patocka <[email protected]>
Signed-off-by: Joe Lawrence <[email protected]>
---
fs/pipe.c | 2 +-
kernel/sysctl.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/pipe.c b/fs/pipe.c
index 33bb11b0d78e..3b10d39cc5d1 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -1147,7 +1147,7 @@ int pipe_proc_fn(struct ctl_table *table, int write, void __user *buf,
mutex_lock(&pipe_max_mutex);
orig_pipe_max_size = pipe_max_size;
- ret = proc_dointvec_minmax(table, write, buf, lenp, ppos);
+ ret = proc_douintvec_minmax(table, write, buf, lenp, ppos);
if (ret < 0 || !write) {
mutex_unlock(&pipe_max_mutex);
return ret;
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 6648fbbb8157..c976719bf37a 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -1825,7 +1825,7 @@ static int sysrq_sysctl_handler(struct ctl_table *table, int write,
{
.procname = "pipe-max-size",
.data = &pipe_max_size,
- .maxlen = sizeof(int),
+ .maxlen = sizeof(pipe_max_size),
.mode = 0644,
.proc_handler = &pipe_proc_fn,
.extra1 = &pipe_min_size,
--
1.8.3.1
Hello Joe,
On 5 September 2017 at 16:44, Joe Lawrence <[email protected]> wrote:
> While backporting Michael's "pipe: fix limit handling" [1] patchset to a
> distro-kernel, Mikulas noticed that current upstream pipe limit handling
> contains a few problems:
>
> 1 - round_pipe_size() nr_pages overflow on 32bit: this would
> subsequently try roundup_pow_of_two(0), which is undefined.
>
> 2 - visible non-rounded pipe-max-size value: there is no mutual
> exclusion or protection between the time pipe_max_size is assigned
> a raw value from proc_dointvec_minmax() and when it is rounded.
>
> 3 - procfs signed wrap: echo'ing a large number into
> /proc/sys/fs/pipe-max-size and then cat'ing it back out shows a
> negative value.
>
>
> This RFC serves as a bug report and a contains a few possible fixes.
> There may be better / more consistent ways to fix the overflows and
> procfs bugs, but I figured I'd throw an RFC w/code out there for initial
> conversation. Suggestions welcome!
Thank for working on this. I have no improvements to suggest. The
patches all look sane to me. For the whole series:
Reviewed-by: MIchael Kerrisk <[email protected]>
Cheers,
Michael
> Testing
> =======
>
> Patch 1 - 32bit overflow
> ------------------------
> From userspace:
>
> fcntl(fd, F_SETPIPE_SZ, 0xffffffff);
>
> - Before the fix, return value was 4096 as pipe size overflowed and
> was set to 4096
>
> - After the fix, returns -1 and sets errno EINVAL, pipe size remains
> untouched
>
>
> Patch 2 - non-rounded pipe-max-size value
> -----------------------------------------
> Keep plugging in values that need to be rounded:
>
> while (true); do echo 1048570 > /proc/sys/fs/pipe-max-size; done
>
> and in another terminal, loop around reading the value:
>
> time (while (true); do SIZE=$(cat /proc/sys/fs/pipe-max-size); [[ $(( $SIZE % 4096 )) -ne 0 ]] && break; done; echo "$SIZE")
> 1048570
>
> real 0m46.213s
> user 0m29.688s
> sys 0m20.042s
>
> after the fix, the test loop never encountered a non-page-rounded value.
>
>
> Patch 3 - procfs signed wrap
> ----------------------------
> Before:
>
> % echo 2147483647 >/proc/sys/fs/pipe-max-size
> % cat /proc/sys/fs/pipe-max-size
> -2147483648
>
> After:
>
> % echo 2147483647 >/proc/sys/fs/pipe-max-size
> % cat /proc/sys/fs/pipe-max-size
> 2147483648
>
>
> Joe Lawrence (3):
> pipe: avoid round_pipe_size() nr_pages overflow on 32-bit
> pipe: protect pipe_max_size access with a mutex
> pipe: match pipe_max_size data type with procfs
>
> fs/pipe.c | 48 +++++++++++++++++++++++++++++++++++++++++-------
> kernel/sysctl.c | 2 +-
> 2 files changed, 42 insertions(+), 8 deletions(-)
>
> --
> 1.8.3.1
>
--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Linux/UNIX System Programming Training: http://man7.org/training/
On 09/14/17 06:26, Michael Kerrisk (man-pages) wrote:
> Hello Joe,
>
> On 5 September 2017 at 16:44, Joe Lawrence <[email protected]> wrote:
>> While backporting Michael's "pipe: fix limit handling" [1] patchset to a
>> distro-kernel, Mikulas noticed that current upstream pipe limit handling
>> contains a few problems:
>>
>> 1 - round_pipe_size() nr_pages overflow on 32bit: this would
>> subsequently try roundup_pow_of_two(0), which is undefined.
Hi,
Sorry I missed the initial posting of this.
The man page for F_SETPIPE_SZ (http://man7.org/linux/man-pages/man2/fcntl.2.html)
says:
"Attempts to set the pipe capacity below the page size are
silently rounded up to the page size."
That implies to me that setting pipe size to 0 would round up to PAGE_SIZE.
Doesn't patch 1/3 change that to return -EINVAL?
Otherwise all 3 patches look good to me.
thanks,
--
~Randy
On 09/14/2017 12:57 PM, Randy Dunlap wrote:
> On 09/14/17 06:26, Michael Kerrisk (man-pages) wrote:
>> Hello Joe,
>>
>> On 5 September 2017 at 16:44, Joe Lawrence <[email protected]> wrote:
>>> While backporting Michael's "pipe: fix limit handling" [1] patchset to a
>>> distro-kernel, Mikulas noticed that current upstream pipe limit handling
>>> contains a few problems:
>>>
>>> 1 - round_pipe_size() nr_pages overflow on 32bit: this would
>>> subsequently try roundup_pow_of_two(0), which is undefined.
>
> Hi,
> Sorry I missed the initial posting of this.
>
> The man page for F_SETPIPE_SZ (http://man7.org/linux/man-pages/man2/fcntl.2.html)
> says:
> "Attempts to set the pipe capacity below the page size are
> silently rounded up to the page size."
>
> That implies to me that setting pipe size to 0 would round up to PAGE_SIZE.
> Doesn't patch 1/3 change that to return -EINVAL?
Good catch. How about something like this:
/*
* Minimum pipe size, as required by POSIX
*/
unsigned int pipe_min_size = PAGE_SIZE;
...
static inline unsigned int round_pipe_size(unsigned int size)
{
unsigned long nr_pages;
+ if (size < pipe_min_size)
+ size = pipe_min_size;
+
nr_pages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT;
if (nr_pages == 0)
return 0;
>
> Otherwise all 3 patches look good to me.
If the above is good, I can fold this into patch 1 and respin the set.
Thanks,
-- Joe
On 09/14/17 12:19, Joe Lawrence wrote:
> On 09/14/2017 12:57 PM, Randy Dunlap wrote:
>> On 09/14/17 06:26, Michael Kerrisk (man-pages) wrote:
>>> Hello Joe,
>>>
>>> On 5 September 2017 at 16:44, Joe Lawrence <[email protected]> wrote:
>>>> While backporting Michael's "pipe: fix limit handling" [1] patchset to a
>>>> distro-kernel, Mikulas noticed that current upstream pipe limit handling
>>>> contains a few problems:
>>>>
>>>> 1 - round_pipe_size() nr_pages overflow on 32bit: this would
>>>> subsequently try roundup_pow_of_two(0), which is undefined.
>>
>> Hi,
>> Sorry I missed the initial posting of this.
>>
>> The man page for F_SETPIPE_SZ (http://man7.org/linux/man-pages/man2/fcntl.2.html)
>> says:
>> "Attempts to set the pipe capacity below the page size are
>> silently rounded up to the page size."
>>
>> That implies to me that setting pipe size to 0 would round up to PAGE_SIZE.
>> Doesn't patch 1/3 change that to return -EINVAL?
>
> Good catch. How about something like this:
>
> /*
> * Minimum pipe size, as required by POSIX
> */
> unsigned int pipe_min_size = PAGE_SIZE;
>
> ...
>
> static inline unsigned int round_pipe_size(unsigned int size)
> {
> unsigned long nr_pages;
>
> + if (size < pipe_min_size)
> + size = pipe_min_size;
> +
> nr_pages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT;
> if (nr_pages == 0)
> return 0;
>
>>
>> Otherwise all 3 patches look good to me.
>
> If the above is good, I can fold this into patch 1 and respin the set.
Yes, looks good to me. Thanks.
--
~Randy
I think this mutex is too heavy - if multiple processes simultaneously
create a pipe, the mutex would cause performance degradation.
You can call do_proc_dointvec with a custom callback "conv" function that
does the rounding of the pipe size value.
Mikulas
On Tue, 5 Sep 2017, Joe Lawrence wrote:
> pipe_max_size is assigned directly via procfs sysctl:
>
> static struct ctl_table fs_table[] = {
> ...
> {
> .procname = "pipe-max-size",
> .data = &pipe_max_size,
> .maxlen = sizeof(int),
> .mode = 0644,
> .proc_handler = &pipe_proc_fn,
> .extra1 = &pipe_min_size,
> },
> ...
>
> int pipe_proc_fn(struct ctl_table *table, int write, void __user *buf,
> size_t *lenp, loff_t *ppos)
> {
> ...
> ret = proc_dointvec_minmax(table, write, buf, lenp, ppos)
> ...
>
> and then later rounded in-place a few statements later:
>
> ...
> pipe_max_size = round_pipe_size(pipe_max_size);
> ...
>
> This leaves a window of time between initial assignment and rounding
> that may be visible to other threads. (For example, one thread sets a
> non-rounded value to pipe_max_size while another reads its value.)
>
> Similar reads of pipe_max_size are potentially racey:
>
> pipe.c :: alloc_pipe_info()
> pipe.c :: pipe_set_size()
>
> Protect them and the procfs sysctl assignment with a mutex.
>
> Reported-by: Mikulas Patocka <[email protected]>
> Signed-off-by: Joe Lawrence <[email protected]>
> ---
> fs/pipe.c | 28 ++++++++++++++++++++++++----
> 1 file changed, 24 insertions(+), 4 deletions(-)
>
> diff --git a/fs/pipe.c b/fs/pipe.c
> index fa28910b3c59..33bb11b0d78e 100644
> --- a/fs/pipe.c
> +++ b/fs/pipe.c
> @@ -35,6 +35,11 @@
> unsigned int pipe_max_size = 1048576;
>
> /*
> + * Provide mutual exclusion around access to pipe_max_size
> + */
> +static DEFINE_MUTEX(pipe_max_mutex);
> +
> +/*
> * Minimum pipe size, as required by POSIX
> */
> unsigned int pipe_min_size = PAGE_SIZE;
> @@ -623,13 +628,18 @@ struct pipe_inode_info *alloc_pipe_info(void)
> unsigned long pipe_bufs = PIPE_DEF_BUFFERS;
> struct user_struct *user = get_current_user();
> unsigned long user_bufs;
> + unsigned int max_size;
>
> pipe = kzalloc(sizeof(struct pipe_inode_info), GFP_KERNEL_ACCOUNT);
> if (pipe == NULL)
> goto out_free_uid;
>
> - if (pipe_bufs * PAGE_SIZE > pipe_max_size && !capable(CAP_SYS_RESOURCE))
> - pipe_bufs = pipe_max_size >> PAGE_SHIFT;
> + mutex_lock(&pipe_max_mutex);
> + max_size = pipe_max_size;
> + mutex_unlock(&pipe_max_mutex);
> +
> + if (pipe_bufs * PAGE_SIZE > max_size && !capable(CAP_SYS_RESOURCE))
> + pipe_bufs = max_size >> PAGE_SHIFT;
>
> user_bufs = account_pipe_buffers(user, 0, pipe_bufs);
>
> @@ -1039,6 +1049,7 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg)
> struct pipe_buffer *bufs;
> unsigned int size, nr_pages;
> unsigned long user_bufs;
> + unsigned int max_size;
> long ret = 0;
>
> size = round_pipe_size(arg);
> @@ -1056,8 +1067,11 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg)
> * Decreasing the pipe capacity is always permitted, even
> * if the user is currently over a limit.
> */
> + mutex_lock(&pipe_max_mutex);
> + max_size = pipe_max_size;
> + mutex_unlock(&pipe_max_mutex);
> if (nr_pages > pipe->buffers &&
> - size > pipe_max_size && !capable(CAP_SYS_RESOURCE))
> + size > max_size && !capable(CAP_SYS_RESOURCE))
> return -EPERM;
>
> user_bufs = account_pipe_buffers(pipe->user, pipe->buffers, nr_pages);
> @@ -1131,18 +1145,24 @@ int pipe_proc_fn(struct ctl_table *table, int write, void __user *buf,
> unsigned int rounded_pipe_max_size;
> int ret;
>
> + mutex_lock(&pipe_max_mutex);
> orig_pipe_max_size = pipe_max_size;
> ret = proc_dointvec_minmax(table, write, buf, lenp, ppos);
> - if (ret < 0 || !write)
> + if (ret < 0 || !write) {
> + mutex_unlock(&pipe_max_mutex);
> return ret;
> + }
>
> rounded_pipe_max_size = round_pipe_size(pipe_max_size);
> if (rounded_pipe_max_size == 0) {
> pipe_max_size = orig_pipe_max_size;
> + mutex_unlock(&pipe_max_mutex);
> return -EINVAL;
> }
>
> pipe_max_size = rounded_pipe_max_size;
> + mutex_unlock(&pipe_max_mutex);
> +
> return ret;
> }
>
> --
> 1.8.3.1
>
On 09/14/2017 07:09 PM, Mikulas Patocka wrote:
> On Tue, 5 Sep 2017, Joe Lawrence wrote:
>> pipe_max_size is assigned directly via procfs sysctl:
>>
>> static struct ctl_table fs_table[] = {
>> ...
>> {
>> .procname = "pipe-max-size",
>> .data = &pipe_max_size,
>> .maxlen = sizeof(int),
>> .mode = 0644,
>> .proc_handler = &pipe_proc_fn,
>> .extra1 = &pipe_min_size,
>> },
>> ...
>>
>> int pipe_proc_fn(struct ctl_table *table, int write, void __user *buf,
>> size_t *lenp, loff_t *ppos)
>> {
>> ...
>> ret = proc_dointvec_minmax(table, write, buf, lenp, ppos)
>> ...
>>
>> and then later rounded in-place a few statements later:
>>
>> ...
>> pipe_max_size = round_pipe_size(pipe_max_size);
>> ...
>>
>> This leaves a window of time between initial assignment and rounding
>> that may be visible to other threads. (For example, one thread sets a
>> non-rounded value to pipe_max_size while another reads its value.)
>>
>> Similar reads of pipe_max_size are potentially racey:
>>
>> pipe.c :: alloc_pipe_info()
>> pipe.c :: pipe_set_size()
>>
>> Protect them and the procfs sysctl assignment with a mutex.
>>
>> Reported-by: Mikulas Patocka <[email protected]>
>> Signed-off-by: Joe Lawrence <[email protected]>
>> ---
>> fs/pipe.c | 28 ++++++++++++++++++++++++----
>> 1 file changed, 24 insertions(+), 4 deletions(-)
>>
>> diff --git a/fs/pipe.c b/fs/pipe.c
>> index fa28910b3c59..33bb11b0d78e 100644
>> --- a/fs/pipe.c
>> +++ b/fs/pipe.c
>> @@ -35,6 +35,11 @@
>> unsigned int pipe_max_size = 1048576;
>>
>> /*
>> + * Provide mutual exclusion around access to pipe_max_size
>> + */
>> +static DEFINE_MUTEX(pipe_max_mutex);
>> +
>> +/*
>> * Minimum pipe size, as required by POSIX
>> */
>> unsigned int pipe_min_size = PAGE_SIZE;
>> @@ -623,13 +628,18 @@ struct pipe_inode_info *alloc_pipe_info(void)
>> unsigned long pipe_bufs = PIPE_DEF_BUFFERS;
>> struct user_struct *user = get_current_user();
>> unsigned long user_bufs;
>> + unsigned int max_size;
>>
>> pipe = kzalloc(sizeof(struct pipe_inode_info), GFP_KERNEL_ACCOUNT);
>> if (pipe == NULL)
>> goto out_free_uid;
>>
>> - if (pipe_bufs * PAGE_SIZE > pipe_max_size && !capable(CAP_SYS_RESOURCE))
>> - pipe_bufs = pipe_max_size >> PAGE_SHIFT;
>> + mutex_lock(&pipe_max_mutex);
>> + max_size = pipe_max_size;
>> + mutex_unlock(&pipe_max_mutex);
>> +
>> + if (pipe_bufs * PAGE_SIZE > max_size && !capable(CAP_SYS_RESOURCE))
>> + pipe_bufs = max_size >> PAGE_SHIFT;
>>
>> user_bufs = account_pipe_buffers(user, 0, pipe_bufs);
>>
>> @@ -1039,6 +1049,7 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg)
>> struct pipe_buffer *bufs;
>> unsigned int size, nr_pages;
>> unsigned long user_bufs;
>> + unsigned int max_size;
>> long ret = 0;
>>
>> size = round_pipe_size(arg);
>> @@ -1056,8 +1067,11 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg)
>> * Decreasing the pipe capacity is always permitted, even
>> * if the user is currently over a limit.
>> */
>> + mutex_lock(&pipe_max_mutex);
>> + max_size = pipe_max_size;
>> + mutex_unlock(&pipe_max_mutex);
>> if (nr_pages > pipe->buffers &&
>> - size > pipe_max_size && !capable(CAP_SYS_RESOURCE))
>> + size > max_size && !capable(CAP_SYS_RESOURCE))
>> return -EPERM;
>>
>> user_bufs = account_pipe_buffers(pipe->user, pipe->buffers, nr_pages);
>> @@ -1131,18 +1145,24 @@ int pipe_proc_fn(struct ctl_table *table, int write, void __user *buf,
>> unsigned int rounded_pipe_max_size;
>> int ret;
>>
>> + mutex_lock(&pipe_max_mutex);
>> orig_pipe_max_size = pipe_max_size;
>> ret = proc_dointvec_minmax(table, write, buf, lenp, ppos);
>> - if (ret < 0 || !write)
>> + if (ret < 0 || !write) {
>> + mutex_unlock(&pipe_max_mutex);
>> return ret;
>> + }
>>
>> rounded_pipe_max_size = round_pipe_size(pipe_max_size);
>> if (rounded_pipe_max_size == 0) {
>> pipe_max_size = orig_pipe_max_size;
>> + mutex_unlock(&pipe_max_mutex);
>> return -EINVAL;
>> }
>>
>> pipe_max_size = rounded_pipe_max_size;
>> + mutex_unlock(&pipe_max_mutex);
>> +
>> return ret;
>> }
>>
>> --
>> 1.8.3.1
>>
> I think this mutex is too heavy - if multiple processes simultaneously
> create a pipe, the mutex would cause performance degradation.
>
> You can call do_proc_dointvec with a custom callback "conv" function that
> does the rounding of the pipe size value.
>
> Mikulas
>
Hi Mikulas,
I'm not strong when it comes to memory barriers, but one of the
side-effects of using the mutex is that pipe_set_size() and
alloc_pipe_info() should have a consistent view of pipe_max_size.
If I remove the mutex (and assume that I implement a custom
do_proc_dointvec "conv" callback), is it safe for these routines to
directly use pipe_max_size as they had done before?
If not, is it safe to alias through a temporary stack variable (ie,
could the compiler re-read pipe_max_size multiple times in the function)?
Would READ_ONCE() help in any way?
The mutex covered up some confusion on my part here.
OTOH, since pipe_max_size is read-only for pipe_set_size() and
alloc_pipe_info() and only updated occasionally by pipe_proc_fn(), would
rw_semaphore or RCU be a fit here?
Regards,
-- Joe
On Fri, 15 Sep 2017, Joe Lawrence wrote:
> On 09/14/2017 07:09 PM, Mikulas Patocka wrote:
> > On Tue, 5 Sep 2017, Joe Lawrence wrote:
> >> pipe_max_size is assigned directly via procfs sysctl:
> >>
> >> static struct ctl_table fs_table[] = {
> >> ...
> >> {
> >> .procname = "pipe-max-size",
> >> .data = &pipe_max_size,
> >> .maxlen = sizeof(int),
> >> .mode = 0644,
> >> .proc_handler = &pipe_proc_fn,
> >> .extra1 = &pipe_min_size,
> >> },
> >> ...
> >>
> >> int pipe_proc_fn(struct ctl_table *table, int write, void __user *buf,
> >> size_t *lenp, loff_t *ppos)
> >> {
> >> ...
> >> ret = proc_dointvec_minmax(table, write, buf, lenp, ppos)
> >> ...
> >>
> >> and then later rounded in-place a few statements later:
> >>
> >> ...
> >> pipe_max_size = round_pipe_size(pipe_max_size);
> >> ...
> >>
> >> This leaves a window of time between initial assignment and rounding
> >> that may be visible to other threads. (For example, one thread sets a
> >> non-rounded value to pipe_max_size while another reads its value.)
> >>
> >> Similar reads of pipe_max_size are potentially racey:
> >>
> >> pipe.c :: alloc_pipe_info()
> >> pipe.c :: pipe_set_size()
> >>
> >> Protect them and the procfs sysctl assignment with a mutex.
> >>
> >> Reported-by: Mikulas Patocka <[email protected]>
> >> Signed-off-by: Joe Lawrence <[email protected]>
> >> ---
> >> fs/pipe.c | 28 ++++++++++++++++++++++++----
> >> 1 file changed, 24 insertions(+), 4 deletions(-)
> >>
> >> diff --git a/fs/pipe.c b/fs/pipe.c
> >> index fa28910b3c59..33bb11b0d78e 100644
> >> --- a/fs/pipe.c
> >> +++ b/fs/pipe.c
> >> @@ -35,6 +35,11 @@
> >> unsigned int pipe_max_size = 1048576;
> >>
> >> /*
> >> + * Provide mutual exclusion around access to pipe_max_size
> >> + */
> >> +static DEFINE_MUTEX(pipe_max_mutex);
> >> +
> >> +/*
> >> * Minimum pipe size, as required by POSIX
> >> */
> >> unsigned int pipe_min_size = PAGE_SIZE;
> >> @@ -623,13 +628,18 @@ struct pipe_inode_info *alloc_pipe_info(void)
> >> unsigned long pipe_bufs = PIPE_DEF_BUFFERS;
> >> struct user_struct *user = get_current_user();
> >> unsigned long user_bufs;
> >> + unsigned int max_size;
> >>
> >> pipe = kzalloc(sizeof(struct pipe_inode_info), GFP_KERNEL_ACCOUNT);
> >> if (pipe == NULL)
> >> goto out_free_uid;
> >>
> >> - if (pipe_bufs * PAGE_SIZE > pipe_max_size && !capable(CAP_SYS_RESOURCE))
> >> - pipe_bufs = pipe_max_size >> PAGE_SHIFT;
> >> + mutex_lock(&pipe_max_mutex);
> >> + max_size = pipe_max_size;
> >> + mutex_unlock(&pipe_max_mutex);
> >> +
> >> + if (pipe_bufs * PAGE_SIZE > max_size && !capable(CAP_SYS_RESOURCE))
> >> + pipe_bufs = max_size >> PAGE_SHIFT;
> >>
> >> user_bufs = account_pipe_buffers(user, 0, pipe_bufs);
> >>
> >> @@ -1039,6 +1049,7 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg)
> >> struct pipe_buffer *bufs;
> >> unsigned int size, nr_pages;
> >> unsigned long user_bufs;
> >> + unsigned int max_size;
> >> long ret = 0;
> >>
> >> size = round_pipe_size(arg);
> >> @@ -1056,8 +1067,11 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg)
> >> * Decreasing the pipe capacity is always permitted, even
> >> * if the user is currently over a limit.
> >> */
> >> + mutex_lock(&pipe_max_mutex);
> >> + max_size = pipe_max_size;
> >> + mutex_unlock(&pipe_max_mutex);
> >> if (nr_pages > pipe->buffers &&
> >> - size > pipe_max_size && !capable(CAP_SYS_RESOURCE))
> >> + size > max_size && !capable(CAP_SYS_RESOURCE))
> >> return -EPERM;
> >>
> >> user_bufs = account_pipe_buffers(pipe->user, pipe->buffers, nr_pages);
> >> @@ -1131,18 +1145,24 @@ int pipe_proc_fn(struct ctl_table *table, int write, void __user *buf,
> >> unsigned int rounded_pipe_max_size;
> >> int ret;
> >>
> >> + mutex_lock(&pipe_max_mutex);
> >> orig_pipe_max_size = pipe_max_size;
> >> ret = proc_dointvec_minmax(table, write, buf, lenp, ppos);
> >> - if (ret < 0 || !write)
> >> + if (ret < 0 || !write) {
> >> + mutex_unlock(&pipe_max_mutex);
> >> return ret;
> >> + }
> >>
> >> rounded_pipe_max_size = round_pipe_size(pipe_max_size);
> >> if (rounded_pipe_max_size == 0) {
> >> pipe_max_size = orig_pipe_max_size;
> >> + mutex_unlock(&pipe_max_mutex);
> >> return -EINVAL;
> >> }
> >>
> >> pipe_max_size = rounded_pipe_max_size;
> >> + mutex_unlock(&pipe_max_mutex);
> >> +
> >> return ret;
> >> }
> >>
> >> --
> >> 1.8.3.1
> >>
> > I think this mutex is too heavy - if multiple processes simultaneously
> > create a pipe, the mutex would cause performance degradation.
> >
> > You can call do_proc_dointvec with a custom callback "conv" function that
> > does the rounding of the pipe size value.
> >
> > Mikulas
> >
>
> Hi Mikulas,
>
> I'm not strong when it comes to memory barriers, but one of the
> side-effects of using the mutex is that pipe_set_size() and
> alloc_pipe_info() should have a consistent view of pipe_max_size.
>
> If I remove the mutex (and assume that I implement a custom
> do_proc_dointvec "conv" callback), is it safe for these routines to
> directly use pipe_max_size as they had done before?
>
> If not, is it safe to alias through a temporary stack variable (ie,
> could the compiler re-read pipe_max_size multiple times in the function)?
>
> Would READ_ONCE() help in any way?
Theoretically re-reading the variable is possible and you should use
ACCESS_ONCE or READ_ONCE+WRITE_ONCE on that variable.
In practice, ACCESS_ONCE/READ_ONCE/WRITE_ONCE is missing at a lot of
kernel variables that could be modified asynchronously and no one is
complaining about it and no one is making any systematic effort to fix it.
That re-reading happens (I have some test code that makes the gcc
optimizer re-read a variable), but it happens very rarely.
Another theoretical problem is that when reading or writing a variable
without ACCESS_ONCE, the compiler could read and write the variable using
multiple smaller memory accesses. But in practice, it happens only on some
non-common architectures.
> The mutex covered up some confusion on my part here.
>
> OTOH, since pipe_max_size is read-only for pipe_set_size() and
> alloc_pipe_info() and only updated occasionally by pipe_proc_fn(), would
> rw_semaphore or RCU be a fit here?
RW semaphore causes cache-line ping-pong between CPUs, it slows down the
kernel just like a normal spinlock or mutex.
RCU would be useless here (i.e. you don't want to allocate memory and
atomically assign it with rcu_assign_pointer).
> Regards,
>
> -- Joe
Mikulas
On 09/19/2017 03:53 AM, Mikulas Patocka wrote:
> On Fri, 15 Sep 2017, Joe Lawrence wrote:
> [ ... snip ... ]
>> Hi Mikulas,
>>
>> I'm not strong when it comes to memory barriers, but one of the
>> side-effects of using the mutex is that pipe_set_size() and
>> alloc_pipe_info() should have a consistent view of pipe_max_size.
>>
>> If I remove the mutex (and assume that I implement a custom
>> do_proc_dointvec "conv" callback), is it safe for these routines to
>> directly use pipe_max_size as they had done before?
>>
>> If not, is it safe to alias through a temporary stack variable (ie,
>> could the compiler re-read pipe_max_size multiple times in the function)?
>>
>> Would READ_ONCE() help in any way?
>
> Theoretically re-reading the variable is possible and you should use
> ACCESS_ONCE or READ_ONCE+WRITE_ONCE on that variable.
>
> In practice, ACCESS_ONCE/READ_ONCE/WRITE_ONCE is missing at a lot of
> kernel variables that could be modified asynchronously and no one is
> complaining about it and no one is making any systematic effort to fix it.
>
> That re-reading happens (I have some test code that makes the gcc
> optimizer re-read a variable), but it happens very rarely.
This would be interesting to look at if you are willing to share (can
send offlist).
> Another theoretical problem is that when reading or writing a variable
> without ACCESS_ONCE, the compiler could read and write the variable using
> multiple smaller memory accesses. But in practice, it happens only on some
> non-common architectures.
Smaller access than word size?
>> The mutex covered up some confusion on my part here.
>>
>> OTOH, since pipe_max_size is read-only for pipe_set_size() and
>> alloc_pipe_info() and only updated occasionally by pipe_proc_fn(), would
>> rw_semaphore or RCU be a fit here?
>
> RW semaphore causes cache-line ping-pong between CPUs, it slows down the
> kernel just like a normal spinlock or mutex.
Ah right.
> RCU would be useless here (i.e. you don't want to allocate memory and
> atomically assign it with rcu_assign_pointer).
And good point here.
Thanks for the explanations, they confirm and expand what I as already
thinking in this space.
--- Joe
On 09/14/2017 07:09 PM, Mikulas Patocka wrote:
> On Tue, 5 Sep 2017, Joe Lawrence wrote:
>
>> pipe_max_size is assigned directly via procfs sysctl:
>>
>> static struct ctl_table fs_table[] = {
>> ...
>> {
>> .procname = "pipe-max-size",
>> .data = &pipe_max_size,
>> .maxlen = sizeof(int),
>> .mode = 0644,
>> .proc_handler = &pipe_proc_fn,
>> .extra1 = &pipe_min_size,
>> },
>> ...
>>
>> int pipe_proc_fn(struct ctl_table *table, int write, void __user *buf,
>> size_t *lenp, loff_t *ppos)
>> {
>> ...
>> ret = proc_dointvec_minmax(table, write, buf, lenp, ppos)
>> ...
>>
>> and then later rounded in-place a few statements later:
>>
>> ...
>> pipe_max_size = round_pipe_size(pipe_max_size);
>> ...
>>
>> This leaves a window of time between initial assignment and rounding
>> that may be visible to other threads. (For example, one thread sets a
>> non-rounded value to pipe_max_size while another reads its value.)
>>
>> Similar reads of pipe_max_size are potentially racey:
>>
>> pipe.c :: alloc_pipe_info()
>> pipe.c :: pipe_set_size()
>>
>> Protect them and the procfs sysctl assignment with a mutex.
>>
>> Reported-by: Mikulas Patocka <[email protected]>
>> Signed-off-by: Joe Lawrence <[email protected]>
>> ---
>> fs/pipe.c | 28 ++++++++++++++++++++++++----
>> 1 file changed, 24 insertions(+), 4 deletions(-)
>>
>> diff --git a/fs/pipe.c b/fs/pipe.c
>> index fa28910b3c59..33bb11b0d78e 100644
>> --- a/fs/pipe.c
>> +++ b/fs/pipe.c
>> @@ -35,6 +35,11 @@
>> unsigned int pipe_max_size = 1048576;
>>
>> /*
>> + * Provide mutual exclusion around access to pipe_max_size
>> + */
>> +static DEFINE_MUTEX(pipe_max_mutex);
>> +
>> +/*
>> * Minimum pipe size, as required by POSIX
>> */
>> unsigned int pipe_min_size = PAGE_SIZE;
>> @@ -623,13 +628,18 @@ struct pipe_inode_info *alloc_pipe_info(void)
>> unsigned long pipe_bufs = PIPE_DEF_BUFFERS;
>> struct user_struct *user = get_current_user();
>> unsigned long user_bufs;
>> + unsigned int max_size;
>>
>> pipe = kzalloc(sizeof(struct pipe_inode_info), GFP_KERNEL_ACCOUNT);
>> if (pipe == NULL)
>> goto out_free_uid;
>>
>> - if (pipe_bufs * PAGE_SIZE > pipe_max_size && !capable(CAP_SYS_RESOURCE))
>> - pipe_bufs = pipe_max_size >> PAGE_SHIFT;
>> + mutex_lock(&pipe_max_mutex);
>> + max_size = pipe_max_size;
>> + mutex_unlock(&pipe_max_mutex);
>> +
>> + if (pipe_bufs * PAGE_SIZE > max_size && !capable(CAP_SYS_RESOURCE))
>> + pipe_bufs = max_size >> PAGE_SHIFT;
>>
>> user_bufs = account_pipe_buffers(user, 0, pipe_bufs);
>>
>> @@ -1039,6 +1049,7 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg)
>> struct pipe_buffer *bufs;
>> unsigned int size, nr_pages;
>> unsigned long user_bufs;
>> + unsigned int max_size;
>> long ret = 0;
>>
>> size = round_pipe_size(arg);
>> @@ -1056,8 +1067,11 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg)
>> * Decreasing the pipe capacity is always permitted, even
>> * if the user is currently over a limit.
>> */
>> + mutex_lock(&pipe_max_mutex);
>> + max_size = pipe_max_size;
>> + mutex_unlock(&pipe_max_mutex);
>> if (nr_pages > pipe->buffers &&
>> - size > pipe_max_size && !capable(CAP_SYS_RESOURCE))
>> + size > max_size && !capable(CAP_SYS_RESOURCE))
>> return -EPERM;
>>
>> user_bufs = account_pipe_buffers(pipe->user, pipe->buffers, nr_pages);
>> @@ -1131,18 +1145,24 @@ int pipe_proc_fn(struct ctl_table *table, int write, void __user *buf,
>> unsigned int rounded_pipe_max_size;
>> int ret;
>>
>> + mutex_lock(&pipe_max_mutex);
>> orig_pipe_max_size = pipe_max_size;
>> ret = proc_dointvec_minmax(table, write, buf, lenp, ppos);
>> - if (ret < 0 || !write)
>> + if (ret < 0 || !write) {
>> + mutex_unlock(&pipe_max_mutex);
>> return ret;
>> + }
>>
>> rounded_pipe_max_size = round_pipe_size(pipe_max_size);
>> if (rounded_pipe_max_size == 0) {
>> pipe_max_size = orig_pipe_max_size;
>> + mutex_unlock(&pipe_max_mutex);
>> return -EINVAL;
>> }
>>
>> pipe_max_size = rounded_pipe_max_size;
>> + mutex_unlock(&pipe_max_mutex);
>> +
>> return ret;
>> }
>>
>> --
>> 1.8.3.1
>>
> I think this mutex is too heavy - if multiple processes simultaneously
> create a pipe, the mutex would cause performance degradation.
>
> You can call do_proc_dointvec with a custom callback "conv" function
> that does the rounding of the pipe size value.
Okay, that would consolidate the fiddling with pipe_max_size into a
single place / assignment.
Implementation wise, are you suggesting something like the following
(work in progress). round_pipe_size() would still be used by
fs/pipe.c::pipe_set_size() so it would need to be visible to both source
files. The proc_do... function would be pipe-max-size specific as it's
basically:
- proc_douintvec_minmax, but
- without the "max" check
- with an added PAGE_SIZE floor
- PAGE_SIZE increment
and exported for pipe.c to call.
Plumbing in the opposite direction (export do_proc_douintvec() and stick
the new conv implementation in fs/pipe.c) might be a little easier, but
seems like the same ick-factor in the end.
Regards,
-- Joe
-->8-- -->8-- -->8-- -->8--
diff --git a/fs/pipe.c b/fs/pipe.c
index 8cbc97d97753..4db3cd2d139c 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -1019,7 +1019,7 @@ static int fifo_open(struct inode *inode, struct
file *filp)
* Currently we rely on the pipe array holding a power-of-2 number
* of pages. Returns 0 on error.
*/
-static inline unsigned int round_pipe_size(unsigned int size)
+unsigned int round_pipe_size(unsigned int size)
{
unsigned long nr_pages;
@@ -1130,19 +1130,7 @@ static long pipe_set_size(struct pipe_inode_info
*pipe, unsigned long arg)
int pipe_proc_fn(struct ctl_table *table, int write, void __user *buf,
size_t *lenp, loff_t *ppos)
{
- unsigned int rounded_pipe_max_size;
- int ret;
-
- ret = proc_douintvec_minmax(table, write, buf, lenp, ppos);
- if (ret < 0 || !write)
- return ret;
-
- rounded_pipe_max_size = round_pipe_size(pipe_max_size);
- if (rounded_pipe_max_size == 0)
- return -EINVAL;
-
- pipe_max_size = rounded_pipe_max_size;
- return ret;
+ return proc_dopipe_max_size(table, write, buf, lenp, ppos);
}
/*
diff --git a/include/linux/pipe_fs_i.h b/include/linux/pipe_fs_i.h
index e7497c9dde7f..485cf7a7aa8f 100644
--- a/include/linux/pipe_fs_i.h
+++ b/include/linux/pipe_fs_i.h
@@ -190,5 +190,6 @@ static inline int pipe_buf_steal(struct
pipe_inode_info *pipe,
struct pipe_inode_info *get_pipe_info(struct file *file);
int create_pipe_files(struct file **, int);
+unsigned int round_pipe_size(unsigned int size);
#endif
diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
index 1d4dba490fb6..ba24ca72800c 100644
--- a/include/linux/sysctl.h
+++ b/include/linux/sysctl.h
@@ -50,6 +50,9 @@ extern int proc_dointvec_minmax(struct ctl_table *, int,
extern int proc_douintvec_minmax(struct ctl_table *table, int write,
void __user *buffer, size_t *lenp,
loff_t *ppos);
+extern int proc_dopipe_max_size(struct ctl_table *table, int write,
+ void __user *buffer, size_t *lenp,
+ loff_t *ppos);
extern int proc_dointvec_jiffies(struct ctl_table *, int,
void __user *, size_t *, loff_t *);
extern int proc_dointvec_userhz_jiffies(struct ctl_table *, int,
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index c976719bf37a..7a2913c5546e 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -67,6 +67,7 @@
#include <linux/kexec.h>
#include <linux/bpf.h>
#include <linux/mount.h>
+#include <linux/pipe_fs_i.h>
#include <linux/uaccess.h>
#include <asm/processor.h>
@@ -2631,6 +2632,47 @@ int proc_douintvec_minmax(struct ctl_table
*table, int write,
do_proc_douintvec_minmax_conv, ¶m);
}
+struct do_proc_dopipe_max_size_conv_param {
+ unsigned int *min;
+};
+
+static int do_proc_dopipe_max_size_conv(unsigned long *lvalp,
+ unsigned int *valp,
+ int write, void *data)
+{
+ struct do_proc_dopipe_max_size_conv_param *param = data;
+
+ if (write) {
+ unsigned int val = round_pipe_size(*lvalp);
+
+ if (val == 0)
+ return -EINVAL;
+
+ if (param->min && *param->min > val)
+ return -ERANGE;
+
+ if (*lvalp > UINT_MAX)
+ return -EINVAL;
+
+ *valp = val;
+ } else {
+ unsigned int val = *valp;
+ *lvalp = (unsigned long) val;
+ }
+
+ return 0;
+}
+
+int proc_dopipe_max_size(struct ctl_table *table, int write,
+ void __user *buffer, size_t *lenp, loff_t *ppos)
+{
+ struct do_proc_dopipe_max_size_conv_param param = {
+ .min = (unsigned int *) table->extra1,
+ };
+ return do_proc_douintvec(table, write, buffer, lenp, ppos,
+ do_proc_dopipe_max_size_conv, ¶m);
+}
+
static void validate_coredump_safety(void)
{
#ifdef CONFIG_COREDUMP
@@ -3179,6 +3221,7 @@ int proc_doulongvec_ms_jiffies_minmax(struct
ctl_table *table, int write,
EXPORT_SYMBOL(proc_dointvec_jiffies);
EXPORT_SYMBOL(proc_dointvec_minmax);
EXPORT_SYMBOL_GPL(proc_douintvec_minmax);
+EXPORT_SYMBOL_GPL(proc_dopipe_max_size);
EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
EXPORT_SYMBOL(proc_dostring);
--
1.8.3.1
On Tue, 19 Sep 2017, Joe Lawrence wrote:
> On 09/19/2017 03:53 AM, Mikulas Patocka wrote:
> > On Fri, 15 Sep 2017, Joe Lawrence wrote:
> > [ ... snip ... ]
> >> Hi Mikulas,
> >>
> >> I'm not strong when it comes to memory barriers, but one of the
> >> side-effects of using the mutex is that pipe_set_size() and
> >> alloc_pipe_info() should have a consistent view of pipe_max_size.
> >>
> >> If I remove the mutex (and assume that I implement a custom
> >> do_proc_dointvec "conv" callback), is it safe for these routines to
> >> directly use pipe_max_size as they had done before?
> >>
> >> If not, is it safe to alias through a temporary stack variable (ie,
> >> could the compiler re-read pipe_max_size multiple times in the function)?
> >>
> >> Would READ_ONCE() help in any way?
> >
> > Theoretically re-reading the variable is possible and you should use
> > ACCESS_ONCE or READ_ONCE+WRITE_ONCE on that variable.
> >
> > In practice, ACCESS_ONCE/READ_ONCE/WRITE_ONCE is missing at a lot of
> > kernel variables that could be modified asynchronously and no one is
> > complaining about it and no one is making any systematic effort to fix it.
> >
> > That re-reading happens (I have some test code that makes the gcc
> > optimizer re-read a variable), but it happens very rarely.
>
> This would be interesting to look at if you are willing to share (can
> send offlist).
struct s {
unsigned a, b, c, d;
};
unsigned fn(struct s *s)
{
unsigned a = s->a;
s->b = a;
asm("nop":::"ebx","ecx","edx","esi","edi","ebp");
s->c = a;
return s->d;
}
This piece of code makes gcc read the variable s->a twice (although it is
read only once in the source code). Compile it with -m32 -O2. The result
is this:
00000000 <fn>:
0: 55 push %ebp
1: 57 push %edi
2: 56 push %esi
3: 53 push %ebx
4: 8b 44 24 14 mov 0x14(%esp),%eax
8: 8b 10 mov (%eax),%edx <--- 1st load of s->a
a: 89 50 04 mov %edx,0x4(%eax)
d: 90 nop
e: 8b 08 mov (%eax),%ecx <--- 2nd load of s->a
10: 89 48 08 mov %ecx,0x8(%eax)
13: 8b 40 0c mov 0xc(%eax),%eax
16: 5b pop %ebx
17: 5e pop %esi
18: 5f pop %edi
19: 5d pop %ebp
1a: c3 ret
> > Another theoretical problem is that when reading or writing a variable
> > without ACCESS_ONCE, the compiler could read and write the variable using
> > multiple smaller memory accesses. But in practice, it happens only on some
> > non-common architectures.
>
> Smaller access than word size?
Yes. The file Documentation/memory-barriers.txt says:
(*) For aligned memory locations whose size allows them to be accessed
with a single memory-reference instruction, prevents "load tearing"
and "store tearing," in which a single large access is replaced by
multiple smaller accesses. For example, given an architecture having
16-bit store instructions with 7-bit immediate fields, the compiler
might be tempted to use two 16-bit store-immediate instructions to
implement the following 32-bit store:
p = 0x00010002;
Please note that GCC really does use this sort of optimization,
which is not surprising given that it would likely take more
than two instructions to build the constant and then store it.
But it doesn't say on which architecture gcc does it.
Mikulas
On Tue, 19 Sep 2017, Joe Lawrence wrote:
> On 09/14/2017 07:09 PM, Mikulas Patocka wrote:
> >
> > I think this mutex is too heavy - if multiple processes simultaneously
> > create a pipe, the mutex would cause performance degradation.
> >
> > You can call do_proc_dointvec with a custom callback "conv" function
> > that does the rounding of the pipe size value.
>
> Okay, that would consolidate the fiddling with pipe_max_size into a
> single place / assignment.
>
> Implementation wise, are you suggesting something like the following
> (work in progress). round_pipe_size() would still be used by
> fs/pipe.c::pipe_set_size() so it would need to be visible to both source
> files. The proc_do... function would be pipe-max-size specific as it's
> basically:
>
> - proc_douintvec_minmax, but
> - without the "max" check
> - with an added PAGE_SIZE floor
> - PAGE_SIZE increment
>
> and exported for pipe.c to call.
>
> Plumbing in the opposite direction (export do_proc_douintvec() and stick
> the new conv implementation in fs/pipe.c) might be a little easier, but
> seems like the same ick-factor in the end.
>
> Regards,
>
> -- Joe
Yes. I think this is correct.
Reviewed-by: Mikulas Patocka <[email protected]>
> -->8-- -->8-- -->8-- -->8--
>
> diff --git a/fs/pipe.c b/fs/pipe.c
> index 8cbc97d97753..4db3cd2d139c 100644
> --- a/fs/pipe.c
> +++ b/fs/pipe.c
> @@ -1019,7 +1019,7 @@ static int fifo_open(struct inode *inode, struct
> file *filp)
> * Currently we rely on the pipe array holding a power-of-2 number
> * of pages. Returns 0 on error.
> */
> -static inline unsigned int round_pipe_size(unsigned int size)
> +unsigned int round_pipe_size(unsigned int size)
> {
> unsigned long nr_pages;
>
> @@ -1130,19 +1130,7 @@ static long pipe_set_size(struct pipe_inode_info
> *pipe, unsigned long arg)
> int pipe_proc_fn(struct ctl_table *table, int write, void __user *buf,
> size_t *lenp, loff_t *ppos)
> {
> - unsigned int rounded_pipe_max_size;
> - int ret;
> -
> - ret = proc_douintvec_minmax(table, write, buf, lenp, ppos);
> - if (ret < 0 || !write)
> - return ret;
> -
> - rounded_pipe_max_size = round_pipe_size(pipe_max_size);
> - if (rounded_pipe_max_size == 0)
> - return -EINVAL;
> -
> - pipe_max_size = rounded_pipe_max_size;
> - return ret;
> + return proc_dopipe_max_size(table, write, buf, lenp, ppos);
> }
>
> /*
> diff --git a/include/linux/pipe_fs_i.h b/include/linux/pipe_fs_i.h
> index e7497c9dde7f..485cf7a7aa8f 100644
> --- a/include/linux/pipe_fs_i.h
> +++ b/include/linux/pipe_fs_i.h
> @@ -190,5 +190,6 @@ static inline int pipe_buf_steal(struct
> pipe_inode_info *pipe,
> struct pipe_inode_info *get_pipe_info(struct file *file);
>
> int create_pipe_files(struct file **, int);
> +unsigned int round_pipe_size(unsigned int size);
>
> #endif
> diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
> index 1d4dba490fb6..ba24ca72800c 100644
> --- a/include/linux/sysctl.h
> +++ b/include/linux/sysctl.h
> @@ -50,6 +50,9 @@ extern int proc_dointvec_minmax(struct ctl_table *, int,
> extern int proc_douintvec_minmax(struct ctl_table *table, int write,
> void __user *buffer, size_t *lenp,
> loff_t *ppos);
> +extern int proc_dopipe_max_size(struct ctl_table *table, int write,
> + void __user *buffer, size_t *lenp,
> + loff_t *ppos);
> extern int proc_dointvec_jiffies(struct ctl_table *, int,
> void __user *, size_t *, loff_t *);
> extern int proc_dointvec_userhz_jiffies(struct ctl_table *, int,
> diff --git a/kernel/sysctl.c b/kernel/sysctl.c
> index c976719bf37a..7a2913c5546e 100644
> --- a/kernel/sysctl.c
> +++ b/kernel/sysctl.c
> @@ -67,6 +67,7 @@
> #include <linux/kexec.h>
> #include <linux/bpf.h>
> #include <linux/mount.h>
> +#include <linux/pipe_fs_i.h>
>
> #include <linux/uaccess.h>
> #include <asm/processor.h>
> @@ -2631,6 +2632,47 @@ int proc_douintvec_minmax(struct ctl_table
> *table, int write,
> do_proc_douintvec_minmax_conv, ¶m);
> }
>
> +struct do_proc_dopipe_max_size_conv_param {
> + unsigned int *min;
> +};
> +
> +static int do_proc_dopipe_max_size_conv(unsigned long *lvalp,
> + unsigned int *valp,
> + int write, void *data)
> +{
> + struct do_proc_dopipe_max_size_conv_param *param = data;
> +
> + if (write) {
> + unsigned int val = round_pipe_size(*lvalp);
> +
> + if (val == 0)
> + return -EINVAL;
> +
> + if (param->min && *param->min > val)
> + return -ERANGE;
> +
> + if (*lvalp > UINT_MAX)
> + return -EINVAL;
> +
> + *valp = val;
> + } else {
> + unsigned int val = *valp;
> + *lvalp = (unsigned long) val;
> + }
> +
> + return 0;
> +}
> +
> +int proc_dopipe_max_size(struct ctl_table *table, int write,
> + void __user *buffer, size_t *lenp, loff_t *ppos)
> +{
> + struct do_proc_dopipe_max_size_conv_param param = {
> + .min = (unsigned int *) table->extra1,
> + };
> + return do_proc_douintvec(table, write, buffer, lenp, ppos,
> + do_proc_dopipe_max_size_conv, ¶m);
> +}
> +
> static void validate_coredump_safety(void)
> {
> #ifdef CONFIG_COREDUMP
> @@ -3179,6 +3221,7 @@ int proc_doulongvec_ms_jiffies_minmax(struct
> ctl_table *table, int write,
> EXPORT_SYMBOL(proc_dointvec_jiffies);
> EXPORT_SYMBOL(proc_dointvec_minmax);
> EXPORT_SYMBOL_GPL(proc_douintvec_minmax);
> +EXPORT_SYMBOL_GPL(proc_dopipe_max_size);
> EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
> EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
> EXPORT_SYMBOL(proc_dostring);
> --
> 1.8.3.1
>