Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3203978imu; Wed, 7 Nov 2018 06:46:40 -0800 (PST) X-Google-Smtp-Source: AJdET5c8KgEgmGMIGShAVa+HEpddtRw7Jko1SQKpMWCTwBOMAilgt2Yg8yQGyb+kN5oyyx5/44R1 X-Received: by 2002:a17:902:4324:: with SMTP id i33-v6mr496852pld.253.1541602000924; Wed, 07 Nov 2018 06:46:40 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1541602000; cv=none; d=google.com; s=arc-20160816; b=oMTjcYKW2auqFwRIxwvjN5NjoeNwercTJiC3d6GEXOA6Iz/EG9rsaoTEDQrgtjG+Xr EY4Jm3sDlPvrmV1ZPZ+6rYc/dm5Y3+6jDvNK5uoQIZwymxJka567AMGkcGUqBmFm8jnN A6TTOZwqNnq+SrM6Y00MnuJUWanZmtA6YToEtAsaFcCfA41UBkECegqF98RMwtRrF3+I S6dRJBxX1soQzda/xBOLjiX/mo2piofvf7oz7IGaQAp9QFyj5Omuvagrg52oB/IQe6am /4IBXhvlN1/CIuhODVeX1XbeRWiGNZg7NHViQ01RGGudOw162KRu2pXbEEKM5J33pyxQ 5BBQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :references:in-reply-to:mime-version:dkim-signature; bh=5HtoEEObkIbud56Wa3SqTaoQbCyHLlq31Jxs9qh14aI=; b=NaYgb4ifmWYMcIYnianAhHHz0/38c8W8q3ZHsB8AneIP40UwvFAxC1xxa9vdmQzMrW bDq+DPDBOe1acNE2vP5GpdzjJn+TtVkdpC8N1hEub4wWWg2y/ONTH6DzrSrRc/2gtRr8 Ujac8IqROr2AofUgKFFYhpQe1SzdZudQA3GMDz/a2sja0d5zGcPiqC9IZICXeQ8ztXNX 5G0fgFklTyZueSqUoKjkVSeY8gnpMqYpnPhtrn+PHQ6psnqOomdhQlZS1u32Ac+I4CyU 2f1ddkdRHlTJ3EtcV6sx3ThRYQ/gyqpgpICF22M/TjaQSK+vsTgl/pR9fAU5DK0cuaYY w+Fg== ARC-Authentication-Results: i=1; mx.google.com; dkim=temperror (no key for signature) header.i=@szeredi.hu header.s=google header.b=ljTooiTT; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w16si749349pga.328.2018.11.07.06.46.25; Wed, 07 Nov 2018 06:46:40 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=temperror (no key for signature) header.i=@szeredi.hu header.s=google header.b=ljTooiTT; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731092AbeKHAQg (ORCPT + 99 others); Wed, 7 Nov 2018 19:16:36 -0500 Received: from mail-io1-f65.google.com ([209.85.166.65]:34744 "EHLO mail-io1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727709AbeKHAQg (ORCPT ); Wed, 7 Nov 2018 19:16:36 -0500 Received: by mail-io1-f65.google.com with SMTP id d80-v6so12078851iof.1 for ; Wed, 07 Nov 2018 06:45:57 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=szeredi.hu; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=5HtoEEObkIbud56Wa3SqTaoQbCyHLlq31Jxs9qh14aI=; b=ljTooiTTEcSfTTWoun1kg/asmDKrlz9HLUytOVsRRHKm+qhrNSQUK4V8VYPGr4izth sZu9kW57euF4mGEB8uBYR6ZgmdPdD5Ev6rgaZpYoKpyRyYgCeMxf2h6NB1giax3iOM+y MBhTMpQ1br4y7nQ6ck1eLBZuymiP0cCwHQL0w= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=5HtoEEObkIbud56Wa3SqTaoQbCyHLlq31Jxs9qh14aI=; b=j+rW73fEHw0HwwnxM/TaXjiEh5GvO2xbcmcWfBWU2w/0Ezt+UY3rtahK+A7l4Cl1Rf m/Ao8VN/Gq/Pa/ov1OZoQ3OLwNv65vP5wrtGDCj1+vMxgOo8YIRmxPMptJDn/T/IBUlr mbCQ9Uhlmc7gYM7D5bj0SVCUqTcCTvR+HaCIyt/R0VpJJCdxyRaJmyA4Rf60YtpvFSiR 2kRwVq3ZWWwD2anPvAhDsFSWPKA3bOwfOKopfBtuOjYDY6cnQCGWwzt+OSvPAISVVx0w VcTymeDzxUfNQ4uBWdNUlXUcXuRG34YqIAvU06iwe7Y7IIbeYkV4FYxKDU7SprmAHg12 uQGg== X-Gm-Message-State: AGRZ1gJiUZvSOPLbN5zaoQqde46Dde01YMN7Cw/MDqhEXIqzt1AAWY5U fxUM3PrjksymqMFNRAZ14/oTJ18XSzrM+WeNHLnLcQ== X-Received: by 2002:a5e:8b42:: with SMTP id z2-v6mr377479iom.144.1541601956953; Wed, 07 Nov 2018 06:45:56 -0800 (PST) MIME-Version: 1.0 Received: by 2002:a6b:ac42:0:0:0:0:0 with HTTP; Wed, 7 Nov 2018 06:45:55 -0800 (PST) X-Originating-IP: [212.96.48.140] In-Reply-To: <6f27b5a5-0092-b23f-b28e-341ae093a241@virtuozzo.com> References: <154149586524.17764.5252013294539109287.stgit@localhost.localdomain> <154149666097.17764.12092615786683141764.stgit@localhost.localdomain> <6f27b5a5-0092-b23f-b28e-341ae093a241@virtuozzo.com> From: Miklos Szeredi Date: Wed, 7 Nov 2018 15:45:55 +0100 Message-ID: Subject: Re: [PATCH 6/6] fuse: Verify userspace asks to requeue interrupt that we really sent To: Kirill Tkhai Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Nov 7, 2018 at 3:25 PM, Kirill Tkhai wrote: > On 07.11.2018 16:55, Miklos Szeredi wrote: >> On Tue, Nov 6, 2018 at 10:31 AM, Kirill Tkhai wrote: >>> When queue_interrupt() is called from fuse_dev_do_write(), >>> it came from userspace directly. Userspace may pass any >>> request id, even the request's we have not interrupted >>> (or even background's request). This patch adds sanity >>> check to make kernel safe against that. >> >> Okay, I understand this far. >> >>> The problem is real interrupt may be queued and requeued >>> by two tasks on two cpus. This case, the requeuer has not >>> guarantees it sees FR_INTERRUPTED bit on its cpu (since >>> we know nothing about the way userspace manages requests >>> between its threads and whether it uses smp barriers). >> >> This sounds like BS. There's an explicit smp_mb__after_atomic() >> after the set_bit(FR_INTERRUPTED,...). Which means FR_INTERRUPTED is >> going to be visible on all CPU's after this, no need to fool around >> with setting FR_INTERRUPTED again, etc... > > Hm, but how does it make the bit visible on all CPUS? > > The problem is that smp_mb_xxx() barrier on a cpu has a sense > only in pair with the appropriate barrier on the second cpu. > There is no guarantee for visibility, if second cpu does not > have a barrier: > > CPU 1 CPU2 CPU3 CPU4 CPU5 > > set FR_INTERRUPTED set FR_SENT > > test FR_SENT (== 0) test FR_INTERRUPTED (==1) > list_add[&req->intr_entry] read[req by intr_entry] > > goto userspace > write in userspace buffer > read from userspace buffer > write to userspace buffer > read from userspace buffer > enter kernel > > test FR_INTERRUPTED <- Not visible > > The sequence: > > set_bit(FR_INTERRUPTED, ...) > smp_mb__after_atomic(); > test_bit(FR_SENT, &req->flags) > > just guarantees the expected order on CPU2, which uses , > but CPU5 does not have any guarantees. What you are missing is that there are other things that synchronize memory access besides the memory barrier. In your example the ordering will be guaranteed by the fiq->waitq.lock in queue_interrupt() on CPU2: the set_bit() cannot move past the one-way barrier provided by the spin_unlock(). Thanks, Miklos