Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp2177477pxj; Sun, 9 May 2021 18:12:48 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzcMfeG28yPGmpbXdzYm8ywB682gQg4RN8AkiPeK7Ix6KXPdEDcfbFhCyFOTP5ar0dlRWLD X-Received: by 2002:a05:6e02:144f:: with SMTP id p15mr19104823ilo.143.1620609168616; Sun, 09 May 2021 18:12:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620609168; cv=none; d=google.com; s=arc-20160816; b=hvwDNvrplp8PuZZNBMl9rGENJ37FsDRKGr3RYk0H7I0Jh9bw8rVseK/LNnhqbfBweg UW8b6f3mPGBQoEFQdi9yCkiMUfRCFgIAbmms1mFK/zOCsAQferz2r3eXiYcd4C7VCb5d mnfIFaMCHvIij079xs5mqkfxN2gJfERHETP5dK5HWfhnqam1hVtgBnkQOFuRJPcF6k8P qfh9n17w+z5acglv+XdI7jsnzO9DjpoF+UHbuthOcacFgDTH6lC/lmOj+sHqeWbXE6hT 9b8EPLo1Jwfna/AyAzwBPDF5blB/WfPwzxF3a/8qbRAklWq/aE4ehck3eoNEZTPQVb1/ JGkg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:organization :message-id:user-agent:references:in-reply-to:subject:cc:to:from :date:mime-version; bh=IumRwP9nWhseOvMUwoyT6TY6KHh30qENRjMG8RqbsEE=; b=Lf7TQPz1pVsS/RiUgRQXFqJo2FPjd8BODzur77Xr8DRbgnRZKLWihUyBclzLHn/KuS FdIYVPdoEkday+1dn6Qy+1stSnt5zCXYS5Wf+ZkIl4lrHR079TWeJ6NT3NNQRIXKCtE4 HMhtyKuUOM+KMjQ0z1SR+VwX+xDwfkKi2EMGOWS3Glqok3fxRVeMrDiTqV8vmw8OJl9s zVsnGKEj6vv7mZ8vgKnX4g/yr5DpX3hZUvjUO06OA4lch81/Q8dDkiG80IAZNlnOjEHd p2urU/L2u2WY9KyBsyTEqPwmQ0ZAp8RYUpcPbfBtpGRuheVmQAcZQb/svYkGk4pY0ijf 3kQQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id k5si14260982ils.114.2021.05.09.18.12.36; Sun, 09 May 2021 18:12:48 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230129AbhEJBMD (ORCPT + 99 others); Sun, 9 May 2021 21:12:03 -0400 Received: from mx2.suse.de ([195.135.220.15]:34484 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229941AbhEJBMD (ORCPT ); Sun, 9 May 2021 21:12:03 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.221.27]) by mx2.suse.de (Postfix) with ESMTP id 8656EAE63; Mon, 10 May 2021 01:10:58 +0000 (UTC) MIME-Version: 1.0 Date: Sun, 09 May 2021 18:10:57 -0700 From: Davidlohr Bueso To: Manfred Spraul Cc: Varad Gautam , linux-kernel@vger.kernel.org, Matthias von Faber , stable@vger.kernel.org, Christian Brauner , Oleg Nesterov , "Eric W. Biederman" , Andrew Morton , James Morris , Serge Hallyn Subject: Re: [PATCH v3] ipc/mqueue: Avoid relying on a stack reference past its expiry In-Reply-To: <71c74711-75d6-494e-6ff7-2be49b274477@colorfullife.com> References: <20210507133805.11678-1-varad.gautam@suse.com> <71c74711-75d6-494e-6ff7-2be49b274477@colorfullife.com> User-Agent: Roundcube Webmail Message-ID: <6d36d89bc8f299a76efe8fce9c07e7b5@suse.de> X-Sender: dbueso@suse.de Organization: SUSE Labs Content-Type: text/plain; charset=US-ASCII; format=flowed Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2021-05-08 12:23, Manfred Spraul wrote: > Hi Varad, > > On 5/7/21 3:38 PM, Varad Gautam wrote: >> @@ -1005,11 +1022,9 @@ static inline void __pipelined_op(struct >> wake_q_head *wake_q, >> struct ext_wait_queue *this) >> { >> list_del(&this->list); >> - get_task_struct(this->task); >> - >> + wake_q_add(wake_q, this->task); >> /* see MQ_BARRIER for purpose/pairing */ >> smp_store_release(&this->state, STATE_READY); >> - wake_q_add_safe(wake_q, this->task); >> } >> /* pipelined_send() - send a message directly to the task waiting >> in > > First, I was too fast: I had assumed that wake_q_add() before > smp_store_release() would be a potential lost wakeup. Yeah you need wake_up_q() to actually wake anything up. > > As __pipelined_op() is called within spin_lock(&info->lock), and as > wq_sleep() will reread this->state after acquiring > spin_lock(&info->lock), I do not see a bug anymore. Right, and when I proposed this version of the fix I was mostly focusing on STATE_READY being set as the last operation, but the fact of the matter is we had moved to the wake_q_add_safe() version for two reasons: (1) Ensuring the ->state = STATE_READY is done after the reference count and avoid racing with exit. In mqueue's original use of wake_q we were relying on the call's implied barrier from wake_q_add() in order to avoid reordering of setting the state. But this turned out to be insufficient hence the explicit smp_store_release(). (2) In order to prevent a potential lost wakeup when the blocked task is already queued for wakeup by another task (the failed cmpxchg case in wake_q_add), and therefore we need to set the return condition (->state = STATE_READY) before adding the task to the wake_q. But I'm not seeing how race (2) can happen in mqueue. The race was always theoretical to begin with, with the exception of rwsems[1] in which actually the wakee task could end up in the waker's wake_q without actually blocking. So all in all I now agree that we should keep the order of how we currently have things, just to be on the safer side, if nothing else. [1] https://lore.kernel.org/lkml/1543495830-2644-1-git-send-email-xieyongji@baidu.com Thanks, Davidlohr