From: Alexander Lochmann
To: Konstantin Belousov
Cc: freebsd-fs, Horst Schirmeier
Subject: Re: Various unprotected accesses to buf and vnode
Date: Sat, 28 Aug 2021 20:53:19 +0200
List-Archive: https://lists.freebsd.org/archives/freebsd-fs

On 27.08.21 20:40, Konstantin Belousov wrote:
>> - Read of buf.b_blkno in cluster_write():
>> According to the documentation b_lock is needed.
>> Is b_blkno maybe a read-only element of struct buf?
> No, b_blkno is not read-only, it is the disk block number for the block,
> as opposed to b_lblkno which is logical file block number. The buffer
> is instantiated with b_blkno == b_lblkno, and when the buffer is mapped
> to the real disk block, b_blkno is updated.
>
> Could you show me the backtrace of the situation where cluster_write()
> is called with unlocked buffer?
>
>>
If you don't mind, you can find them here:
https://thasos.cs.tu-dortmund.de/bugs/ctx-buf-b_blkno-r-cex.html
(Pls ignore the line 'Hypothesis 1: ....'.)
>> - Write to vnode.v_bufobj.bo_object:
>> https://github.com/freebsd/freebsd-src/blob/main/sys/vm/vnode_pager.c#L291
>> According to the documentation, '[...] the vnode lock which embeds the
>> bufobj' is needed. However, interlock is taken in line 276.
>> Is the interlock equivalent to the vnode lock?
>> (I assume 'the vnode lock' refers to vnode.v_lock.)
> vnode_pager_alloc() must be called with the vnode exclusively locked.
> This is asserted at the beginning of the function.
>
Yeah, I see that check: ASSERT_VOP_LOCKED(vp, "vnode_pager_alloc");.
However, our data says otherwise: According to our trace, the shared lock
is taken.
You may have a look at
https://thasos.cs.tu-dortmund.de/bugs/ctx-vnode-v_bufobj.bo_object-w-cex.html.
'EMBSAME(vnode.v_lock[r])' refers to the shared vnode lock.
A click on each lock description, e.g., EMBSAME(vnode.v_lock[r]), leads to
the code where it was taken.
(Pls ignore the line 'Hypothesis 1: ....'.)
>>
>> - Is buf.b_bufobj a read-only element?
> You should scope the question.
>
> While buffer is owned by a vnode, b_bufobj is constant. Since buffers are
> type-stable, they migrate between vnodes as cache finds it required to
> reclaim and reuse. There, b_bufobj is changed.
>
I'm referring to getdirtybuf():
    msleep(&bp->b_xflags, BO_LOCKPTR(bp->b_bufobj), PRIBIO | PDROP, "getbuf", 0);

-- 
Technische Universität Dortmund
Alexander Lochmann                PGP key: 0xBC3EF6FD
Otto-Hahn-Str. 16                 phone:  +49.231.7556141
D-44227 Dortmund                  fax:    +49.231.7556116
http://ess.cs.tu-dortmund.de/Staff/al
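
Added example, not part of the original message and not code from FreeBSD or from the poster's analysis tool: a toy checker over a constructed access trace, showing why a "held in some mode" check accepts the shared vnode lock hold described in the thread while a rule requiring an exclusive hold flags it. The struct names, the rule table, the sample trace and the minimum mode assumed for b_lock are all hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Toy model, not FreeBSD code: how a lock was held during one traced access. */
enum mode { UNLOCKED, SHARED, EXCLUSIVE };
struct access { const char *member; char op; const char *lock; enum mode held; };
struct rule   { const char *member; char op; const char *lock; enum mode need; };

/* Rules as discussed in the thread; "any mode" for b_lock is an assumption. */
static const struct rule rules[] = {
    { "buf.b_blkno",              'r', "buf.b_lock",   SHARED    },
    { "vnode.v_bufobj.bo_object", 'w', "vnode.v_lock", EXCLUSIVE },
};

/* Constructed sample trace, not taken from the linked reports. */
static const struct access sample_trace[] = {
    { "vnode.v_bufobj.bo_object", 'w', "vnode.v_lock", SHARED    },
    { "vnode.v_bufobj.bo_object", 'w', "vnode.v_lock", EXCLUSIVE },
    { "buf.b_blkno",              'r', "",             UNLOCKED  },
    { "buf.b_blkno",              'r', "buf.b_lock",   EXCLUSIVE },
};
#define NTRACE (sizeof(sample_trace) / sizeof(sample_trace[0]))

/* "Held in some mode" check: true for a shared and for an exclusive hold. */
static int is_locked(const struct access *a) { return a->held != UNLOCKED; }

/* 1 if the access meets its rule or no rule covers it, 0 on a violation. */
static int access_ok(const struct access *a)
{
    for (size_t i = 0; i < sizeof(rules) / sizeof(rules[0]); i++)
        if (!strcmp(a->member, rules[i].member) && a->op == rules[i].op)
            return !strcmp(a->lock, rules[i].lock) && a->held >= rules[i].need;
    return 1;
}

/* Number of accesses in the trace that break a rule. */
static int count_violations(const struct access *t, size_t n)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++)
        bad += !access_ok(&t[i]);
    return bad;
}

int main(void)
{
    printf("locked=%d ok=%d violations=%d\n", is_locked(&sample_trace[0]),
           access_ok(&sample_trace[0]), count_violations(sample_trace, NTRACE));
    return 0;
}
```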