From owner-freebsd-fs@freebsd.org  Mon Apr 19 19:43:53 2021
Return-Path: <owner-freebsd-fs@freebsd.org>
Delivered-To: freebsd-fs@mailman.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.nyi.freebsd.org (Postfix) with ESMTP id 3742C5FD44E
 for <freebsd-fs@mailman.nyi.freebsd.org>; Mon, 19 Apr 2021 19:43:53 +0000 (UTC)
 (envelope-from alexander.lochmann@tu-dortmund.de)
Received: from unimail.uni-dortmund.de (mx1.hrz.uni-dortmund.de
 [129.217.128.51])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
 client-signature RSA-PSS (2048 bits) client-digest SHA256)
 (Client CN "unimail.tu-dortmund.de",
 Issuer "DFN-Verein Global Issuing CA" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 4FPHLb71vmz4nJf
 for <freebsd-fs@freebsd.org>; Mon, 19 Apr 2021 19:43:51 +0000 (UTC)
 (envelope-from alexander.lochmann@tu-dortmund.de)
Received: from [192.168.111.113] (p4fd97aed.dip0.t-ipconnect.de
 [79.217.122.237]) (authenticated bits=0)
 by unimail.uni-dortmund.de (8.16.1/8.16.1) with ESMTPSA id 13JJhmsi008604
 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NOT);
 Mon, 19 Apr 2021 21:43:48 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tu-dortmund.de;
 s=unimail; t=1618861428;
 bh=lJ8bhncpnVixS1NUmAyY32mjHEKThFj0EVQHa992mzE=;
 h=Subject:To:Cc:References:From:Date:In-Reply-To;
 b=FLBtF8VHfYNxQxLLqhxzwGyc6OFUexL4/egBlLJWKEQXeOS2gvlVT2c3vwIWCidI7
 nKoI3SnXd2kB77gt7TO6+azM3vWHKit4vL2IQZci0ynyx9D22Elxz6zzFkHp8+eIEK
 FXybdU3neYX3PHv+LUWRfUbJgtDVBhlw2Qy+CG78=
Subject: Re: [struct buf] Unlocked access to b_vflags?
To: Konstantin Belousov <kostikbel@gmail.com>
Cc: freebsd-fs@freebsd.org
References: <792c8a3d-8ea6-073f-3fda-b3eb793ef2b9@tu-dortmund.de>
 <YHVxfMrU9lmw3sG9@kib.kiev.ua>
From: Alexander Lochmann <alexander.lochmann@tu-dortmund.de>
Message-ID: <4ade0f5d-d4f4-616a-b198-fc58f947070d@tu-dortmund.de>
Date: Mon, 19 Apr 2021 21:43:47 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
 Thunderbird/78.9.0
MIME-Version: 1.0
In-Reply-To: <YHVxfMrU9lmw3sG9@kib.kiev.ua>
Content-Type: multipart/signed; micalg=pgp-sha256;
 protocol="application/pgp-signature";
 boundary="MRvfc5qisZWaZafXXSPKFbyRmKvisJENe"
X-Rspamd-Queue-Id: 4FPHLb71vmz4nJf
X-Spamd-Bar: ------
Authentication-Results: mx1.freebsd.org;
 dkim=pass header.d=tu-dortmund.de header.s=unimail header.b=FLBtF8VH;
 dmarc=none;
 spf=pass (mx1.freebsd.org: domain of alexander.lochmann@tu-dortmund.de
 designates 129.217.128.51 as permitted sender)
 smtp.mailfrom=alexander.lochmann@tu-dortmund.de
X-Spamd-Result: default: False [-6.30 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[];
 TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+ip4:129.217.128.0/24];
 HAS_ATTACHMENT(0.00)[]; RCVD_DKIM_ARC_DNSWL_MED(-0.50)[];
 RWL_MAILSPIKE_GOOD(0.00)[129.217.128.51:from];
 RCVD_IN_DNSWL_MED(-0.20)[129.217.128.51:from];
 RCPT_COUNT_TWO(0.00)[2]; DKIM_TRACE(0.00)[tu-dortmund.de:+];
 SIGNED_PGP(-2.00)[]; FREEMAIL_TO(0.00)[gmail.com];
 FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:+,3:~];
 SUBJECT_ENDS_QUESTION(1.00)[];
 ASN(0.00)[asn:680, ipnet:129.217.0.0/16, country:DE];
 MID_RHS_MATCH_FROM(0.00)[];
 RECEIVED_SPAMHAUS_PBL(0.00)[79.217.122.237:received];
 ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000];
 R_DKIM_ALLOW(-0.20)[tu-dortmund.de:s=unimail];
 FROM_HAS_DN(0.00)[]; NEURAL_HAM_SHORT(-1.00)[-1.000];
 NEURAL_HAM_LONG(-1.00)[-1.000];
 MIME_GOOD(-0.20)[multipart/signed,multipart/mixed,text/plain];
 DMARC_NA(0.00)[tu-dortmund.de];
 DWL_DNSWL_LOW(-1.00)[tu-dortmund.de:dkim];
 TO_MATCH_ENVRCPT_SOME(0.00)[]; RCVD_COUNT_TWO(0.00)[2];
 RCVD_TLS_ALL(0.00)[]; MAILMAN_DEST(0.00)[freebsd-fs]
X-BeenThere: freebsd-fs@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Filesystems <freebsd-fs.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-fs>,
 <mailto:freebsd-fs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-fs/>
List-Post: <mailto:freebsd-fs@freebsd.org>
List-Help: <mailto:freebsd-fs-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-fs>,
 <mailto:freebsd-fs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Apr 2021 19:43:53 -0000

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--MRvfc5qisZWaZafXXSPKFbyRmKvisJENe
Content-Type: multipart/mixed; boundary="A3ypNaQRaCga4xnx721QhScM0k7JIFCph";
 protected-headers="v1"
From: Alexander Lochmann <alexander.lochmann@tu-dortmund.de>
To: Konstantin Belousov <kostikbel@gmail.com>
Cc: freebsd-fs@freebsd.org
Message-ID: <4ade0f5d-d4f4-616a-b198-fc58f947070d@tu-dortmund.de>
Subject: Re: [struct buf] Unlocked access to b_vflags?
References: <792c8a3d-8ea6-073f-3fda-b3eb793ef2b9@tu-dortmund.de>
 <YHVxfMrU9lmw3sG9@kib.kiev.ua>
In-Reply-To: <YHVxfMrU9lmw3sG9@kib.kiev.ua>

--A3ypNaQRaCga4xnx721QhScM0k7JIFCph
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: de-DE
Content-Transfer-Encoding: quoted-printable

Out of curiosity: What's the path from function entry to the access in=20
line 759?
The lock is acquired upon function entry in line 7197, and never=20
released afterwards (except for the lines 7212 and 7217).

- Alex

On 13.04.21 12:25, Konstantin Belousov wrote:
> On Mon, Apr 12, 2021 at 11:19:05PM +0200, Alexander Lochmann wrote:
>> Hi folks,
>>
>> I'm was digging through our data set when I encountered a strange situ=
ation:
>> According to the code in trunc_dependencies() in sys/ufs/ffs/ffs_softd=
ep.c,
>> the bo_lock should be held. At least that's how I read the code.
>> However, we see several thousands of accesses to b_vflags without the
>> bo_lock held.
>> At least the own b_lock is acquired.
>> The access happens in line 7549: bp->b_vflags |=3D BV_SCANNED; [1]
>> Can you please shed some light on this situation?
>> Is the b_lock sufficeint, and somehow overrules the bo_lock?
>> Am I missing something?
> I think you found a valid race.  There is one more place where BV_SCANN=
ED
> was manipulated without owning bufobj lock.  Patch below should fix bot=
h.
>=20
> commit a678470b1307542c5a46b930c119b2358863e0d2
> Author: Konstantin Belousov <kib@FreeBSD.org>
> Date:   Tue Apr 13 13:22:56 2021 +0300
>=20
>      b_vflags update requries bufobj lock
>     =20
>      Reported by:    Alexander Lochmann <alexander.lochmann@tu-dortmund=
=2Ede> (trunc_dependencies())
>=20
> diff --git a/sys/ufs/ffs/ffs_softdep.c b/sys/ufs/ffs/ffs_softdep.c
> index 0091b5dcd3b8..23c0cf6e128b 100644
> --- a/sys/ufs/ffs/ffs_softdep.c
> +++ b/sys/ufs/ffs/ffs_softdep.c
> @@ -7546,7 +7546,9 @@ trunc_dependencies(ip, freeblks, lastlbn, lastoff=
, flags)
>   			BO_LOCK(bo);
>   			goto cleanrestart;
>   		}
> +		BO_LOCK(bo);
>   		bp->b_vflags |=3D BV_SCANNED;
> +		BO_UNLOCK(bo);
>   		bremfree(bp);
>   		if (blkoff !=3D 0) {
>   			allocbuf(bp, blkoff);
> diff --git a/sys/ufs/ffs/ffs_vnops.c b/sys/ufs/ffs/ffs_vnops.c
> index dc638595eb7b..05eb19c0ee13 100644
> --- a/sys/ufs/ffs/ffs_vnops.c
> +++ b/sys/ufs/ffs/ffs_vnops.c
> @@ -321,8 +321,9 @@ ffs_syncvnode(struct vnode *vp, int waitfor, int fl=
ags)
>   			if (BUF_LOCK(bp,
>   			    LK_EXCLUSIVE | LK_SLEEPFAIL | LK_INTERLOCK,
>   			    BO_LOCKPTR(bo)) !=3D 0) {
> +				BO_LOCK(bo);
>   				bp->b_vflags &=3D ~BV_SCANNED;
> -				goto next;
> +				goto next_locked;
>   			}
>   		} else
>   			continue;
> @@ -385,6 +386,7 @@ ffs_syncvnode(struct vnode *vp, int waitfor, int fl=
ags)
>   		 * to start from a known point.
>   		 */
>   		BO_LOCK(bo);
> +next_locked:
>   		nbp =3D TAILQ_FIRST(&bo->bo_dirty.bv_hd);
>   	}
>   	if (waitfor !=3D MNT_WAIT) {
>=20

--=20
Technische Universit=C3=A4t Dortmund
Alexander Lochmann                PGP key: 0xBC3EF6FD
Otto-Hahn-Str. 16                 phone:  +49.231.7556141
D-44227 Dortmund                  fax:    +49.231.7556116
http://ess.cs.tu-dortmund.de/Staff/al


--A3ypNaQRaCga4xnx721QhScM0k7JIFCph--

--MRvfc5qisZWaZafXXSPKFbyRmKvisJENe
Content-Type: application/pgp-signature; name="OpenPGP_signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="OpenPGP_signature"

-----BEGIN PGP SIGNATURE-----

wsF5BAABCAAjFiEElhZsUHzVP0dbkjCRWT7tBbw+9v0FAmB93XMFAwAAAAAACgkQWT7tBbw+9v2Z
RhAAhOy5JpO/uLgFsTuW6e+QpeeIdWJIhppqC1FB6wdL4kUrqcYqTUwMs4CsGL3SGHE5JvGPRjKu
2i8i3aZ6pBnWhjloS1ZRJ8miZ6Jk1ChX4ZXfEOzxh4RAC7JKbiLw6I6Eb8u6k3pDBp8InPMpTaBi
V2ase+KOYYjZlVVDmByWZybPweEJD85iWInSlrMpcnCamsA5cvJwXbu2eIBCtMHAQWXVfi55agmU
fTEVileE7Sm4kW+ohQEC/U/h2hFgtMbvD3k6mn8UYiLKquU8ZG1AusyOCCXcPa/REk7nE13y/YYx
1Z0W0lT0+lHUix9E1wj5Bku7TAh3GUCn83A3bzHI2j851RG6+OL7s83hTGScL4l9mKdR8xjv6CUd
B5k3HGMyfDlex9usiiwDHFhjWEIKt7wZbJYFxTmeZ9+wgtYwAHsGSzhr2uo6Lr4FU2uqFyb33GVz
B2T2v+BzpUg9yVBXEkJqessQ/tECLRg4lQbQZSVFIfKeLWntV4sETgMXlzEfv8jK37RhoehHH6kr
tMmb03fx6DrSN8sSiTsmvfSHKk0iS3fEHnRiNPGZbEiRXJ2cTv2VvZrEN3w+dp+icRUqHQAI33Nz
ZATqnxkK08OaYRiWMNi6JCdOHCeRHsw90SJWvC49jIv0LT0vpkb/iVl7TtKrN6YAygY1ZErtyJcB
hhA=
=BdVe
-----END PGP SIGNATURE-----

--MRvfc5qisZWaZafXXSPKFbyRmKvisJENe--