freebsd-nq/module/zfs/zrlock.c
Chunwei Chen 9470cbd4f9 Fix race in trace point in zrl_add_impl
We hit an illegal memory access in the zrlock trace point. The problem
is that zrl->zr_owner and zrl->zr_caller are assigned locklessly. And if
zrl->zr_owner got assigned a longer string between when __string()
calculate the strlen, and when __assign_str() does strcpy. The copy will
overflow the buffer.

==
For example:

Initial condition:
zrl->zr_owner = A
zrl->zr_caller = "abc"

Thread A                                 Thread B
-------------------------------------------------
if (zrl->zr_owner == A) {
  DTRACE_PROBE2() {
    __string() {
      strlen(zrl->zr_caller) -> 3
      allocate buf[4]
    }

                                        zrl->zr_owner = B
				        zrl->zr_caller = "abcd"

    __assign_str() {
      strcpy(buf, zrl->zr_caller) <- buffer overflow
==

Dereferencing zrl->zr_owner->pid may also be problematic, in that the
zrl->zr_owner got changed to other task, and that task exits, freeing
the task_struct. This should be very unlikely, as the other task need to
zrl_remove and exit between the dereferencing zr->zr_owner and
zr->zr_owner->pid. Nevertheless, we'll deal with it as well.

To fix the zrl->zr_caller issue, instead of copy the string content, we
just copy the pointer, this is safe because it always points to
__func__, which is static. As for the zrl->zr_owner issue, we pass in
curthread instead of using zrl->zr_owner.

Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Chunwei Chen <david.chen@nutanix.com>
Closes #7291
2018-03-12 11:27:02 -07:00

198 lines
4.6 KiB
C

/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2014, 2015 by Delphix. All rights reserved.
* Copyright 2016 The MathWorks, Inc. All rights reserved.
*/
/*
* A Zero Reference Lock (ZRL) is a reference count that can lock out new
* references only when the count is zero and only without waiting if the count
* is not already zero. It is similar to a read-write lock in that it allows
* multiple readers and only a single writer, but it does not allow a writer to
* block while waiting for readers to exit, and therefore the question of
* reader/writer priority is moot (no WRWANT bit). Since the equivalent of
* rw_enter(&lock, RW_WRITER) is disallowed and only tryenter() is allowed, it
* is perfectly safe for the same reader to acquire the same lock multiple
* times. The fact that a ZRL is reentrant for readers (through multiple calls
* to zrl_add()) makes it convenient for determining whether something is
* actively referenced without the fuss of flagging lock ownership across
* function calls.
*/
#include <sys/zrlock.h>
#include <sys/trace_zrlock.h>
/*
* A ZRL can be locked only while there are zero references, so ZRL_LOCKED is
* treated as zero references.
*/
#define ZRL_LOCKED -1
#define ZRL_DESTROYED -2
void
zrl_init(zrlock_t *zrl)
{
mutex_init(&zrl->zr_mtx, NULL, MUTEX_DEFAULT, NULL);
zrl->zr_refcount = 0;
cv_init(&zrl->zr_cv, NULL, CV_DEFAULT, NULL);
#ifdef ZFS_DEBUG
zrl->zr_owner = NULL;
zrl->zr_caller = NULL;
#endif
}
void
zrl_destroy(zrlock_t *zrl)
{
ASSERT0(zrl->zr_refcount);
mutex_destroy(&zrl->zr_mtx);
zrl->zr_refcount = ZRL_DESTROYED;
cv_destroy(&zrl->zr_cv);
}
void
zrl_add_impl(zrlock_t *zrl, const char *zc)
{
for (;;) {
uint32_t n = (uint32_t)zrl->zr_refcount;
while (n != ZRL_LOCKED) {
uint32_t cas = atomic_cas_32(
(uint32_t *)&zrl->zr_refcount, n, n + 1);
if (cas == n) {
ASSERT3S((int32_t)n, >=, 0);
#ifdef ZFS_DEBUG
if (zrl->zr_owner == curthread) {
DTRACE_PROBE3(zrlock__reentry,
zrlock_t *, zrl,
kthread_t *, curthread,
uint32_t, n);
}
zrl->zr_owner = curthread;
zrl->zr_caller = zc;
#endif
return;
}
n = cas;
}
mutex_enter(&zrl->zr_mtx);
while (zrl->zr_refcount == ZRL_LOCKED) {
cv_wait(&zrl->zr_cv, &zrl->zr_mtx);
}
mutex_exit(&zrl->zr_mtx);
}
}
void
zrl_remove(zrlock_t *zrl)
{
uint32_t n;
#ifdef ZFS_DEBUG
if (zrl->zr_owner == curthread) {
zrl->zr_owner = NULL;
zrl->zr_caller = NULL;
}
#endif
n = atomic_dec_32_nv((uint32_t *)&zrl->zr_refcount);
ASSERT3S((int32_t)n, >=, 0);
}
int
zrl_tryenter(zrlock_t *zrl)
{
uint32_t n = (uint32_t)zrl->zr_refcount;
if (n == 0) {
uint32_t cas = atomic_cas_32(
(uint32_t *)&zrl->zr_refcount, 0, ZRL_LOCKED);
if (cas == 0) {
#ifdef ZFS_DEBUG
ASSERT3P(zrl->zr_owner, ==, NULL);
zrl->zr_owner = curthread;
#endif
return (1);
}
}
ASSERT3S((int32_t)n, >, ZRL_DESTROYED);
return (0);
}
void
zrl_exit(zrlock_t *zrl)
{
ASSERT3S(zrl->zr_refcount, ==, ZRL_LOCKED);
mutex_enter(&zrl->zr_mtx);
#ifdef ZFS_DEBUG
ASSERT3P(zrl->zr_owner, ==, curthread);
zrl->zr_owner = NULL;
membar_producer(); /* make sure the owner store happens first */
#endif
zrl->zr_refcount = 0;
cv_broadcast(&zrl->zr_cv);
mutex_exit(&zrl->zr_mtx);
}
int
zrl_refcount(zrlock_t *zrl)
{
ASSERT3S(zrl->zr_refcount, >, ZRL_DESTROYED);
int n = (int)zrl->zr_refcount;
return (n <= 0 ? 0 : n);
}
int
zrl_is_zero(zrlock_t *zrl)
{
ASSERT3S(zrl->zr_refcount, >, ZRL_DESTROYED);
return (zrl->zr_refcount <= 0);
}
int
zrl_is_locked(zrlock_t *zrl)
{
ASSERT3S(zrl->zr_refcount, >, ZRL_DESTROYED);
return (zrl->zr_refcount == ZRL_LOCKED);
}
#ifdef ZFS_DEBUG
kthread_t *
zrl_owner(zrlock_t *zrl)
{
return (zrl->zr_owner);
}
#endif
#if defined(_KERNEL) && defined(HAVE_SPL)
EXPORT_SYMBOL(zrl_add_impl);
EXPORT_SYMBOL(zrl_remove);
#endif