From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 265997] compat10 semaphore interface internal race may lead to application hang
Date: Tue, 23 Aug 2022 04:56:23 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=265997

Bug ID: 265997
Summary: compat10 semaphore interface internal race may lead to application hang
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: bugs@FreeBSD.org
Reporter: firk@cantconnect.ru

The bug was introduced in r349951 and r350478 (also MFCed to 12.x as r351789).

Previously, any unexpected case would simply cause the syscall to return, leaving the decision to the userspace sem wrapper (which handled it correctly). After these patches, a non-zero sem->_has_waiters leads straight to umtxq_sleep() without checking whether sem->_count is non-zero. A non-zero sem->_has_waiters can occur spuriously because of the same code: it does not clear the flag after cancelling the sleep due to a non-zero sem->_count.

1. Make sem_wait() and sem_post() race:
- sem_wait() checks _count in userspace, sees it is zero, and calls into the kernel -> do_sem_wait()
- sem_post() sets _count to 1 and calls do_sem_wake(), which does nothing because the waiter thread is not yet in the queue
- do_sem_wait() sets _has_waiters=1, then sees _count==1 and exits
- userspace sem_wait() decrements _count back to 0; _has_waiters is left non-zero

2. Make them race again:
- sem_wait() checks _count in userspace, sees it is zero, and calls into the kernel -> do_sem_wait()
- sem_post() sets _count to 1 again, not touching _has_waiters, and calls do_sem_wake(), which again does nothing because the waiter thread is not in the queue
- do_sem_wait() fails to set _has_waiters 0->1 because it is already non-zero, and then goes to umtxq_sleep()
- umtxq_sleep() has no chance to wake up without another sem_post(), despite the fact that _count==1
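The two racing rounds from the report, replayed step by step in a constructed C model (an added example, not FreeBSD's kernel or libc code; struct usem, race_round and the !buggy re-check are assumptions, the re-check illustrating the _count test the report says is skipped, not the committed fix):

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed model of the compat10 semaphore words the report describes:
 * userspace owns the _count fast path, the kernel sets _has_waiters before
 * sleeping. No threads: the report's two rounds are replayed in its order. */
struct usem { uint32_t _has_waiters; uint32_t _count; };
enum outcome { RETURN_TO_USER, SLEEP_OK, SLEEP_LOST_WAKEUP };

/* Model of do_sem_wait(). buggy=true mirrors the report: a pre-set _has_waiters
 * skips the _count check. The !buggy branch is an assumed fix, not the committed one. */
static enum outcome do_sem_wait(struct usem *s, bool buggy)
{
    if (s->_has_waiters == 0) {               /* CAS 0->1 in the real code */
        s->_has_waiters = 1;
        if (s->_count != 0)
            return RETURN_TO_USER;            /* a post raced us: retry in userspace */
    } else if (!buggy && s->_count != 0) {
        return RETURN_TO_USER;                /* re-check _count before sleeping */
    }
    /* umtxq_sleep(): only a later sem_post() could wake us from here */
    return s->_count != 0 ? SLEEP_LOST_WAKEUP : SLEEP_OK;
}

/* Model of sem_post(): bump _count; do_sem_wake() finds nobody queued
 * because the waiter thread has not reached umtxq_sleep() yet. */
static void sem_post_racing(struct usem *s) { s->_count++; }

/* One round of the report's interleaving; returns the kernel-side outcome. */
enum outcome race_round(struct usem *s, bool buggy)
{
    if (s->_count != 0) { s->_count--; return RETURN_TO_USER; } /* userspace fast path */
    sem_post_racing(s);                       /* post lands before do_sem_wait() runs */
    enum outcome o = do_sem_wait(s, buggy);
    if (o == RETURN_TO_USER) s->_count--;     /* userspace wrapper consumes the count */
    return o;
}

/* True when round 2 would sleep forever although _count == 1 (the reported hang). */
bool reproduces_hang(bool buggy)
{
    struct usem s = { 0, 0 };
    if (race_round(&s, buggy) != RETURN_TO_USER) return false;
    return race_round(&s, buggy) == SLEEP_LOST_WAKEUP;   /* _has_waiters is stale now */
}

int main(void)
{
    printf("buggy: hang=%d, fixed: hang=%d\n", reproduces_hang(true), reproduces_hang(false));
}
```

The model deliberately omits the wake queue: in both rounds do_sem_wake() runs before the waiter is queued, which is exactly why the stale _has_waiters flag matters.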