On Thu, 18 Oct 2018 15:32:35 +0000
Michael Kelley <mikelley@xxxxxxxxxxxxx> wrote:

> From Olaf Hering Sent: Thursday, October 18, 2018 8:20 AM
> >
> > > This extends existing vmbus related sysfs structure to provide per-channel
> > > state information. This is useful when diagnosing issues with multiple
> > > queues in networking and storage.
> >
> > > +++ b/drivers/hv/vmbus_drv.c
> > > +static ssize_t write_avail_show(const struct vmbus_channel *channel, char *buf)
> > > +{
> > > + const struct hv_ring_buffer_info *rbi = &channel->outbound;
> > > +
> > > + return sprintf(buf, "%u\n", hv_get_bytes_to_write(rbi));
> > > +}
> > > +VMBUS_CHAN_ATTR_RO(write_avail);
> >
> > This is upstream since a year.
> >
> > But I wonder how this can work if vmbus_device_register is called,
> > and then something reads the populated sysfs files before vmbus_open returns.
> > Nothing protects rbi->ring_buffer in this case, which remains NULL
> > until vmbus_open populates it.
> >
> > A simple reproduce, with a modular kernel, is to boot with init=/bin/bash
> > head /sys/bus/vmbus/devices/*/channels/*/*
> >
>
> There are multiple race conditions with this and other VMbus sysfs information.
> There's a race on the close path as well. I've got an action on my list to get it
> cleaned up.
>
> Michael
>

There is also a bunch of issues with code like:

static ssize_t id_show(struct device *dev, struct device_attribute *dev_attr,
                       char *buf)
{
        struct hv_device *hv_dev = device_to_hv_device(dev);

        if (!hv_dev->channel)
                return -ENODEV;
        return sprintf(buf, "%d\n", hv_dev->channel->offermsg.child_relid);
}

Which should be using ACCESS_ONCE on hv_dev->channel or doing proper RCU.
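
Review bot: write_avail_show() hands &channel->outbound straight to hv_get_bytes_to_write() with no check that the ring buffer has been set up. As the reply in this thread points out, rbi->ring_buffer stays NULL until vmbus_open populates it, so a sysfs read that lands between vmbus_device_register and vmbus_open goes through a NULL pointer. Suggest testing that the channel is open (or that rbi->ring_buffer is non-NULL) before computing the value, returning an error otherwise, and doing the test under whatever lock serializes open and close so the close-path race mentioned in the thread is covered by the same guard.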
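
The check-then-dereference pattern in the quoted id_show(), modelled in userspace as an added example that is not part of the original thread or of the kernel source. The *_model types, load_channel(), clear_after and run() are hypothetical, and -EFAULT stands in for the NULL dereference the kernel would hit.

```c
/* Userspace model, constructed for illustration; names are hypothetical. */
#include <errno.h>
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>
struct channel_model { unsigned int child_relid; };
struct hv_device_model {
    _Atomic(struct channel_model *) channel;
    int loads, clear_after; /* test hook: close "runs" after N loads */
};
static struct channel_model chan = { .child_relid = 7 };

/* All reads of d->channel go through here, so the interleaving is fixed. */
static struct channel_model *load_channel(struct hv_device_model *d)
{
    struct channel_model *c = atomic_load(&d->channel);
    if (++d->loads == d->clear_after)
        atomic_store(&d->channel, (struct channel_model *)NULL);
    return c;
}

/* Shape of the quoted id_show(): NULL check, then a second fetch. */
static int id_show_double_fetch(struct hv_device_model *d, char *buf, size_t n)
{
    if (!load_channel(d))
        return -ENODEV;
    struct channel_model *c = load_channel(d); /* may differ from the checked value */
    if (!c)
        return -EFAULT; /* model only: the kernel would oops here */
    return snprintf(buf, n, "%u\n", c->child_relid);
}

/* One snapshot of the pointer: the check and the use see the same value. */
static int id_show_snapshot(struct hv_device_model *d, char *buf, size_t n)
{
    struct channel_model *c = load_channel(d);
    if (!c)
        return -ENODEV;
    return snprintf(buf, n, "%u\n", c->child_relid);
}

/* Run one variant with the close firing right after the first load. */
static int run(int (*show)(struct hv_device_model *, char *, size_t))
{
    struct hv_device_model d = { .channel = &chan, .clear_after = 1 };
    char buf[16];
    return show(&d, buf, sizeof(buf));
}
int main(void) { printf("%d %d\n", run(id_show_double_fetch), run(id_show_snapshot)); return 0; }
```

A single snapshot only removes the mismatch between the checked and the used pointer; keeping the channel object alive while it is used still needs lifetime protection such as the RCU mentioned in the reply.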