| 
									
										
										
										
											2010-08-27 01:24:34 +04:00
										 |  |  | /*
 | 
					
						
							|  |  |  |  * CDDL HEADER START | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  * The contents of this file are subject to the terms of the | 
					
						
							|  |  |  |  * Common Development and Distribution License (the "License"). | 
					
						
							|  |  |  |  * You may not use this file except in compliance with the License. | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE | 
					
						
							|  |  |  |  * or http://www.opensolaris.org/os/licensing.
 | 
					
						
							|  |  |  |  * See the License for the specific language governing permissions | 
					
						
							|  |  |  |  * and limitations under the License. | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  * When distributing Covered Code, include this CDDL HEADER in each | 
					
						
							|  |  |  |  * file and include the License file at usr/src/OPENSOLARIS.LICENSE. | 
					
						
							|  |  |  |  * If applicable, add the following below this CDDL HEADER, with the | 
					
						
							|  |  |  |  * fields enclosed by brackets "[]" replaced with your own identifying | 
					
						
							|  |  |  |  * information: Portions Copyright [yyyy] [name of copyright owner] | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  * CDDL HEADER END | 
					
						
							|  |  |  |  */ | 
					
						
							|  |  |  | /*
 | 
					
						
							|  |  |  |  * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved. | 
					
						
							| 
									
										
										
										
											2017-01-23 21:35:58 +03:00
										 |  |  |  * Copyright (c) 2014, 2015 by Delphix. All rights reserved. | 
					
						
							|  |  |  |  * Copyright 2016 The MathWorks, Inc. All rights reserved. | 
					
						
							| 
									
										
										
										
											2010-08-27 01:24:34 +04:00
										 |  |  |  */ | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | /*
 | 
					
						
							|  |  |  |  * A Zero Reference Lock (ZRL) is a reference count that can lock out new | 
					
						
							|  |  |  |  * references only when the count is zero and only without waiting if the count | 
					
						
							|  |  |  |  * is not already zero. It is similar to a read-write lock in that it allows | 
					
						
							|  |  |  |  * multiple readers and only a single writer, but it does not allow a writer to | 
					
						
							|  |  |  |  * block while waiting for readers to exit, and therefore the question of | 
					
						
							|  |  |  |  * reader/writer priority is moot (no WRWANT bit). Since the equivalent of | 
					
						
							|  |  |  |  * rw_enter(&lock, RW_WRITER) is disallowed and only tryenter() is allowed, it | 
					
						
							|  |  |  |  * is perfectly safe for the same reader to acquire the same lock multiple | 
					
						
							|  |  |  |  * times. The fact that a ZRL is reentrant for readers (through multiple calls | 
					
						
							|  |  |  |  * to zrl_add()) makes it convenient for determining whether something is | 
					
						
							|  |  |  |  * actively referenced without the fuss of flagging lock ownership across | 
					
						
							|  |  |  |  * function calls. | 
					
						
							|  |  |  |  */ | 
					
						
							|  |  |  | #include <sys/zrlock.h>
 | 
					
						
							| 
									
										
										
										
											2014-12-13 05:07:39 +03:00
										 |  |  | #include <sys/trace_zrlock.h>
 | 
					
						
							| 
									
										
										
										
											2010-08-27 01:24:34 +04:00
										 |  |  | 
 | 
					
						
							|  |  |  | /*
 | 
					
						
							|  |  |  |  * A ZRL can be locked only while there are zero references, so ZRL_LOCKED is | 
					
						
							|  |  |  |  * treated as zero references. | 
					
						
							|  |  |  |  */ | 
					
						
							| 
									
										
										
										
											2015-04-27 01:29:43 +03:00
										 |  |  | #define	ZRL_LOCKED	-1
 | 
					
						
							| 
									
										
										
										
											2010-08-27 01:24:34 +04:00
										 |  |  | #define	ZRL_DESTROYED	-2
 | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | void | 
					
						
							|  |  |  | zrl_init(zrlock_t *zrl) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  | 	mutex_init(&zrl->zr_mtx, NULL, MUTEX_DEFAULT, NULL); | 
					
						
							|  |  |  | 	zrl->zr_refcount = 0; | 
					
						
							|  |  |  | 	cv_init(&zrl->zr_cv, NULL, CV_DEFAULT, NULL); | 
					
						
							|  |  |  | #ifdef	ZFS_DEBUG
 | 
					
						
							|  |  |  | 	zrl->zr_owner = NULL; | 
					
						
							|  |  |  | 	zrl->zr_caller = NULL; | 
					
						
							|  |  |  | #endif
 | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | void | 
					
						
							|  |  |  | zrl_destroy(zrlock_t *zrl) | 
					
						
							|  |  |  | { | 
					
						
							| 
									
										
										
										
											2015-04-27 01:29:43 +03:00
										 |  |  | 	ASSERT0(zrl->zr_refcount); | 
					
						
							| 
									
										
										
										
											2010-08-27 01:24:34 +04:00
										 |  |  | 
 | 
					
						
							|  |  |  | 	mutex_destroy(&zrl->zr_mtx); | 
					
						
							|  |  |  | 	zrl->zr_refcount = ZRL_DESTROYED; | 
					
						
							|  |  |  | 	cv_destroy(&zrl->zr_cv); | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | void | 
					
						
							| 
									
										
										
										
											2017-01-12 20:42:11 +03:00
										 |  |  | zrl_add_impl(zrlock_t *zrl, const char *zc) | 
					
						
							| 
									
										
										
										
											2010-08-27 01:24:34 +04:00
										 |  |  | { | 
					
						
							| 
									
										
										
										
											2017-01-23 21:35:58 +03:00
										 |  |  | 	for (;;) { | 
					
						
							|  |  |  | 		uint32_t n = (uint32_t)zrl->zr_refcount; | 
					
						
							|  |  |  | 		while (n != ZRL_LOCKED) { | 
					
						
							|  |  |  | 			uint32_t cas = atomic_cas_32( | 
					
						
							|  |  |  | 			    (uint32_t *)&zrl->zr_refcount, n, n + 1); | 
					
						
							|  |  |  | 			if (cas == n) { | 
					
						
							|  |  |  | 				ASSERT3S((int32_t)n, >=, 0); | 
					
						
							| 
									
										
										
										
											2010-08-27 01:24:34 +04:00
										 |  |  | #ifdef	ZFS_DEBUG
 | 
					
						
							| 
									
										
										
										
											2017-01-23 21:35:58 +03:00
										 |  |  | 				if (zrl->zr_owner == curthread) { | 
					
						
							| 
									
										
											  
											
												Fix race in trace point in zrl_add_impl
We hit an illegal memory access in the zrlock trace point. The problem
is that zrl->zr_owner and zrl->zr_caller are assigned locklessly. And if
zrl->zr_owner got assigned a longer string between when __string()
calculate the strlen, and when __assign_str() does strcpy. The copy will
overflow the buffer.
==
For example:
Initial condition:
zrl->zr_owner = A
zrl->zr_caller = "abc"
Thread A                                 Thread B
-------------------------------------------------
if (zrl->zr_owner == A) {
  DTRACE_PROBE2() {
    __string() {
      strlen(zrl->zr_caller) -> 3
      allocate buf[4]
    }
                                        zrl->zr_owner = B
				        zrl->zr_caller = "abcd"
    __assign_str() {
      strcpy(buf, zrl->zr_caller) <- buffer overflow
==
Dereferencing zrl->zr_owner->pid may also be problematic, in that the
zrl->zr_owner got changed to other task, and that task exits, freeing
the task_struct. This should be very unlikely, as the other task need to
zrl_remove and exit between the dereferencing zr->zr_owner and
zr->zr_owner->pid. Nevertheless, we'll deal with it as well.
To fix the zrl->zr_caller issue, instead of copy the string content, we
just copy the pointer, this is safe because it always points to
__func__, which is static. As for the zrl->zr_owner issue, we pass in
curthread instead of using zrl->zr_owner.
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Chunwei Chen <david.chen@nutanix.com>
Closes #7291 
											
										 
											2018-03-12 21:27:02 +03:00
										 |  |  | 					DTRACE_PROBE3(zrlock__reentry, | 
					
						
							|  |  |  | 					    zrlock_t *, zrl, | 
					
						
							|  |  |  | 					    kthread_t *, curthread, | 
					
						
							|  |  |  | 					    uint32_t, n); | 
					
						
							| 
									
										
										
										
											2017-01-23 21:35:58 +03:00
										 |  |  | 				} | 
					
						
							|  |  |  | 				zrl->zr_owner = curthread; | 
					
						
							|  |  |  | 				zrl->zr_caller = zc; | 
					
						
							| 
									
										
										
										
											2010-08-27 01:24:34 +04:00
										 |  |  | #endif
 | 
					
						
							| 
									
										
										
										
											2017-01-23 21:35:58 +03:00
										 |  |  | 				return; | 
					
						
							|  |  |  | 			} | 
					
						
							|  |  |  | 			n = cas; | 
					
						
							| 
									
										
										
										
											2010-08-27 01:24:34 +04:00
										 |  |  | 		} | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-01-23 21:35:58 +03:00
										 |  |  | 		mutex_enter(&zrl->zr_mtx); | 
					
						
							|  |  |  | 		while (zrl->zr_refcount == ZRL_LOCKED) { | 
					
						
							|  |  |  | 			cv_wait(&zrl->zr_cv, &zrl->zr_mtx); | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 		mutex_exit(&zrl->zr_mtx); | 
					
						
							| 
									
										
										
										
											2010-08-27 01:24:34 +04:00
										 |  |  | 	} | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | void | 
					
						
							|  |  |  | zrl_remove(zrlock_t *zrl) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  | 	uint32_t n; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | #ifdef	ZFS_DEBUG
 | 
					
						
							|  |  |  | 	if (zrl->zr_owner == curthread) { | 
					
						
							|  |  |  | 		zrl->zr_owner = NULL; | 
					
						
							|  |  |  | 		zrl->zr_caller = NULL; | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | #endif
 | 
					
						
							| 
									
										
										
										
											2015-04-27 01:29:43 +03:00
										 |  |  | 	n = atomic_dec_32_nv((uint32_t *)&zrl->zr_refcount); | 
					
						
							|  |  |  | 	ASSERT3S((int32_t)n, >=, 0); | 
					
						
							| 
									
										
										
										
											2010-08-27 01:24:34 +04:00
										 |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | int | 
					
						
							|  |  |  | zrl_tryenter(zrlock_t *zrl) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  | 	uint32_t n = (uint32_t)zrl->zr_refcount; | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | 	if (n == 0) { | 
					
						
							|  |  |  | 		uint32_t cas = atomic_cas_32( | 
					
						
							|  |  |  | 		    (uint32_t *)&zrl->zr_refcount, 0, ZRL_LOCKED); | 
					
						
							|  |  |  | 		if (cas == 0) { | 
					
						
							|  |  |  | #ifdef	ZFS_DEBUG
 | 
					
						
							| 
									
										
										
										
											2015-04-27 01:29:43 +03:00
										 |  |  | 			ASSERT3P(zrl->zr_owner, ==, NULL); | 
					
						
							| 
									
										
										
										
											2010-08-27 01:24:34 +04:00
										 |  |  | 			zrl->zr_owner = curthread; | 
					
						
							|  |  |  | #endif
 | 
					
						
							|  |  |  | 			return (1); | 
					
						
							|  |  |  | 		} | 
					
						
							|  |  |  | 	} | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2015-04-27 01:29:43 +03:00
										 |  |  | 	ASSERT3S((int32_t)n, >, ZRL_DESTROYED); | 
					
						
							| 
									
										
										
										
											2010-08-27 01:24:34 +04:00
										 |  |  | 
 | 
					
						
							|  |  |  | 	return (0); | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | void | 
					
						
							|  |  |  | zrl_exit(zrlock_t *zrl) | 
					
						
							|  |  |  | { | 
					
						
							| 
									
										
										
										
											2015-04-27 01:29:43 +03:00
										 |  |  | 	ASSERT3S(zrl->zr_refcount, ==, ZRL_LOCKED); | 
					
						
							| 
									
										
										
										
											2010-08-27 01:24:34 +04:00
										 |  |  | 
 | 
					
						
							|  |  |  | 	mutex_enter(&zrl->zr_mtx); | 
					
						
							|  |  |  | #ifdef	ZFS_DEBUG
 | 
					
						
							| 
									
										
										
										
											2015-04-27 01:29:43 +03:00
										 |  |  | 	ASSERT3P(zrl->zr_owner, ==, curthread); | 
					
						
							| 
									
										
										
										
											2010-08-27 01:24:34 +04:00
										 |  |  | 	zrl->zr_owner = NULL; | 
					
						
							|  |  |  | 	membar_producer();	/* make sure the owner store happens first */ | 
					
						
							|  |  |  | #endif
 | 
					
						
							|  |  |  | 	zrl->zr_refcount = 0; | 
					
						
							|  |  |  | 	cv_broadcast(&zrl->zr_cv); | 
					
						
							|  |  |  | 	mutex_exit(&zrl->zr_mtx); | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | int | 
					
						
							|  |  |  | zrl_refcount(zrlock_t *zrl) | 
					
						
							|  |  |  | { | 
					
						
							| 
									
										
										
										
											2015-04-27 01:29:43 +03:00
										 |  |  | 	ASSERT3S(zrl->zr_refcount, >, ZRL_DESTROYED); | 
					
						
							| 
									
										
										
										
											2010-08-27 01:24:34 +04:00
										 |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-11-04 23:25:13 +03:00
										 |  |  | 	int n = (int)zrl->zr_refcount; | 
					
						
							| 
									
										
										
										
											2010-08-27 01:24:34 +04:00
										 |  |  | 	return (n <= 0 ? 0 : n); | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | int | 
					
						
							|  |  |  | zrl_is_zero(zrlock_t *zrl) | 
					
						
							|  |  |  | { | 
					
						
							| 
									
										
										
										
											2015-04-27 01:29:43 +03:00
										 |  |  | 	ASSERT3S(zrl->zr_refcount, >, ZRL_DESTROYED); | 
					
						
							| 
									
										
										
										
											2010-08-27 01:24:34 +04:00
										 |  |  | 
 | 
					
						
							|  |  |  | 	return (zrl->zr_refcount <= 0); | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | int | 
					
						
							|  |  |  | zrl_is_locked(zrlock_t *zrl) | 
					
						
							|  |  |  | { | 
					
						
							| 
									
										
										
										
											2015-04-27 01:29:43 +03:00
										 |  |  | 	ASSERT3S(zrl->zr_refcount, >, ZRL_DESTROYED); | 
					
						
							| 
									
										
										
										
											2010-08-27 01:24:34 +04:00
										 |  |  | 
 | 
					
						
							|  |  |  | 	return (zrl->zr_refcount == ZRL_LOCKED); | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | #ifdef	ZFS_DEBUG
 | 
					
						
							|  |  |  | kthread_t * | 
					
						
							|  |  |  | zrl_owner(zrlock_t *zrl) | 
					
						
							|  |  |  | { | 
					
						
							|  |  |  | 	return (zrl->zr_owner); | 
					
						
							|  |  |  | } | 
					
						
							|  |  |  | #endif
 | 
					
						
							| 
									
										
										
										
											2010-09-18 03:07:24 +04:00
										 |  |  | 
 | 
					
						
							|  |  |  | #if defined(_KERNEL) && defined(HAVE_SPL)
 | 
					
						
							|  |  |  | 
 | 
					
						
							| 
									
										
										
										
											2017-01-12 20:42:11 +03:00
										 |  |  | EXPORT_SYMBOL(zrl_add_impl); | 
					
						
							| 
									
										
										
										
											2010-09-18 03:07:24 +04:00
										 |  |  | EXPORT_SYMBOL(zrl_remove); | 
					
						
							|  |  |  | 
 | 
					
						
							|  |  |  | #endif
 |