From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gorcunov@gmail.com>
Received: from mail-lf1-f65.google.com (mail-lf1-f65.google.com
 [209.85.167.65])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by dev.tarantool.org (Postfix) with ESMTPS id 17E2A4696C3
 for <tarantool-patches@dev.tarantool.org>;
 Tue,  4 Feb 2020 17:32:13 +0300 (MSK)
Received: by mail-lf1-f65.google.com with SMTP id b15so12358686lfc.4
 for <tarantool-patches@dev.tarantool.org>;
 Tue, 04 Feb 2020 06:32:13 -0800 (PST)
From: Cyrill Gorcunov <gorcunov@gmail.com>
Date: Tue,  4 Feb 2020 17:31:45 +0300
Message-Id: <20200204143147.20791-3-gorcunov@gmail.com>
In-Reply-To: <20200204143147.20791-1-gorcunov@gmail.com>
References: <20200204143147.20791-1-gorcunov@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: [Tarantool-patches] [PATCH v3 2/4] fiber: leak stack if we unable
	to revert guard page
List-Id: Tarantool development patches <tarantool-patches.dev.tarantool.org>
List-Unsubscribe: <https://lists.tarantool.org/mailman/options/tarantool-patches>, 
 <mailto:tarantool-patches-request@dev.tarantool.org?subject=unsubscribe>
List-Archive: <https://lists.tarantool.org/pipermail/tarantool-patches/>
List-Post: <mailto:tarantool-patches@dev.tarantool.org>
List-Help: <mailto:tarantool-patches-request@dev.tarantool.org?subject=help>
List-Subscribe: <https://lists.tarantool.org/mailman/listinfo/tarantool-patches>, 
 <mailto:tarantool-patches-request@dev.tarantool.org?subject=subscribe>
To: tml <tarantool-patches@dev.tarantool.org>

At the moment we setup fiber's stack with a guard page
which is used to detect stack overrun. This page is just
a regular page taken from a slab with PROT_NONE attribute.

Once fiber is no longer needed we try to revert this
attribute back to PROT_READ | PROT_WRITE. Still there
is a small chance (well, pretty small I would say) that
this attempt get failed.

Thus in such case we should not allow to reuse such memory
area (because slab engine expects the memory it handles is
solid in terms of permissions). IOW, lets explicitly leak
such memory with error message, it is a bit better than
panic and gives administrator a chance to gracefully restart
tarantool instance or relax memory pressue somehow one the node.

I put FIXME into the code since I think we could implement
some more intelligent handling and collect such corrupted
slabs into a list and retry to restore permissions in background.

Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
---
 src/lib/core/fiber.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/lib/core/fiber.c b/src/lib/core/fiber.c
index b51f46f2f..d6ff481a5 100644
--- a/src/lib/core/fiber.c
+++ b/src/lib/core/fiber.c
@@ -1041,15 +1041,21 @@ fiber_stack_destroy(struct fiber *fiber, struct slab_cache *slabc)
 			 * to setup the original protection back in
 			 * background.
 			 *
+			 * For now lets keep such slab referenced and
+			 * leaked: if mprotect failed we must not allow
+			 * to reuse such slab with PROT_NONE'ed page
+			 * somewhere inside.
+			 *
 			 * Note that in case if we're called from
 			 * fiber_stack_create() the @mprotect_flags is
 			 * the same as the slab been created with, so
 			 * calling mprotect for VMA with same flags
 			 * won't fail.
 			 */
-			diag_log();
-		}
-		slab_put(slabc, fiber->stack_slab);
+			say_syserror("fiber: Can't put guard page to slab. "
+				     "Leak %zu bytes", (size_t)fiber->stack_size);
+		} else
+			slab_put(slabc, fiber->stack_slab);
 	}
 }
 
-- 
2.20.1