https://www.dafei.me/tags/%E5%86%85%E5%AD%98%E5%AE%89%E5%85%A8/ Recent content in 内存安全 on 大飞的博客 Hugo zh-cn Thu, 04 Jun 2026 06:00:00 +0000 https://www.dafei.me/posts/os-49-fixes/ Thu, 04 Jun 2026 06:00:00 +0000 https://www.dafei.me/posts/os-49-fixes/ <p>内核模块跑起来之后，发现 SMP 下偶发崩溃。追查下去，发现是一类隐藏很深的 bug：<code>static</code> 局部缓冲区。</p> <h2 id="static-局部变量在-smp-下是定时炸弹">static 局部变量在 SMP 下是定时炸弹</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#75715e">// ext2.c 里随处可见这样的代码 </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">int</span> <span style="color:#a6e22e">ext2_read</span>(<span style="color:#66d9ef">uint32_t</span> inum, ...) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">static</span> <span style="color:#66d9ef">uint8_t</span> blk[<span style="color:#ae81ff">4096</span>]; <span style="color:#75715e">// 危险！ </span></span></span><span style="display:flex;"><span> <span style="color:#75715e">// ... </span></span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p><code>static</code> 局部变量存在 <code>.bss</code> 段里，整个内核只有一份。单核下没问题，但 SMP 下：</p> <ul> <li>CPU0 和 CPU1 同时读不同的文件</li> <li>都调用 <code>ext2_read</code>，都在用同一个 <code>blk[]</code></li> <li>互相覆盖对方的数据 → 文件读出来是乱的</li> </ul> <p><code>ext2.c</code> 里有十几处这样的 <code>static</code> 缓冲区，<code>vfs.c</code> 里也有。全部改成 <code>kmalloc</code>：</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#75715e">// 修改后 </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">uint8_t</span> <span style="color:#f92672">*</span>blk <span style="color:#f92672">=</span> (<span style="color:#66d9ef">uint8_t</span> <span style="color:#f92672">*</span>)<span style="color:#a6e22e">kmalloc</span>(block_size); </span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span> (<span style="color:#f92672">!</span>blk) <span style="color:#66d9ef">return</span> <span style="color:#f92672">-</span><span style="color:#ae81ff">1</span>; </span></span><span style="display:flex;"><span><span style="color:#75715e">// ... 使用 ... </span></span></span><span style="display:flex;"><span><span style="color:#a6e22e">kfree</span>(blk); </span></span></code></pre></div><p>同时还有一个更隐蔽的问题：间接块的 LBA 缓存：</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#75715e">// 修改前：有状态缓存，SMP 下竞争 </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">static</span> <span style="color:#66d9ef">uint32_t</span> ind1[<span style="color:#ae81ff">1024</span>]; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">static</span> <span style="color:#66d9ef">uint32_t</span> ind1_bno <span style="color:#f92672">=</span> <span style="color:#ae81ff">0</span>; <span style="color:#75715e">// 上次读的 LBA，用来判断是否要重读 </span></span></span><span style="display:flex;"><span><span style="color:#66d9ef">if</span> (ind1_bno <span style="color:#f92672">!=</span> inode.i_block[<span style="color:#ae81ff">12</span>]) { </span></span><span style="display:flex;"><span> ind1_bno <span style="color:#f92672">=</span> inode.i_block[<span style="color:#ae81ff">12</span>]; </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">read_block</span>(ind1_bno, ind1); </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><p>两个核心同时修改 <code>ind1_bno</code>，都以为自己读的数据有效——去掉缓存，每次都读：</p>