From: Benjamin LaHaise <bcrl@kvack.org>
To: Gu Zheng <guz.fnst@cn.fujitsu.com>
Cc: Tang Chen <tangchen@cn.fujitsu.com>,
Dave Jones <davej@redhat.com>, Al Viro <viro@zeniv.linux.org.uk>,
jmoyer@redhat.com, kosaki.motohiro@jp.fujitsu.com,
KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>,
Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>,
miaox@cn.fujitsu.com, linux-aio@kvack.org,
fsdevel <linux-fsdevel@vger.kernel.org>,
linux-kernel <linux-kernel@vger.kernel.org>,
Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [V2 PATCH 1/2] aio: clean up aio_migratepage() and related code much
Date: Mon, 24 Mar 2014 09:20:58 -0400 [thread overview]
Message-ID: <20140324132058.GH4173@kvack.org> (raw)
In-Reply-To: <53301012.7040306@cn.fujitsu.com>
On Mon, Mar 24, 2014 at 06:59:30PM +0800, Gu Zheng wrote:
> As the page migration framework holds lock_page() to protect the pages
> (both old and new) while migrating, so while the page migrating, both
> of old page and new page are locked. And the aio context teardown
> routine will call *truncate*(in put_aio_ring_file()) to truncate
> pagecache which needs to acquire page_lock() for each page one by one.
> So there is a native mutual exclusion between *migrate page* v.s. truncate().
>
> If put_aio_ring_file() is called at first of the context teardown flow
> (aio_free_ring). Then, page migration and ctx freeing will have mutual
> execution guarded by lock_page() v.s. truncate(). Once a page is removed
> from radix-tree, it will not be migrated. On the other hand, the context
> can not be freed while the page migraiton are ongoing.
Sorry, but your change to remove the taking of ->private_lock in
put_aio_ring_file() is not safe. If a malicious user reinstantiates
any pages in the ring buffer's mmaping, there is nothing protecting
the system against incoherent accesses of ->ring_pages. One possible
way of making this occur would be to use mremap() to expand the size
of the mapping or move it to a different location in the user process'
address space. Yes, it's a tiny race, but it's possible. There is
absolutely no reason to remove this locking -- ring teardown is
hardly a performance sensitive code path. I'm going to stick with my
approach instead.
-ben
--
"Thought is the essence of where you are now."
--
To unsubscribe, send a message with 'unsubscribe linux-aio' in
the body to majordomo@kvack.org. For more info on Linux AIO,
see: http://www.kvack.org/aio/
Don't email: <a href=mailto:"aart@kvack.org">aart@kvack.org</a>
WARNING: multiple messages have this Message-ID (diff)
From: Benjamin LaHaise <bcrl@kvack.org>
To: Gu Zheng <guz.fnst@cn.fujitsu.com>
Cc: Tang Chen <tangchen@cn.fujitsu.com>,
Dave Jones <davej@redhat.com>, Al Viro <viro@zeniv.linux.org.uk>,
jmoyer@redhat.com, kosaki.motohiro@jp.fujitsu.com,
KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>,
Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>,
miaox@cn.fujitsu.com, linux-aio@kvack.org,
fsdevel <linux-fsdevel@vger.kernel.org>,
linux-kernel <linux-kernel@vger.kernel.org>,
Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [V2 PATCH 1/2] aio: clean up aio_migratepage() and related code much
Date: Mon, 24 Mar 2014 09:20:58 -0400 [thread overview]
Message-ID: <20140324132058.GH4173@kvack.org> (raw)
In-Reply-To: <53301012.7040306@cn.fujitsu.com>
On Mon, Mar 24, 2014 at 06:59:30PM +0800, Gu Zheng wrote:
> As the page migration framework holds lock_page() to protect the pages
> (both old and new) while migrating, so while the page migrating, both
> of old page and new page are locked. And the aio context teardown
> routine will call *truncate*(in put_aio_ring_file()) to truncate
> pagecache which needs to acquire page_lock() for each page one by one.
> So there is a native mutual exclusion between *migrate page* v.s. truncate().
>
> If put_aio_ring_file() is called at first of the context teardown flow
> (aio_free_ring). Then, page migration and ctx freeing will have mutual
> execution guarded by lock_page() v.s. truncate(). Once a page is removed
> from radix-tree, it will not be migrated. On the other hand, the context
> can not be freed while the page migraiton are ongoing.
Sorry, but your change to remove the taking of ->private_lock in
put_aio_ring_file() is not safe. If a malicious user reinstantiates
any pages in the ring buffer's mmaping, there is nothing protecting
the system against incoherent accesses of ->ring_pages. One possible
way of making this occur would be to use mremap() to expand the size
of the mapping or move it to a different location in the user process'
address space. Yes, it's a tiny race, but it's possible. There is
absolutely no reason to remove this locking -- ring teardown is
hardly a performance sensitive code path. I'm going to stick with my
approach instead.
-ben
--
"Thought is the essence of where you are now."
next prev parent reply other threads:[~2014-03-24 13:20 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-03-20 5:46 [PATCH 2/2] aio: fix the confliction of read events and migrating ring page Gu Zheng
2014-03-20 5:46 ` Gu Zheng
2014-03-20 14:32 ` Dave Jones
2014-03-20 14:32 ` Dave Jones
2014-03-20 16:30 ` Benjamin LaHaise
2014-03-20 16:30 ` Benjamin LaHaise
2014-03-21 1:56 ` Gu Zheng
2014-03-21 1:56 ` Gu Zheng
2014-03-21 17:35 ` Benjamin LaHaise
2014-03-21 17:35 ` Benjamin LaHaise
2014-03-21 18:35 ` [PATCH] aio: ensure access to ctx->ring_pages is correctly serialised Benjamin LaHaise
2014-03-21 18:35 ` Benjamin LaHaise
2014-03-24 10:56 ` Gu Zheng
2014-03-24 10:56 ` Gu Zheng
2014-03-24 10:59 ` [V2 PATCH 1/2] aio: clean up aio_migratepage() and related code much Gu Zheng
2014-03-24 10:59 ` Gu Zheng
2014-03-24 13:20 ` Benjamin LaHaise [this message]
2014-03-24 13:20 ` Benjamin LaHaise
2014-03-25 10:11 ` Gu Zheng
2014-03-24 10:59 ` [V2 PATCH 2/2] aio: fix the confliction of aio read events and aio migrate page Gu Zheng
2014-03-24 10:59 ` Gu Zheng
2014-03-24 18:22 ` [PATCH] aio: ensure access to ctx->ring_pages is correctly serialised Sasha Levin
2014-03-24 18:22 ` Sasha Levin
2014-03-24 19:07 ` Benjamin LaHaise
2014-03-24 19:07 ` Benjamin LaHaise
2014-03-25 17:47 ` Sasha Levin
2014-03-25 17:47 ` Sasha Levin
2014-03-25 18:57 ` Benjamin LaHaise
2014-03-25 18:57 ` Benjamin LaHaise
2014-03-25 18:57 ` Benjamin LaHaise
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140324132058.GH4173@kvack.org \
--to=bcrl@kvack.org \
--cc=akpm@linux-foundation.org \
--cc=davej@redhat.com \
--cc=guz.fnst@cn.fujitsu.com \
--cc=isimatu.yasuaki@jp.fujitsu.com \
--cc=jmoyer@redhat.com \
--cc=kamezawa.hiroyu@jp.fujitsu.com \
--cc=kosaki.motohiro@jp.fujitsu.com \
--cc=linux-aio@kvack.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=miaox@cn.fujitsu.com \
--cc=tangchen@cn.fujitsu.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.