All of lore.kernel.org
 help / color / mirror / Atom feed
From: Dan Aloni <dan@kernelim.com>
To: Benjamin LaHaise <bcrl@kvack.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
	security@kernel.org, linux-aio@kvack.org,
	linux-kernel@vger.kernel.org, Mateusz Guzik <mguzik@redhat.com>,
	Petr Matousek <pmatouse@redhat.com>,
	Kent Overstreet <kmo@daterainc.com>,
	Jeff Moyer <jmoyer@redhat.com>,
	stable@vger.kernel.org
Subject: Re: Revert "aio: fix aio request leak when events are reaped by user space"
Date: Fri, 22 Aug 2014 21:51:10 +0300	[thread overview]
Message-ID: <20140822185110.GA2333@gmail.com> (raw)
In-Reply-To: <20140822162630.GF20391@kvack.org>

On Fri, Aug 22, 2014 at 12:26:30PM -0400, Benjamin LaHaise wrote:
> On Fri, Aug 22, 2014 at 07:15:02PM +0300, Dan Aloni wrote:
> > Sorry, I was waiting for a new patch from your direction, I should
> > have replied earlier. What bothered me about the patch you sent is that
> > completed_events is added as a new field but nothing assigns to it, so I 
> > wonder how it can be effective.
> 
> Ah, that was missing a hunk then.  Try this version instead.

Ben, seems that the test program needs some twidling to make the bug
appear still by setting MAX_IOS to 256 (and it still passes on a
kernel with the original patch reverted). Under this condition the
ring buffer size remains 128 (here, 32*4 CPUs), and it is overrun on
the second attempt.

    $ ./aio_bug 
    Submitting: 256
    Submitted: 126
    Submitting: 130
    Submitted too much, that's okay
    Completed: 126
    Submitting: 130
    Submitted: 130
    <stuck>

I think I have found two problems with your patch: first, the
completed_events field is never decremented so it goes up until 2^32
wraparound. So I tested with 'ctx->completed_events -= completed;'
there (along with some prints), but testing revealed that this didn't
solve the problem, so secondly, I also fixed the 'avail = ' line. The
case where the 'head > tail' case didn't look correct to me.

So the good news is that it works now with fix below and MAX_IOS=256
and even with MAX_IOS=512. You can git-amend this it to your patch I
guess.

Signed-off: Dan Aloni <dan@kernelim.com>

diff --git a/fs/aio.c b/fs/aio.c
index 6982357d9372..eafc96c60a8c 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -893,12 +893,20 @@ static void refill_reqs_available(struct kioctx *ctx)
 		tail = ACCESS_ONCE(ring->tail);
 		kunmap_atomic(ring);
 
-		avail = (head <= tail ?  tail : ctx->nr_events) - head;
+		if (head <= tail)
+			avail = tail - head;
+		else
+			avail = ctx->nr_events - (head - tail);
+
 		completed = ctx->completed_events;
+		pr_debug("%u %u  h%u t%u\n", avail, completed, head, tail);
 		if (avail < completed)
 			completed -= avail;
 		else
 			completed = 0;
+		pr_debug("completed %u\n", completed);
+
+		ctx->completed_events -= completed;
 		put_reqs_available(ctx, completed);
 	}
 

BTW, I am not an expert on this code so I am still not sure that
'ctx->completed_events' wouldn't get wrong if for instance - one SMP
core does userspace event reaping and another calls io_submit(). Do
you think it would work alright in that case?


-- 
Dan Aloni

  reply	other threads:[~2014-08-22 18:51 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-06-24 18:01 [PATCH 0/2] aio: fixes for kernel memory disclosure in aio read events Benjamin LaHaise
2014-06-24 18:01 ` [PATCH 1/2] aio: fix aio request leak when events are reaped by userspace Benjamin LaHaise
2014-06-24 18:20   ` Jeff Moyer
2014-08-19 16:37   ` Revert "aio: fix aio request leak when events are reaped by user space" Dan Aloni
2014-08-19 16:54     ` Benjamin LaHaise
2014-08-19 17:14       ` Dan Aloni
2014-08-20  0:46         ` Benjamin LaHaise
2014-08-22 16:01           ` Benjamin LaHaise
2014-08-22 16:15             ` Dan Aloni
2014-08-22 16:26               ` Benjamin LaHaise
2014-08-22 18:51                 ` Dan Aloni [this message]
2014-08-22 21:43                   ` Linus Torvalds
2014-08-24 18:11                     ` Benjamin LaHaise
2014-08-26  1:11                     ` Kent Overstreet
2014-08-24 18:05                   ` Benjamin LaHaise
2014-08-24 18:48                     ` Dan Aloni
2014-08-27 20:26                       ` Jeff Moyer
2014-08-25 15:06                 ` Elliott, Robert (Server Storage)
2014-08-25 15:11                   ` Benjamin LaHaise
2014-06-24 18:02 ` [PATCH 2/2] aio: fix kernel memory disclosure in io_getevents() introduced in v3.10 Benjamin LaHaise
2014-06-24 18:23   ` Jeff Moyer
2014-06-24 18:39     ` Benjamin LaHaise
2014-06-24 19:21       ` Jeff Moyer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20140822185110.GA2333@gmail.com \
    --to=dan@kernelim.com \
    --cc=bcrl@kvack.org \
    --cc=jmoyer@redhat.com \
    --cc=kmo@daterainc.com \
    --cc=linux-aio@kvack.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mguzik@redhat.com \
    --cc=pmatouse@redhat.com \
    --cc=security@kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=torvalds@linux-foundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.