From: Dan Aloni <dan@kernelim.com>
To: Benjamin LaHaise <bcrl@kvack.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
security@kernel.org, linux-aio@kvack.org,
linux-kernel@vger.kernel.org, Mateusz Guzik <mguzik@redhat.com>,
Petr Matousek <pmatouse@redhat.com>,
Kent Overstreet <kmo@daterainc.com>,
Jeff Moyer <jmoyer@redhat.com>,
stable@vger.kernel.org
Subject: Re: Revert "aio: fix aio request leak when events are reaped by user space"
Date: Sun, 24 Aug 2014 21:48:21 +0300 [thread overview]
Message-ID: <20140824184821.GA5449@gmail.com> (raw)
In-Reply-To: <20140824180531.GC4376@kvack.org>
On Sun, Aug 24, 2014 at 02:05:31PM -0400, Benjamin LaHaise wrote:
> On Fri, Aug 22, 2014 at 09:51:10PM +0300, Dan Aloni wrote:
> > Ben, seems that the test program needs some twidling to make the bug
> > appear still by setting MAX_IOS to 256 (and it still passes on a
> > kernel with the original patch reverted). Under this condition the
> > ring buffer size remains 128 (here, 32*4 CPUs), and it is overrun on
> > the second attempt.
>
> Thanks for checking that. I've made some further changes to your test
> program to be able to support both userspace event reaping and using the
> io_getevents() syscall. I also added a --max-ios= parameter to allow
> using different values of MAX_IOS for testing. A copy of the modified
> source is available at http://www.kvack.org/~bcrl/20140824-aio_bug.c .
> With this version of the patch, both means of reaping events now work
> corectly. The aio_bug.c code still needs to be added to libaio's set
> of tests, but that's a separate email.
I like your extension to the test program. I have a suggestion for
the integration inside libaio's harness, since the original issue
depended on the size of the ring buffer, let's have max_ios be picked
from {ring->nr + 1, ring->nr - 1, ring->nr}*{1,2,3,4} for the various
test cases. I guess Jeff who is maintaining it will have some ideas
too.
>[snip]
> If you can have a quick look and acknowledge with your Signed-off-by, I'll
> add it to the commit and send a pull request. With these changes and the
> modified aio_bug.c, the test passes using various random values for
> max_ios, as well as both with and without --user_getevents validating that
> both regressions involved have now been fixed.
I haven't tested it yet due to lack of more time today (will give it a
try tomorrow), but I've reviewed and didn't find any problem.
Signed-off-by: Dan Aloni <dan@kernelim.com>
>
> ...
> > BTW, I am not an expert on this code so I am still not sure that
> > 'ctx->completed_events' wouldn't get wrong if for instance - one SMP
> > core does userspace event reaping and another calls io_submit(). Do
> > you think it would work alright in that case?
>
> This should be SMP safe: both ctx->completed_events and ctx->tail are
> protected ctx->completion_lock. Additionally, possible races with
> grabbing the value of ring->head should also be safe, and I added a
> comment explaining why. Does that address your concerns? Cheers,
Yes, thanks.
--
Dan Aloni
next prev parent reply other threads:[~2014-08-24 18:48 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-06-24 18:01 [PATCH 0/2] aio: fixes for kernel memory disclosure in aio read events Benjamin LaHaise
2014-06-24 18:01 ` [PATCH 1/2] aio: fix aio request leak when events are reaped by userspace Benjamin LaHaise
2014-06-24 18:20 ` Jeff Moyer
2014-08-19 16:37 ` Revert "aio: fix aio request leak when events are reaped by user space" Dan Aloni
2014-08-19 16:54 ` Benjamin LaHaise
2014-08-19 17:14 ` Dan Aloni
2014-08-20 0:46 ` Benjamin LaHaise
2014-08-22 16:01 ` Benjamin LaHaise
2014-08-22 16:15 ` Dan Aloni
2014-08-22 16:26 ` Benjamin LaHaise
2014-08-22 18:51 ` Dan Aloni
2014-08-22 21:43 ` Linus Torvalds
2014-08-24 18:11 ` Benjamin LaHaise
2014-08-26 1:11 ` Kent Overstreet
2014-08-24 18:05 ` Benjamin LaHaise
2014-08-24 18:48 ` Dan Aloni [this message]
2014-08-27 20:26 ` Jeff Moyer
2014-08-25 15:06 ` Elliott, Robert (Server Storage)
2014-08-25 15:11 ` Benjamin LaHaise
2014-06-24 18:02 ` [PATCH 2/2] aio: fix kernel memory disclosure in io_getevents() introduced in v3.10 Benjamin LaHaise
2014-06-24 18:23 ` Jeff Moyer
2014-06-24 18:39 ` Benjamin LaHaise
2014-06-24 19:21 ` Jeff Moyer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140824184821.GA5449@gmail.com \
--to=dan@kernelim.com \
--cc=bcrl@kvack.org \
--cc=jmoyer@redhat.com \
--cc=kmo@daterainc.com \
--cc=linux-aio@kvack.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mguzik@redhat.com \
--cc=pmatouse@redhat.com \
--cc=security@kernel.org \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.