From: Al Viro <viro@ZenIV.linux.org.uk>
To: Christoph Hellwig <hch@lst.de>
Cc: Avi Kivity <avi@scylladb.com>,
linux-aio@kvack.org, linux-fsdevel@vger.kernel.org,
linux-api@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 7/9] aio: add delayed cancel support
Date: Thu, 22 Mar 2018 16:33:56 +0000 [thread overview]
Message-ID: <20180322163356.GG30522@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20180321073232.13366-8-hch@lst.de>
On Wed, Mar 21, 2018 at 08:32:30AM +0100, Christoph Hellwig wrote:
> The upcoming aio poll support would like to be able to complete the
> iocb inline from the cancellation context, but that would cause
> a lock order reversal. Add support for optionally moving the cancelation
> outside the context lock to avoid this reversal.
Ouch... Seeing that you've just taken out cmpxchg loop out of kiocb_cancel()
with "serialized on ->ctx_lock" for explanation of safety... Let me check
the aio_poll side of it; this commit might be better off in the poll series,
*if* it is actually correct.
What's to prevent double completions there? Suppose we have iocb sitting on
the wait queue; cancellation callback set, so's "delayed cancel" flag.
Now, somebody tries to cancel the fucker on CPU1. With ctx->lock held the
sucker is found on the list and, just as we mark it "cancelled", driver sends
a wakeup, executing (on CPU2) aio_poll_wake(), calling aio_complete_poll()
(without ctx->lock, so no exclusion with io_cancel(2) on CPU1), which checks
AIO_IOCB_CANCELLED and does not notice the flag being set on CPU1, then
proceeds to __aio_complete_poll() and fput() in there.
In the meanwhile, CPU1 has taken the sucker off the list, dropped the
lock and called kiocb_cancel() on it. Now we get aio_poll_cancel()
and __aio_complete_poll() on CPU1, with *another* fput().
What am I missing here that would prevent such a race?
--
To unsubscribe, send a message with 'unsubscribe linux-aio' in
the body to majordomo@kvack.org. For more info on Linux AIO,
see: http://www.kvack.org/aio/
Don't email: <a href=mailto:"aart@kvack.org">aart@kvack.org</a>
WARNING: multiple messages have this Message-ID (diff)
From: Al Viro <viro@ZenIV.linux.org.uk>
To: Christoph Hellwig <hch@lst.de>
Cc: Avi Kivity <avi@scylladb.com>,
linux-aio@kvack.org, linux-fsdevel@vger.kernel.org,
linux-api@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 7/9] aio: add delayed cancel support
Date: Thu, 22 Mar 2018 16:33:56 +0000 [thread overview]
Message-ID: <20180322163356.GG30522@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20180321073232.13366-8-hch@lst.de>
On Wed, Mar 21, 2018 at 08:32:30AM +0100, Christoph Hellwig wrote:
> The upcoming aio poll support would like to be able to complete the
> iocb inline from the cancellation context, but that would cause
> a lock order reversal. Add support for optionally moving the cancelation
> outside the context lock to avoid this reversal.
Ouch... Seeing that you've just taken out cmpxchg loop out of kiocb_cancel()
with "serialized on ->ctx_lock" for explanation of safety... Let me check
the aio_poll side of it; this commit might be better off in the poll series,
*if* it is actually correct.
What's to prevent double completions there? Suppose we have iocb sitting on
the wait queue; cancellation callback set, so's "delayed cancel" flag.
Now, somebody tries to cancel the fucker on CPU1. With ctx->lock held the
sucker is found on the list and, just as we mark it "cancelled", driver sends
a wakeup, executing (on CPU2) aio_poll_wake(), calling aio_complete_poll()
(without ctx->lock, so no exclusion with io_cancel(2) on CPU1), which checks
AIO_IOCB_CANCELLED and does not notice the flag being set on CPU1, then
proceeds to __aio_complete_poll() and fput() in there.
In the meanwhile, CPU1 has taken the sucker off the list, dropped the
lock and called kiocb_cancel() on it. Now we get aio_poll_cancel()
and __aio_complete_poll() on CPU1, with *another* fput().
What am I missing here that would prevent such a race?
next prev parent reply other threads:[~2018-03-22 16:33 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-21 7:32 io_pgetevents & aio fsync Christoph Hellwig
2018-03-21 7:32 ` Christoph Hellwig
2018-03-21 7:32 ` [PATCH 1/9] aio: don't print the page size at boot time Christoph Hellwig
2018-03-21 7:32 ` Christoph Hellwig
2018-03-21 9:12 ` Greg KH
2018-03-21 9:12 ` Greg KH
2018-03-21 7:32 ` [PATCH 2/9] aio: remove an outdated comment in aio_complete Christoph Hellwig
2018-03-21 7:32 ` Christoph Hellwig
2018-03-21 9:14 ` Greg KH
2018-03-21 9:14 ` Greg KH
2018-03-21 9:17 ` Christoph Hellwig
2018-03-21 9:17 ` Christoph Hellwig
2018-03-21 7:32 ` [PATCH 3/9] aio: refactor read/write iocb setup Christoph Hellwig
2018-03-21 7:32 ` Christoph Hellwig
2018-03-21 9:15 ` Greg KH
2018-03-21 9:15 ` Greg KH
2018-03-21 7:32 ` [PATCH 4/9] aio: sanitize ki_list handling Christoph Hellwig
2018-03-21 7:32 ` Christoph Hellwig
2018-03-21 9:16 ` Greg KH
2018-03-21 9:16 ` Greg KH
2018-03-22 15:24 ` Al Viro
2018-03-22 15:24 ` Al Viro
2018-03-22 17:04 ` Christoph Hellwig
2018-03-22 17:04 ` Christoph Hellwig
2018-03-21 7:32 ` [PATCH 5/9] aio: simplify cancellation Christoph Hellwig
2018-03-21 7:32 ` Christoph Hellwig
2018-03-21 9:17 ` Greg KH
2018-03-21 9:17 ` Greg KH
2018-03-21 16:23 ` Darrick J. Wong
2018-03-21 16:23 ` Darrick J. Wong
2018-03-21 7:32 ` [PATCH 6/9] aio: delete iocbs from the active_reqs list in kiocb_cancel Christoph Hellwig
2018-03-21 7:32 ` Christoph Hellwig
2018-03-21 9:17 ` Greg KH
2018-03-21 9:17 ` Greg KH
2018-03-21 16:23 ` Darrick J. Wong
2018-03-21 16:23 ` Darrick J. Wong
2018-03-21 7:32 ` [PATCH 7/9] aio: add delayed cancel support Christoph Hellwig
2018-03-21 7:32 ` Christoph Hellwig
2018-03-21 9:18 ` Greg KH
2018-03-21 9:18 ` Greg KH
2018-03-21 16:23 ` Darrick J. Wong
2018-03-21 16:23 ` Darrick J. Wong
2018-03-22 16:33 ` Al Viro [this message]
2018-03-22 16:33 ` Al Viro
2018-03-21 7:32 ` [PATCH 8/9] aio: implement io_pgetevents Christoph Hellwig
2018-03-21 7:32 ` Christoph Hellwig
2018-03-21 9:24 ` Greg KH
2018-03-21 9:24 ` Greg KH
2018-03-21 9:29 ` Christoph Hellwig
2018-03-21 9:29 ` Christoph Hellwig
2018-03-21 14:39 ` Greg KH
2018-03-21 14:39 ` Greg KH
2018-03-21 16:26 ` Darrick J. Wong
2018-03-21 16:26 ` Darrick J. Wong
2018-03-21 7:32 ` [PATCH 9/9] aio: implement IOCB_CMD_FSYNC and IOCB_CMD_FDSYNC Christoph Hellwig
2018-03-21 7:32 ` Christoph Hellwig
2018-03-21 9:27 ` Greg KH
2018-03-21 9:27 ` Greg KH
2018-03-21 9:30 ` Christoph Hellwig
2018-03-21 9:30 ` Christoph Hellwig
2018-03-21 16:26 ` Darrick J. Wong
2018-03-21 16:26 ` Darrick J. Wong
2018-03-22 16:36 ` io_pgetevents & aio fsync Al Viro
2018-03-22 16:36 ` Al Viro
2018-03-22 16:36 ` Al Viro
2018-03-22 16:36 ` Al Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180322163356.GG30522@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=avi@scylladb.com \
--cc=hch@lst.de \
--cc=linux-aio@kvack.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.