From: Al Viro <viro@ZenIV.linux.org.uk>
To: Christoph Hellwig <hch@lst.de>
Cc: Avi Kivity <avi@scylladb.com>,
linux-aio@kvack.org, linux-fsdevel@vger.kernel.org,
netdev@vger.kernel.org, linux-api@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 08/31] aio: implement IOCB_CMD_POLL
Date: Wed, 23 May 2018 01:45:30 +0100
Message-ID: <20180523004530.GG30522@ZenIV.linux.org.uk>
In-Reply-To: <20180522220524.GE30522@ZenIV.linux.org.uk>
On Tue, May 22, 2018 at 11:05:24PM +0100, Al Viro wrote:
> > +{
> > + struct aio_kiocb *iocb = container_of(req, struct aio_kiocb, poll);
> > +
> > + fput(req->file);
> > + aio_complete(iocb, mangle_poll(mask), 0);
> > +}
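Review bot: fput(req->file) runs before aio_complete(iocb, mangle_poll(mask), 0) in this hunk, so the file reference is dropped while the iocb is still on the ctx list and reachable from io_cancel(); nothing here keeps whatever req->head points at (or the module that owns the wait queue) alive for a concurrent aio_poll_cancel(). Swap the two calls so the iocb is completed, and thereby taken off the list, before the file reference goes away: `aio_complete(iocb, mangle_poll(mask), 0);` followed by `fput(req->file);`.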
>
> Careful.
>
> > +static int aio_poll_cancel(struct kiocb *iocb)
> > +{
> > + struct aio_kiocb *aiocb = container_of(iocb, struct aio_kiocb, rw);
> > + struct poll_iocb *req = &aiocb->poll;
> > + struct wait_queue_head *head = req->head;
> > + bool found = false;
> > +
> > + spin_lock(&head->lock);
> > + found = __aio_poll_remove(req);
> > + spin_unlock(&head->lock);
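Review bot: spin_lock(&head->lock) dereferences req->head with nothing in this hunk guaranteeing the wait queue head is still live; once the completion path has dropped its file reference, head can already point at freed memory. The iocb needs to stay completable-but-not-freed for as long as it is on the ctx list, i.e. complete it before fput() on the other side, or pin head with a reference before locking it. Minor: `bool found = false;` is immediately overwritten by `found = __aio_poll_remove(req);`, so the initializer is redundant.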
>
> What's to guarantee that req->head has not been freed by that point?
> Look: wakeup finds ->ctx_lock held, so it leaves the sucker on the
> list, removes it from queue and schedules the call of __aio_poll_complete().
> Which gets executed just as we hit aio_poll_cancel(), starting with fput().
>
> You really want to do aio_complete() before fput(). That way you know that
> req->wait is alive and well at least until iocb gets removed from the list.
Oh, bugger...

wakeup:   removed from queue
wakeup:   schedule __aio_poll_complete()
cancel:   grab ctx->lock
cancel:   remove from list
work:     aio_complete()
work:     check if it's in the list
work:     it isn't, move on to free the sucker
cancel:   call ->ki_cancel()
          BOOM
Looks like we want to call ->ki_cancel() *BEFORE* removing from the list,
as well as doing fput() after aio_complete(). The same ordering, BTW, goes
for aio_read() et al.

Look:

CPU1: io_cancel() grabs ->ctx_lock, finds iocb and removes it from the list.
CPU2: aio_rw_complete() on that iocb. Since the sucker is not in the list
anymore, we do NOT spin on ->ctx_lock and proceed to free iocb.
CPU1: pass freed iocb to ->ki_cancel(). BOOM.

and if we have fput() done first (in aio_rw_complete()) we are vulnerable to

CPU1: io_cancel() grabs ->ctx_lock, finds iocb and removes it from the list.
CPU2: aio_rw_complete() on that iocb. fput() done, opening us to rmmod.
CPU1: call ->ki_cancel(), which points to freed memory now. BOOM.
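The two interleavings above, as an added example that is not part of this thread or of the kernel source: a small userspace model of the io_cancel() CPU and the completion CPU, each reduced to a few atomic steps, so that every interleaving can be enumerated and checked for the moment ->ki_cancel() would touch a freed iocb or a file whose reference has already been dropped. Every name in it (struct run, step_cancel, step_complete, run_schedule, any_uaf, the on_list/freed/file_ref flags) is hypothetical and models aio rather than calling it; the lock is a plain flag because the only property that matters here is who holds ->ctx_lock across which steps.

```c
/* Added example, not code from this thread or from the kernel: a userspace
 * model of the io_cancel() vs. completion interleavings discussed above.
 * Every name (struct run, step_cancel, run_schedule, ...) is hypothetical. */
#include <stdbool.h>
#include <stdio.h>

enum cancel_order   { REMOVE_THEN_CANCEL, CANCEL_THEN_REMOVE }; /* io_cancel() */
enum complete_order { FPUT_THEN_COMPLETE, COMPLETE_THEN_FPUT }; /* completion */

struct run {
    enum cancel_order   corder;
    enum complete_order worder;
    bool lock_held; /* ->ctx_lock; only the cancel CPU holds it across steps */
    bool on_list;   /* iocb still linked into the ctx list */
    bool freed;     /* iocb memory already released by the completion path */
    bool file_ref;  /* fput() not yet done; ->ki_cancel() needs the file alive */
    int  pc1, pc2;  /* next step of CPU1 (io_cancel) and CPU2 (completion) */
    bool uaf;       /* ->ki_cancel() ran against freed iocb or released file */
};

/* ->ki_cancel(): the only thing modelled is what it would dereference. */
static void ki_cancel(struct run *r)
{
    if (r->freed || !r->file_ref)
        r->uaf = true;
}

/* One step of CPU1 (io_cancel()); false when blocked on the lock or done. */
static bool step_cancel(struct run *r)
{
    bool remove_first = r->corder == REMOVE_THEN_CANCEL;
    switch (r->pc1) {
    case 0: /* spin_lock(&ctx->ctx_lock) and look the iocb up in the list */
        if (r->lock_held)
            return false;
        r->lock_held = true;
        if (!r->on_list) {           /* already completed: nothing to cancel */
            r->lock_held = false;
            r->pc1 = 4;
            return true;
        }
        break;
    case 1: if (remove_first) r->on_list = false; else ki_cancel(r); break;
    case 2: if (remove_first) ki_cancel(r); else r->on_list = false; break;
    case 3: r->lock_held = false; break; /* spin_unlock(&ctx->ctx_lock) */
    default: return false;
    }
    r->pc1++;
    return true;
}

/* One step of CPU2 (aio_rw_complete() / __aio_poll_complete()). */
static bool step_complete(struct run *r)
{
    switch (r->pc2) {
    case 0: if (r->worder == FPUT_THEN_COMPLETE) r->file_ref = false; break;
    case 1: /* aio_complete(): an iocb still on the list is unlinked under ->ctx_lock */
        if (r->on_list) {
            if (r->lock_held)
                return false;        /* spin on ->ctx_lock while cancel holds it */
            r->on_list = false;
        }
        break;
    case 2: r->freed = true; break;  /* iocb memory released */
    case 3: if (r->worder == COMPLETE_THEN_FPUT) r->file_ref = false; break;
    default: return false;
    }
    r->pc2++;
    return true;
}

/* Drive a scripted interleaving ('1' = cancel CPU, '2' = completion CPU),
 * then let both CPUs run to completion. Returns true if ->ki_cancel() touched
 * freed state somewhere along the way. */
bool run_schedule(enum cancel_order c, enum complete_order w, const char *sched)
{
    struct run r = { .corder = c, .worder = w, .on_list = true, .file_ref = true };
    for (; *sched; sched++)
        if (*sched == '1') step_cancel(&r); else step_complete(&r);
    while (step_cancel(&r) | step_complete(&r)) /* '|' on purpose: step both */
        ;
    return r.uaf;
}

/* Exhaustively try every interleaving of the first 8 steps. */
bool any_uaf(enum cancel_order c, enum complete_order w)
{
    char sched[9] = { 0 };
    for (int mask = 0; mask < 256; mask++) {
        for (int i = 0; i < 8; i++)
            sched[i] = (mask >> i) & 1 ? '2' : '1';
        if (run_schedule(c, w, sched))
            return true;
    }
    return false;
}

int main(void)
{
    printf("remove-then-cancel + complete-then-fput: %s\n", any_uaf(REMOVE_THEN_CANCEL, COMPLETE_THEN_FPUT) ? "BOOM" : "ok");
    printf("cancel-then-remove + fput-then-complete: %s\n", any_uaf(CANCEL_THEN_REMOVE, FPUT_THEN_COMPLETE) ? "BOOM" : "ok");
    printf("cancel-then-remove + complete-then-fput: %s\n", any_uaf(CANCEL_THEN_REMOVE, COMPLETE_THEN_FPUT) ? "BOOM" : "ok");
    return 0;
}
```

run_schedule("112221") with the remove-then-cancel order is the first CPU1/CPU2 trace: cancel unlinks the iocb under ->ctx_lock, completion sees it off the list, skips the lock and frees it, and ->ki_cancel() then runs on freed memory. run_schedule("211") with fput-before-complete is the second trace: the file reference is gone before ->ki_cancel() runs. With ->ki_cancel() called before the unlink and fput() after aio_complete(), any_uaf() finds no schedule that reaches either state, because a completion that still sees the iocb on the list has to spin on ->ctx_lock until cancel is finished with it.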