From: Benjamin LaHaise <bcrl@kvack.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Linux Kernel <linux-kernel@vger.kernel.org>,
linux-aio@kvack.org, linux-fsdevel@vger.kernel.org,
Jan Kara <jack@suse.cz>, Dmitry Vyukov <dvyukov@google.com>
Subject: [GIT PULL] aio: a couple of fixes for 4.4
Date: Sat, 9 Jan 2016 17:08:26 -0500
Message-ID: <20160109220826.GA11174@kvack.org>
Hello Linus et al,
Please consider pulling the following changes to fix a couple of issues
reported by Dmitry from git://git.kvack.org/~bcrl/aio-fixes.git . Thanks!
-ben
Benjamin LaHaise (1):
aio: handle integer overflow in io_getevents() timespec usage
Jan Kara (1):
aio: Fix freeze protection of aio writes
fs/aio.c | 33 ++++++++++++++++++++++++++++++---
include/linux/fs.h | 1 +
2 files changed, 31 insertions(+), 3 deletions(-)
--
2.5.0
From fec65924b0b08095f820ad11cff3fd15fb29b436 Mon Sep 17 00:00:00 2001
From: Benjamin LaHaise <bcrl@kvack.org>
Date: Thu, 7 Jan 2016 10:37:58 -0500
Subject: [PATCH 1/2] aio: handle integer overflow in io_getevents() timespec
usage
Dmitry Vyukov reported an integer overflow in io_getevents() when
running a fuzzer. Upon investigation, the trigger appears to be that
an invalid value for the tv_sec or tv_nsec was passed in which is not
handled by timespec_to_ktime(). This patch fixes that by making
io_getevents() return -EINVAL when timespec_valid() checks fail. We
use timespec_valid() instead of timespec_valid_strict() to avoid issues
caused by userspace not knowing the cutoff for KTIME_SEC_MAX.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
Acked-by: Dmitry Vyukov <dvyukov@google.com>
diff --git a/fs/aio.c b/fs/aio.c
index 155f842..e0d5398 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -1269,6 +1269,8 @@ static long read_events(struct kioctx *ctx, long min_nr, long nr,
if (unlikely(copy_from_user(&ts, timeout, sizeof(ts))))
return -EFAULT;
+ if (!timespec_valid(&ts))
+ return -EINVAL;
until = timespec_to_ktime(ts);
}
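Review bot: the new timespec_valid() check makes a negative tv_sec or an out-of-range tv_nsec fail with -EINVAL where read_events() previously handed the value straight to timespec_to_ktime(); that is a user-visible change to io_getevents(), so the EINVAL case for an invalid timeout should be added to the man page as well as the commit message. Placing the check directly after copy_from_user() is right: it runs on exactly the user-supplied value and before any conversion. As the commit message says, timespec_valid() (not the _strict variant) still lets tv_sec >= KTIME_SEC_MAX through, relying on the saturation inside timespec_to_ktime(); a short comment at the check would save the next reader from "fixing" it to the strict form.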
--
2.5.0
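Added example, not part of the pull request or of either patch: a user-space C model of the timeout handling that patch 1/2 changes in read_events(). The model_* functions are this example's own names; model_timespec_valid() follows the kernel's non-strict timespec_valid() (tv_sec >= 0, 0 <= tv_nsec < NSEC_PER_SEC) and model_to_ktime() follows ktime_set(), which saturates at KTIME_SEC_MAX but otherwise multiplies without an overflow check. The inputs in main() are constructed to show which timespec shapes the new check rejects and which large-but-valid one it deliberately lets through.

```c
/*
 * Added example, not from the patch: user-space model of the timeout
 * validation patch 1/2 adds to read_events(). The model_* names are this
 * example's own; the constants and the check logic follow the kernel's
 * timespec_valid() and ktime_set().
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define NSEC_PER_SEC   1000000000LL
#define KTIME_MAX      INT64_MAX                  /* kernel: (s64)~((u64)1 << 63) */
#define KTIME_SEC_MAX  (KTIME_MAX / NSEC_PER_SEC)
#define MODEL_EINVAL   22

/* Non-strict check, as used by the patch: rejects negative seconds and
 * out-of-range nanoseconds, but deliberately not tv_sec >= KTIME_SEC_MAX. */
static bool model_timespec_valid(const struct timespec *ts)
{
	if (ts->tv_sec < 0)
		return false;
	if ((unsigned long)ts->tv_nsec >= NSEC_PER_SEC)
		return false;
	return true;
}

/* Like ktime_set(): saturate a huge positive tv_sec, otherwise compute
 * sec * NSEC_PER_SEC + nsec with no overflow check. Only safe on input that
 * passed model_timespec_valid(): the compare below is signed, so a
 * sufficiently negative tv_sec would make the multiplication overflow. */
static int64_t model_to_ktime(const struct timespec *ts)
{
	if ((int64_t)ts->tv_sec >= KTIME_SEC_MAX)
		return KTIME_MAX;
	return (int64_t)ts->tv_sec * NSEC_PER_SEC + (int64_t)ts->tv_nsec;
}

/* Would the unchecked arithmetic in model_to_ktime() overflow int64_t for
 * these field values? Uses checked builtins so this example never performs
 * the overflow itself. */
static bool model_conversion_overflows(int64_t sec, int64_t nsec)
{
	int64_t prod, sum;

	if (__builtin_mul_overflow(sec, NSEC_PER_SEC, &prod))
		return true;
	return __builtin_add_overflow(prod, nsec, &sum);
}

/* The patched read_events() ordering: validate the copied-in timespec, then
 * convert. Returns -EINVAL (as -22) or the deadline in nanoseconds. */
static int64_t model_parse_timeout(long sec, long nsec)
{
	struct timespec ts = { .tv_sec = sec, .tv_nsec = nsec };

	if (!model_timespec_valid(&ts))
		return -MODEL_EINVAL;
	return model_to_ktime(&ts);
}

int main(void)
{
	/* Constructed inputs: a normal timeout, the three shapes the check
	 * rejects, and a huge non-negative tv_sec that the non-strict check
	 * accepts and ktime_set() saturates instead of overflowing. */
	const struct { long sec, nsec; } cases[] = {
		{ 1, 500000000 }, { -1, 0 }, { 0, NSEC_PER_SEC }, { 0, -1 },
		{ (long)KTIME_SEC_MAX, 0 },
	};

	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		int64_t r = model_parse_timeout(cases[i].sec, cases[i].nsec);

		printf("{%ld, %ld} -> %lld%s\n", cases[i].sec, cases[i].nsec,
		       (long long)r,
		       model_conversion_overflows(cases[i].sec, cases[i].nsec)
		       ? "  (unchecked conversion would overflow)" : "");
	}
	return 0;
}
```

The last case is the one the commit message's choice of timespec_valid() over timespec_valid_strict() is about: userspace has no portable way to know KTIME_SEC_MAX, so a very large tv_sec is accepted and clamped rather than rejected, while the negative and out-of-range shapes that can drive the multiply-add past INT64_MAX are refused before conversion.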
From 3b9688ff1e083a3c981bbc795f823fb0b0f2aacc Mon Sep 17 00:00:00 2001
From: Jan Kara <jack@suse.cz>
Date: Thu, 7 Jan 2016 16:03:04 +0100
Subject: [PATCH 2/2] aio: Fix freeze protection of aio writes
Currently we dropped freeze protection of aio writes just after IO was
submitted. Thus aio write could be in flight while the filesystem was
frozen and that could result in unexpected situations like aio completion
wanting to convert extent type on frozen filesystem. Testcase from
Dmitry triggering this is like:
for ((i=0;i<60;i++));do fsfreeze -f /mnt ;sleep 1;fsfreeze -u /mnt;done &
fio --bs=4k --ioengine=libaio --iodepth=128 --size=1g --direct=1 \
--runtime=60 --filename=/mnt/file --name=rand-write --rw=randwrite
Fix the problem by dropping freeze protection only once IO is completed
in aio_complete().
Reported-by: Dmitry Monakhov <dmonakhov@openvz.org>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
diff --git a/fs/aio.c b/fs/aio.c
index e0d5398..a574944 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -1065,6 +1065,19 @@ static void aio_complete(struct kiocb *kiocb, long res, long res2)
unsigned tail, pos, head;
unsigned long flags;
+ if (kiocb->ki_flags & IOCB_WRITE) {
+ struct file *f = kiocb->ki_filp;
+
+ /*
+ * Tell lockdep we inherited freeze protection from submission
+ * thread.
+ */
+ percpu_rwsem_acquire(
+ &f->f_inode->i_sb->s_writers.rw_sem[SB_FREEZE_WRITE-1],
+ 1, _THIS_IP_);
+ file_end_write(f);
+ }
+
/*
* Special case handling for sync iocbs:
* - events go directly into the iocb for fast handling
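Review bot: the percpu_rwsem_acquire() here and its counterpart percpu_rwsem_release() in aio_run_iocb() both open-code `&f->f_inode->i_sb->s_writers.rw_sem[SB_FREEZE_WRITE-1]`; a small helper in include/linux/fs.h next to file_start_write()/file_end_write() (hypothetical, not in this series) would keep the s_writers index arithmetic in one place and make the hand-over between submitter and completer explicit. This block also dereferences kiocb->ki_filp from the completion path, so it depends on the iocb still holding its file reference when aio_complete() runs; a one-line comment stating that would help, since the comment present only covers the lockdep side.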
@@ -1451,13 +1464,25 @@ rw_common:
len = ret;
- if (rw == WRITE)
+ if (rw == WRITE) {
file_start_write(file);
+ req->ki_flags |= IOCB_WRITE;
+ }
ret = iter_op(req, &iter);
- if (rw == WRITE)
- file_end_write(file);
+ if (rw == WRITE) {
+ /*
+ * We release freeze protection in aio_complete(). Fool
+ * lockdep by telling it the lock got released so that
+ * it doesn't complain about held lock when we return
+ * to userspace.
+ */
+ percpu_rwsem_release(
+ &file->f_inode->i_sb->s_writers.rw_sem[SB_FREEZE_WRITE-1],
+ 1, _THIS_IP_);
+ }
+
kfree(iovec);
break;
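Review bot: with file_end_write() moved into aio_complete(), correctness now rests on aio_complete() running exactly once for every write iocb that reached file_start_write(), including when iter_op() fails synchronously rather than returning -EIOCBQUEUED; the new comment only explains the lockdep trick, so spell out that invariant as well. Note that the percpu_rwsem_release() is unconditional on ret, which is fine only because, as the comment says, it merely tells lockdep the lock was handed off; the real release is the file_end_write() call in aio_complete().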
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 3aa5142..54af40e 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -319,6 +319,7 @@ struct writeback_control;
#define IOCB_EVENTFD (1 << 0)
#define IOCB_APPEND (1 << 1)
#define IOCB_DIRECT (1 << 2)
+#define IOCB_WRITE (1 << 3)
struct kiocb {
struct file *ki_filp;
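Review bot: the new IOCB_WRITE define carries no comment explaining what it marks. Since aio_run_iocb() sets it and aio_complete() consumes it to decide whether to call file_end_write(), a brief note at the #define (that the bit marks a write whose freeze protection is released at completion) would keep it from being reused with a different meaning later.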
--
2.5.0
--
"Thought is the essence of where you are now."