Re: [PATCH] unix: avoid use-after-free in ep_remove_wait_queue (w/ Fixes:)

linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Rainer Weikusat <rweikusat@mobileactivedefense.com>
To: David Miller <davem@davemloft.net>
Cc: rweikusat@mobileactivedefense.com, jbaron@akamai.com,
	dvyukov@google.com, syzkaller@googlegroups.com, mkubecek@suse.cz,
	viro@zeniv.linux.org.uk, linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org, hannes@stressinduktion.org,
	dhowells@redhat.com, paul@paul-moore.com, salyzyn@android.com,
	sds@tycho.nsa.gov, ying.xue@windriver.com,
	netdev@vger.kernel.org, kcc@google.com, glider@google.com,
	andreyknvl@google.com, sasha.levin@oracle.com, jln@google.com,
	keescook@google.com, minipli@googlemail.com
Subject: Re: [PATCH] unix: avoid use-after-free in ep_remove_wait_queue (w/ Fixes:)
Date: Wed, 18 Nov 2015 18:15:27 +0000	[thread overview]
Message-ID: <87ziyb6uo0.fsf@doppelsaurus.mobileactivedefense.com> (raw)
In-Reply-To: <20151117.151421.249423864481324472.davem@davemloft.net> (David Miller's message of "Tue, 17 Nov 2015 15:14:21 -0500 (EST)")

David Miller <davem@davemloft.net> writes:
> From: Rainer Weikusat <rweikusat@mobileactivedefense.com>
> Date: Mon, 16 Nov 2015 22:28:40 +0000
>
>> An AF_UNIX datagram socket being the client in an n:1

[...]

> So because of a corner case of epoll handling and sender socket release,
> every single datagram sendmsg has to do a double lock now?
>
> I do not dispute the correctness of your fix at this point, but that
> added cost in the fast path is really too high.

Some more information on this: Running the test program included below
on my 'work' system (otherwise idle, after logging in via VT with no GUI
running)/ quadcore AMD A10-5700, 3393.984 for 20 times/ patched 4.3 resulted in the
following throughput statistics[*]:

avg		13.617  M/s
median		13.393  M/s
max		17.14   M/s
min		13.047  M/s
deviation	0.85

I'll try to post the results for 'unpatched' later as I'm also working
on a couple of other things.

[*] I do not use my fingers for counting, hence, these are binary and
not decimal units.

------------
#include <inttypes.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <unistd.h>

enum {
    MSG_SZ =	16,
    MSGS =	1000000
};

static char msg[MSG_SZ];

static uint64_t tv2u(struct timeval *tv)
{
    uint64_t u;

    u = tv->tv_sec;
    u *= 1000000;
    return u + tv->tv_usec;
}

int main(void)
{
    struct timeval start, stop;
    uint64_t t_diff;
    double rate;
    int sks[2];
    unsigned remain;
    char buf[MSG_SZ];

    socketpair(AF_UNIX, SOCK_SEQPACKET, 0, sks);

    if (fork() == 0) {
	close(*sks);
	
	gettimeofday(&start, 0);
	while (read(sks[1], buf, sizeof(buf)) > 0);
	gettimeofday(&stop, 0);

	t_diff = tv2u(&stop);
	t_diff -= tv2u(&start);
	rate = MSG_SZ * MSGS;
	rate /= t_diff;
	rate *= 1000000;
	printf("rate %fM/s\n", rate / (1 << 20));

	fflush(stdout);
	_exit(0);
    }

    close(sks[1]);
    
    remain = MSGS;
    do write(*sks, msg, sizeof(msg)); while (--remain);
    close(*sks);

    wait(NULL);
    return 0;
}

next prev parent reply	other threads:[~2015-11-18 18:16 UTC|newest]

Thread overview: 43+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-10-12 11:07 Use-after-free in ep_remove_wait_queue Dmitry Vyukov
2015-10-12 12:02 ` Michal Kubecek
2015-10-12 12:14   ` Eric Dumazet
2015-10-12 12:17     ` Dmitry Vyukov
2015-11-06 13:06       ` Dmitry Vyukov
2015-11-06 14:58         ` Jason Baron
2015-11-06 15:15           ` Rainer Weikusat
2015-11-09 14:40             ` [PATCH] unix: avoid use-after-free " Rainer Weikusat
2015-11-09 18:25               ` David Miller
2015-11-10 17:16                 ` Rainer Weikusat
2015-11-09 22:44               ` Jason Baron
2015-11-10 17:38                 ` Rainer Weikusat
2015-11-22 21:43                   ` alternate queueing mechanism (was: [PATCH] unix: avoid use-after-free in ep_remove_wait_queue) Rainer Weikusat
2015-11-10 21:55               ` [PATCH] unix: avoid use-after-free in ep_remove_wait_queue Rainer Weikusat
2015-11-11 12:28                 ` Hannes Frederic Sowa
2015-11-11 16:12                   ` Rainer Weikusat
2015-11-11 18:52                     ` Hannes Frederic Sowa
2015-11-13 19:06                       ` Rainer Weikusat
2015-11-11 17:35                 ` Jason Baron
2015-11-12 19:11                   ` Rainer Weikusat
2015-11-13 18:51                 ` Rainer Weikusat
2015-11-13 22:17                   ` Jason Baron
2015-11-15 18:32                     ` Rainer Weikusat
2015-11-17 16:08                       ` Jason Baron
2015-11-17 18:38                         ` Rainer Weikusat
2015-11-16 22:15                   ` Rainer Weikusat
2015-11-16 22:28                     ` [PATCH] unix: avoid use-after-free in ep_remove_wait_queue (w/ Fixes:) Rainer Weikusat
2015-11-17 16:13                       ` Jason Baron
2015-11-17 20:14                       ` David Miller
2015-11-17 21:37                         ` Rainer Weikusat
2015-11-17 22:09                           ` Rainer Weikusat
2015-11-19 23:48                             ` Rainer Weikusat
2015-11-17 22:48                           ` Rainer Weikusat
2015-11-18 18:15                         ` Rainer Weikusat [this message]
2015-11-18 23:39                           ` more statistics (was: [PATCH] unix: avoid use-after-free in ep_remove_wait_queue (w/ Fixes:)) Rainer Weikusat
2015-11-19 23:52                       ` [PATCH] unix: avoid use-after-free in ep_remove_wait_queue (w/ Fixes:) Rainer Weikusat
2015-11-20 16:03                         ` Jason Baron
2015-11-20 16:21                           ` Rainer Weikusat
2015-11-20 22:07                         ` [PATCH] unix: avoid use-after-free in ep_remove_wait_queue Rainer Weikusat
2015-11-23 16:21                           ` Jason Baron
2015-11-23 17:30                           ` David Miller
2015-11-23 21:37                             ` Rainer Weikusat
2015-11-23 23:06                               ` Rainer Weikusat

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87ziyb6uo0.fsf@doppelsaurus.mobileactivedefense.com \
    --to=rweikusat@mobileactivedefense.com \
    --cc=andreyknvl@google.com \
    --cc=davem@davemloft.net \
    --cc=dhowells@redhat.com \
    --cc=dvyukov@google.com \
    --cc=glider@google.com \
    --cc=hannes@stressinduktion.org \
    --cc=jbaron@akamai.com \
    --cc=jln@google.com \
    --cc=kcc@google.com \
    --cc=keescook@google.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=minipli@googlemail.com \
    --cc=mkubecek@suse.cz \
    --cc=netdev@vger.kernel.org \
    --cc=paul@paul-moore.com \
    --cc=salyzyn@android.com \
    --cc=sasha.levin@oracle.com \
    --cc=sds@tycho.nsa.gov \
    --cc=syzkaller@googlegroups.com \
    --cc=viro@zeniv.linux.org.uk \
    --cc=ying.xue@windriver.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).