From: Dan Aloni <dan@kernelim.com>
To: Benjamin LaHaise <bcrl@kvack.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
security@kernel.org, linux-aio@kvack.org,
linux-kernel@vger.kernel.org, Mateusz Guzik <mguzik@redhat.com>,
Petr Matousek <pmatouse@redhat.com>,
Kent Overstreet <kmo@daterainc.com>,
Jeff Moyer <jmoyer@redhat.com>,
stable@vger.kernel.org
Subject: Re: Revert "aio: fix aio request leak when events are reaped by user space"
Date: Sun, 24 Aug 2014 21:48:21 +0300 [thread overview]
Message-ID: <20140824184821.GA5449@gmail.com> (raw)
In-Reply-To: <20140824180531.GC4376@kvack.org>
On Sun, Aug 24, 2014 at 02:05:31PM -0400, Benjamin LaHaise wrote:
> On Fri, Aug 22, 2014 at 09:51:10PM +0300, Dan Aloni wrote:
> > Ben, seems that the test program needs some twidling to make the bug
> > appear still by setting MAX_IOS to 256 (and it still passes on a
> > kernel with the original patch reverted). Under this condition the
> > ring buffer size remains 128 (here, 32*4 CPUs), and it is overrun on
> > the second attempt.
>
> Thanks for checking that. I've made some further changes to your test
> program to be able to support both userspace event reaping and using the
> io_getevents() syscall. I also added a --max-ios= parameter to allow
> using different values of MAX_IOS for testing. A copy of the modified
> source is available at http://www.kvack.org/~bcrl/20140824-aio_bug.c .
> With this version of the patch, both means of reaping events now work
> corectly. The aio_bug.c code still needs to be added to libaio's set
> of tests, but that's a separate email.
I like your extension to the test program. I have a suggestion for
the integration inside libaio's harness, since the original issue
depended on the size of the ring buffer, let's have max_ios be picked
from {ring->nr + 1, ring->nr - 1, ring->nr}*{1,2,3,4} for the various
test cases. I guess Jeff who is maintaining it will have some ideas
too.
>[snip]
> If you can have a quick look and acknowledge with your Signed-off-by, I'll
> add it to the commit and send a pull request. With these changes and the
> modified aio_bug.c, the test passes using various random values for
> max_ios, as well as both with and without --user_getevents validating that
> both regressions involved have now been fixed.
I haven't tested it yet due to lack of more time today (will give it a
try tomorrow), but I've reviewed and didn't find any problem.
Signed-off-by: Dan Aloni <dan@kernelim.com>
>
> ...
> > BTW, I am not an expert on this code so I am still not sure that
> > 'ctx->completed_events' wouldn't get wrong if for instance - one SMP
> > core does userspace event reaping and another calls io_submit(). Do
> > you think it would work alright in that case?
>
> This should be SMP safe: both ctx->completed_events and ctx->tail are
> protected ctx->completion_lock. Additionally, possible races with
> grabbing the value of ring->head should also be safe, and I added a
> comment explaining why. Does that address your concerns? Cheers,
Yes, thanks.
--
Dan Aloni
next prev parent reply other threads:[~2014-08-24 18:48 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-06-24 18:01 [PATCH 0/2] aio: fixes for kernel memory disclosure in aio read events Benjamin LaHaise
2014-06-24 18:01 ` [PATCH 1/2] aio: fix aio request leak when events are reaped by userspace Benjamin LaHaise
2014-06-24 18:20 ` Jeff Moyer
2014-08-19 16:37 ` Revert "aio: fix aio request leak when events are reaped by user space" Dan Aloni
2014-08-19 16:54 ` Benjamin LaHaise
2014-08-19 17:14 ` Dan Aloni
2014-08-20 0:46 ` Benjamin LaHaise
2014-08-22 16:01 ` Benjamin LaHaise
2014-08-22 16:15 ` Dan Aloni
2014-08-22 16:26 ` Benjamin LaHaise
2014-08-22 18:51 ` Dan Aloni
2014-08-22 21:43 ` Linus Torvalds
2014-08-24 18:11 ` Benjamin LaHaise
2014-08-26 1:11 ` Kent Overstreet
2014-08-24 18:05 ` Benjamin LaHaise
2014-08-24 18:48 ` Dan Aloni [this message]
2014-08-27 20:26 ` Jeff Moyer
2014-08-25 15:06 ` Elliott, Robert (Server Storage)
2014-08-25 15:11 ` Benjamin LaHaise
2014-06-24 18:02 ` [PATCH 2/2] aio: fix kernel memory disclosure in io_getevents() introduced in v3.10 Benjamin LaHaise
2014-06-24 18:23 ` Jeff Moyer
2014-06-24 18:39 ` Benjamin LaHaise
2014-06-24 19:21 ` Jeff Moyer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140824184821.GA5449@gmail.com \
--to=dan@kernelim.com \
--cc=bcrl@kvack.org \
--cc=jmoyer@redhat.com \
--cc=kmo@daterainc.com \
--cc=linux-aio@kvack.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mguzik@redhat.com \
--cc=pmatouse@redhat.com \
--cc=security@kernel.org \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).