From: Kent Overstreet <kmo@daterainc.com>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Dan Aloni <dan@kernelim.com>, Benjamin LaHaise <bcrl@kvack.org>,
"security@kernel.org" <security@kernel.org>,
linux-aio@kvack.org,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Mateusz Guzik <mguzik@redhat.com>,
Petr Matousek <pmatouse@redhat.com>,
Jeff Moyer <jmoyer@redhat.com>, stable <stable@vger.kernel.org>
Subject: Re: Revert "aio: fix aio request leak when events are reaped by user space"
Date: Mon, 25 Aug 2014 18:11:12 -0700 [thread overview]
Message-ID: <20140826011112.GA10095@kmo-pixel> (raw)
In-Reply-To: <CA+55aFzZbRkEh_MbB-XmurVP-4seMP3z9tbq+YQOhkjtDNTzfg@mail.gmail.com>
On Fri, Aug 22, 2014 at 02:43:56PM -0700, Linus Torvalds wrote:
> On Fri, Aug 22, 2014 at 11:51 AM, Dan Aloni <dan@kernelim.com> wrote:
> >
> > Ben, seems that the test program needs some twidling to make the bug
> > appear still by setting MAX_IOS to 256 (and it still passes on a
> > kernel with the original patch reverted). Under this condition the
> > ring buffer size remains 128 (here, 32*4 CPUs), and it is overrun on
> > the second attempt.
>
> Ugh.
>
> Ben, at this point my gut feel is that we should just revert the
> original "fix", and you should take a much deeper look at this all.
> The original "fix" was more broken then the leak it purported to fix,
> and now the patch to fix your fix has gone through two iterations and
> *still* Dan is finding bugs in it. I'm getting the feeling that this
> code needs more thinking than you are actually putting into it.
Ugh, I should've dug into this a lot sooner... mea culpa, I originally wrote
this percpu reqs_available() nonsense (can I unwrite code?)
Coming into the discussion late, here's my understanding, please correct me if
I'm wrong and I'll blame the cold medication...
The original patch f8567a3845ac05bb28f3c1b478ef752762bd39ef was broken because
it changed the logic so that a slot was considered available once an iocb
completion had been delivered to the ring buffer. BUT THE THING THAT IT'S
COUNTING IS AVAILABLE SLOTS IN THE RINGBUFFER: get_reqs_available() is reserving
a slot in the ringbuffer, we can't do the put() until the event is actually
consumed.
took me a minute to figure out the logic in Ben's current patch, but here's
what's going on as I understand it
* maintain a count of events we add to the ring
* if there's fewer events in the ring than that count, the difference has been
reaped so we can release their slots
and nothing else changes. we're just accounting one more thing,
completed_events, and the rest stays the same.
so, it took me a bit to figure out what was being accounted, I think the code
could stand some new comments explaining how this works (though I'm certainly
not one to throw stones) - but the new version makes sense to me, I do agree
with the approach.
Reviewed-by: Kent Overstreet <kmo@daterainc.com>
I think I owe Ben beer at some point...
next prev parent reply other threads:[~2014-08-26 1:11 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-06-24 18:01 [PATCH 0/2] aio: fixes for kernel memory disclosure in aio read events Benjamin LaHaise
2014-06-24 18:01 ` [PATCH 1/2] aio: fix aio request leak when events are reaped by userspace Benjamin LaHaise
2014-06-24 18:20 ` Jeff Moyer
2014-08-19 16:37 ` Revert "aio: fix aio request leak when events are reaped by user space" Dan Aloni
2014-08-19 16:54 ` Benjamin LaHaise
2014-08-19 17:14 ` Dan Aloni
2014-08-20 0:46 ` Benjamin LaHaise
2014-08-22 16:01 ` Benjamin LaHaise
2014-08-22 16:15 ` Dan Aloni
2014-08-22 16:26 ` Benjamin LaHaise
2014-08-22 18:51 ` Dan Aloni
2014-08-22 21:43 ` Linus Torvalds
2014-08-24 18:11 ` Benjamin LaHaise
2014-08-26 1:11 ` Kent Overstreet [this message]
2014-08-24 18:05 ` Benjamin LaHaise
2014-08-24 18:48 ` Dan Aloni
2014-08-27 20:26 ` Jeff Moyer
2014-08-25 15:06 ` Elliott, Robert (Server Storage)
2014-08-25 15:11 ` Benjamin LaHaise
2014-06-24 18:02 ` [PATCH 2/2] aio: fix kernel memory disclosure in io_getevents() introduced in v3.10 Benjamin LaHaise
2014-06-24 18:23 ` Jeff Moyer
2014-06-24 18:39 ` Benjamin LaHaise
2014-06-24 19:21 ` Jeff Moyer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140826011112.GA10095@kmo-pixel \
--to=kmo@daterainc.com \
--cc=bcrl@kvack.org \
--cc=dan@kernelim.com \
--cc=jmoyer@redhat.com \
--cc=linux-aio@kvack.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mguzik@redhat.com \
--cc=pmatouse@redhat.com \
--cc=security@kernel.org \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).