lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 25 Jan 2013 21:30:32 +0800
From:	Hillf Danton <dhillf@...il.com>
To:	Kent Overstreet <koverstreet@...gle.com>
Cc:	akpm@...ux-foundation.org, Valdis.Kletnieks@...edu, bcrl@...ck.org,
	zab@...bo.net, linux-kernel@...r.kernel.org, linux-aio@...ck.org,
	linux-fsdevel@...r.kernel.org
Subject: Re: [PATCH 3/3] aio-use-cancellation-list-lazily-fix

On Fri, Jan 25, 2013 at 5:43 AM, Kent Overstreet <koverstreet@...gle.com> wrote:
> The cancellation changes were fubar - we can't cancel a kiocb if it
> doesn't actually have a cancellation callback.
>
> The use of xchg() in aio_complete() was right - there we're marking the
> kiocb as completed - but we need to use cmpxchg() in kiocb_cancel() - a
> lock isn't sufficient since we're synchronizing with aio_complete()
> which isn't taking any locks.
>

What is observed without this fix?

> Signed-off-by: Kent Overstreet <koverstreet@...gle.com>
> ---
>  fs/aio.c            | 32 ++++++++++++++++++++++----------
>  include/linux/aio.h | 11 +++++++++++
>  2 files changed, 33 insertions(+), 10 deletions(-)
>
> diff --git a/fs/aio.c b/fs/aio.c
> index 85d1b38..2760180 100644
> --- a/fs/aio.c
> +++ b/fs/aio.c
> @@ -244,28 +244,40 @@ static int aio_setup_ring(struct kioctx *ctx)
>
>  void kiocb_set_cancel_fn(struct kiocb *req, kiocb_cancel_fn *cancel)
>  {
> -       if (!req->ki_list.next) {
> -               struct kioctx *ctx = req->ki_ctx;
> -               unsigned long flags;
> +       struct kioctx *ctx = req->ki_ctx;
> +       unsigned long flags;
>
> -               spin_lock_irqsave(&ctx->ctx_lock, flags);
> +       spin_lock_irqsave(&ctx->ctx_lock, flags);
> +
> +       if (!req->ki_list.next)
>                 list_add(&req->ki_list, &ctx->active_reqs);
> -               spin_unlock_irqrestore(&ctx->ctx_lock, flags);
> -       }
>
>         req->ki_cancel = cancel;
> +
> +       spin_unlock_irqrestore(&ctx->ctx_lock, flags);
>  }
>  EXPORT_SYMBOL(kiocb_set_cancel_fn);
>
>  static int kiocb_cancel(struct kioctx *ctx, struct kiocb *kiocb,
>                         struct io_event *res)
>  {
> -       kiocb_cancel_fn *cancel;
> +       kiocb_cancel_fn *old, *cancel;
>         int ret = -EINVAL;
>
> -       cancel = xchg(&kiocb->ki_cancel, KIOCB_CANCELLED);
> -       if (!cancel || cancel == KIOCB_CANCELLED)
> -               return ret;
> +       /*
> +        * Don't want to set kiocb->ki_cancel = KIOCB_CANCELLED unless it
> +        * actually has a cancel function, hence the cmpxchg()
> +        */
> +
> +       cancel = ACCESS_ONCE(kiocb->ki_cancel);
> +       do {
> +               if (!cancel || cancel == KIOCB_CANCELLED)
> +                       return ret;
> +
> +               BUG();

Hmm, what is trapped?

> +               old = cancel;
> +               cancel = cmpxchg(&kiocb->ki_cancel, old, KIOCB_CANCELLED);
> +       } while (cancel != old);
>
>         atomic_inc(&kiocb->ki_users);
>         spin_unlock_irq(&ctx->ctx_lock);
> diff --git a/include/linux/aio.h b/include/linux/aio.h
> index 8eaa490..cd4aea0 100644
> --- a/include/linux/aio.h
> +++ b/include/linux/aio.h
> @@ -15,6 +15,17 @@ struct batch_complete;
>
>  #define KIOCB_KEY              0
>
> +/*
> + * We use ki_cancel == KIOCB_CANCELLED to indicate that a kiocb has been either
> + * cancelled or completed (this makes a certain amount of sense because
> + * successful cancellation - io_cancel() - does deliver the completion to
> + * userspace).
> + *
> + * And since most things don't implement kiocb cancellation and we'd really like
> + * kiocb completion to be lockless when possible, we use ki_cancel to
> + * synchronize cancellation and completion - we only set it to KIOCB_CANCELLED
> + * with xchg() or cmpxchg(), see batch_complete_aio() and kiocb_cancel().
> + */
>  #define KIOCB_CANCELLED                ((void *) (~0ULL))
>
>  typedef int (kiocb_cancel_fn)(struct kiocb *, struct io_event *);
> --
> 1.7.12
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ