lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20130214013609.GN12631@moria.home.lan>
Date:	Wed, 13 Feb 2013 17:36:09 -0800
From:	Kent Overstreet <koverstreet@...gle.com>
To:	Benjamin LaHaise <bcrl@...ck.org>
Cc:	Andrew Morton <akpm@...ux-foundation.org>, linux-aio@...ck.org,
	linux-fsdevel@...r.kernel.org,
	Linux Kernel <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 2/2] aio: fix kioctx not being freed after cancellation
 at exit time

On Wed, Feb 13, 2013 at 12:46:36PM -0500, Benjamin LaHaise wrote:
> The recent changes overhauling fs/aio.c introduced a bug that results in the
> kioctx not being freed when outstanding kiocbs are cancelled at exit_aio()
> time.  Specifically, a kiocb that is cancelled has its completion events
> discarded by batch_complete_aio(), which then fails to wake up the process
> stuck in free_ioctx().  Fix this by adding a wake_up() in batch_complete_aio()
> and modifying the wait_event() condition in free_ioctx() appropriately.
> 
> Signed-off-by: Benjamin LaHaise <bcrl@...ck.org>
> ---
>  fs/aio.c |    5 ++++-
>  1 files changed, 4 insertions(+), 1 deletions(-)
> 
> diff --git a/fs/aio.c b/fs/aio.c
> index dc52b0c..46f9dd0 100644
> --- a/fs/aio.c
> +++ b/fs/aio.c
> @@ -335,7 +335,9 @@ static void free_ioctx(struct kioctx *ctx)
>  	kunmap_atomic(ring);
>  
>  	while (atomic_read(&ctx->reqs_available) < ctx->nr) {
> -		wait_event(ctx->wait, head != ctx->shadow_tail);
> +		wait_event(ctx->wait,
> +			   (head != ctx->shadow_tail) ||
> +			   (atomic_read(&ctx->reqs_available) != ctx->nr));

That test looks backwards - I think we want to wait until reqs_available
== ctx->nr

>  
>  		avail = (head <= ctx->shadow_tail ?
>  			 ctx->shadow_tail : ctx->nr) - head;
> @@ -754,6 +756,7 @@ void batch_complete_aio(struct batch_complete *batch)
>  			 * with free_ioctx()
>  			 */
>  			atomic_inc(&req->ki_ctx->reqs_available);
> +			wake_up(&req->ki_ctx->wait);
>  			aio_put_req(req);
>  			continue;
>  		}
> -- 
> 1.7.4.1
> 
> 
> -- 
> "Thought is the essence of where you are now."
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ