| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 25 Aug 2014 18:11:12 -0700 From: Kent Overstreet <kmo@...erainc.com> To: Linus Torvalds <torvalds@...ux-foundation.org> Cc: Dan Aloni <dan@...nelim.com>, Benjamin LaHaise <bcrl@...ck.org>, "security@...nel.org" <security@...nel.org>, linux-aio@...ck.org, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, Mateusz Guzik <mguzik@...hat.com>, Petr Matousek <pmatouse@...hat.com>, Jeff Moyer <jmoyer@...hat.com>, stable <stable@...r.kernel.org> Subject: Re: Revert "aio: fix aio request leak when events are reaped by user space" On Fri, Aug 22, 2014 at 02:43:56PM -0700, Linus Torvalds wrote: > On Fri, Aug 22, 2014 at 11:51 AM, Dan Aloni <dan@...nelim.com> wrote: > > > > Ben, seems that the test program needs some twidling to make the bug > > appear still by setting MAX_IOS to 256 (and it still passes on a > > kernel with the original patch reverted). Under this condition the > > ring buffer size remains 128 (here, 32*4 CPUs), and it is overrun on > > the second attempt. > > Ugh. > > Ben, at this point my gut feel is that we should just revert the > original "fix", and you should take a much deeper look at this all. > The original "fix" was more broken then the leak it purported to fix, > and now the patch to fix your fix has gone through two iterations and > *still* Dan is finding bugs in it. I'm getting the feeling that this > code needs more thinking than you are actually putting into it. Ugh, I should've dug into this a lot sooner... mea culpa, I originally wrote this percpu reqs_available() nonsense (can I unwrite code?) Coming into the discussion late, here's my understanding, please correct me if I'm wrong and I'll blame the cold medication... The original patch f8567a3845ac05bb28f3c1b478ef752762bd39ef was broken because it changed the logic so that a slot was considered available once an iocb completion had been delivered to the ring buffer. BUT THE THING THAT IT'S COUNTING IS AVAILABLE SLOTS IN THE RINGBUFFER: get_reqs_available() is reserving a slot in the ringbuffer, we can't do the put() until the event is actually consumed. took me a minute to figure out the logic in Ben's current patch, but here's what's going on as I understand it * maintain a count of events we add to the ring * if there's fewer events in the ring than that count, the difference has been reaped so we can release their slots and nothing else changes. we're just accounting one more thing, completed_events, and the rest stays the same. so, it took me a bit to figure out what was being accounted, I think the code could stand some new comments explaining how this works (though I'm certainly not one to throw stones) - but the new version makes sense to me, I do agree with the approach. Reviewed-by: Kent Overstreet <kmo@...erainc.com> I think I owe Ben beer at some point... -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists