[PATCH 1/2] fs: Fix aio rcu ioctx lookup

From: Jan Kara
Date: Tue Feb 15 2011 - 07:59:46 EST

Next message: Jan Kara: "[PATCH 2/2] fs: Fix race between io_destroy() and io_submit() in AIO"
Previous message: Jan Kara: "[PATCH 0/2] aio: Fix use after free bugs"
In reply to: Jan Kara: "[PATCH 0/2] aio: Fix use after free bugs"
Next in thread: Jan Kara: "[PATCH 2/2] fs: Fix race between io_destroy() and io_submit() in AIO"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Nick Piggin <npiggin@xxxxxxxxx>

aio-dio-invalidate-failure GPFs in aio_put_req from io_submit.

lookup_ioctx doesn't implement the rcu lookup pattern properly. rcu_read_lock
does not prevent refcount going to zero, so we might take a refcount on a zero
count ioctx.

Fix the bug by atomically testing for zero refcount before incrementing.

[JK: Added comment into the code]

Reviewed-by: Jeff Moyer <jmoyer@xxxxxxxxxx>
Signed-off-by: Nick Piggin <npiggin@xxxxxxxxx>
Signed-off-by: Jan Kara <jack@xxxxxxx>
---
fs/aio.c | 35 ++++++++++++++++++++++++-----------
1 files changed, 24 insertions(+), 11 deletions(-)

diff --git a/fs/aio.c b/fs/aio.c
index fc557a3..b4dd668 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -239,15 +239,23 @@ static void __put_ioctx(struct kioctx *ctx)
call_rcu(&ctx->rcu_head, ctx_rcu_free);
}

-#define get_ioctx(kioctx) do { \
- BUG_ON(atomic_read(&(kioctx)->users) <= 0); \
- atomic_inc(&(kioctx)->users); \
-} while (0)
-#define put_ioctx(kioctx) do { \
- BUG_ON(atomic_read(&(kioctx)->users) <= 0); \
- if (unlikely(atomic_dec_and_test(&(kioctx)->users))) \
- __put_ioctx(kioctx); \
-} while (0)
+static inline void get_ioctx(struct kioctx *kioctx)
+{
+ BUG_ON(atomic_read(&kioctx->users) <= 0);
+ atomic_inc(&kioctx->users);
+}
+
+static inline int try_get_ioctx(struct kioctx *kioctx)
+{
+ return atomic_inc_not_zero(&kioctx->users);
+}
+
+static inline void put_ioctx(struct kioctx *kioctx)
+{
+ BUG_ON(atomic_read(&kioctx->users) <= 0);
+ if (unlikely(atomic_dec_and_test(&kioctx->users)))
+ __put_ioctx(kioctx);
+}

/* ioctx_alloc
* Allocates and initializes an ioctx. Returns an ERR_PTR if it failed.
@@ -601,8 +609,13 @@ static struct kioctx *lookup_ioctx(unsigned long ctx_id)
rcu_read_lock();

hlist_for_each_entry_rcu(ctx, n, &mm->ioctx_list, list) {
- if (ctx->user_id == ctx_id && !ctx->dead) {
- get_ioctx(ctx);
+ /*
+ * RCU protects us against accessing freed memory but
+ * we have to be careful not to get a reference when the
+ * reference count already dropped to 0 (ctx->dead test
+ * is unreliable because of races).
+ */
+ if (ctx->user_id == ctx_id && !ctx->dead && try_get_ioctx(ctx)){
ret = ctx;
break;
}
--
1.7.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Jan Kara: "[PATCH 2/2] fs: Fix race between io_destroy() and io_submit() in AIO"
Previous message: Jan Kara: "[PATCH 0/2] aio: Fix use after free bugs"
In reply to: Jan Kara: "[PATCH 0/2] aio: Fix use after free bugs"
Next in thread: Jan Kara: "[PATCH 2/2] fs: Fix race between io_destroy() and io_submit() in AIO"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]