From patchwork Wed May 23 19:19:50 2018
X-Patchwork-Submitter: Christoph Hellwig
X-Patchwork-Id: 10422067
From: Christoph Hellwig
To: viro@zeniv.linux.org.uk
Cc: Avi Kivity, linux-aio@kvack.org, linux-fsdevel@vger.kernel.org, netdev@vger.kernel.org, linux-api@vger.kernel.org, linux-kernel@vger.kernel.org, stable@kernel.org
Subject: [PATCH 01/33] fix io_destroy()/aio_complete() race
Date: Wed, 23 May 2018 21:19:50 +0200
Message-Id: <20180523192022.1703-2-hch@lst.de>
In-Reply-To: <20180523192022.1703-1-hch@lst.de>
References: <20180523192022.1703-1-hch@lst.de>
From: Al Viro

If io_destroy() gets to cancelling everything that can be cancelled and gets to kiocb_cancel() calling the function driver has left in ->ki_cancel, it becomes vulnerable to a race with IO completion. At that point req is already taken off the list and aio_complete() does *NOT* spin until we (in free_ioctx_users()) release ->ctx_lock. As the result, it proceeds to kiocb_free(), freeing req just as it gets passed to ->ki_cancel().

Fix is simple - remove from the list after the call of kiocb_cancel(). All instances of ->ki_cancel() already have to cope with being called with iocb still on list - that's what happens in io_cancel(2).

Cc: stable@kernel.org
Fixes: 0460fef2a921 "aio: use cancellation list lazily"
Signed-off-by: Al Viro
Signed-off-by: Christoph Hellwig
--- fs/aio.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/fs/aio.c b/fs/aio.c index 755d3f57bcc8..1c383bb44b2d 100644 --- a/fs/aio.c +++ b/fs/aio.c @@ -639,9 +639,8 @@ static void free_ioctx_users(struct percpu_ref *ref) while (!list_empty(&ctx->active_reqs)) { req = list_first_entry(&ctx->active_reqs, struct aio_kiocb, ki_list); - - list_del_init(&req->ki_list); kiocb_cancel(req); + list_del_init(&req->ki_list); } spin_unlock_irq(&ctx->ctx_lock);
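Review bot: The order of the two calls in the free_ioctx_users() loop is now the whole fix, but nothing in the code says so: `kiocb_cancel(req);` followed by `list_del_init(&req->ki_list);` looks like a harmless reordering that a later cleanup could swap back, reintroducing the use-after-free described in the commit message. A short comment above `kiocb_cancel(req);` would help, stating that req must stay on ctx->active_reqs until ->ki_cancel() has returned so that aio_complete() keeps waiting on ->ctx_lock instead of going on to kiocb_free(). The comment should also note that `list_del_init(&req->ki_list)` now dereferences req after the driver callback has run, so the loop depends on completion being held off until the `spin_unlock_irq(&ctx->ctx_lock)` that follows it.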