From: Jeff Moyer
To: Christoph Hellwig
Cc: viro@zeniv.linux.org.uk, jack@suse.cz, dmonakhov@openvz.org, linux-fsdevel@vger.kernel.org, linux-aio@kvack.org, linux-kernel@vger.kernel.org, Peter Zijlstra, Oleg Nesterov, Mikulas Patocka
Subject: Re: [PATCH] aio: fix a use after free (and fix freeze protection of aio writes)
References: <1476597082-15317-1-git-send-email-hch@lst.de> <20161017185552.GA24653@lst.de>
Date: Mon, 17 Oct 2016 15:40:24 -0400
In-Reply-To: <20161017185552.GA24653@lst.de> (Christoph Hellwig's message of "Mon, 17 Oct 2016 20:55:52 +0200")

Christoph Hellwig writes:

> On Mon, Oct 17, 2016 at 02:19:47PM -0400, Jeff Moyer wrote:
>> This ends up being a call to __sb_end_write:
>>
>> void __sb_end_write(struct super_block *sb, int level)
>> {
>> 	percpu_up_read(sb->s_writers.rw_sem + level-1);
>> }
>>
>> Nothing guarantees that submission and completion happen on the same
>> CPU.  Is this safe?
>
> Good point.  From my reading of the percpu_rwsem implementation it
> is not safe to release it from a different CPU.  Which makes me
> wonder how we can protect aio writes properly here..

Could we just change percpu_rw_semaphore->read_count to be a signed
integer?  The down_write path sums up the counters from all cpus...

-Jeff
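
Added example, not part of the message above and not kernel code: a single-threaded user-space model of the idea under discussion, with signed per-CPU reader slots where the release can land on a different slot than the acquire and the writer side looks only at the sum. The names model_rwsem, model_down_read, model_up_read, model_sum_readers, model_writer_may_proceed and the 4-CPU count are assumptions; memory ordering and the real percpu_rw_semaphore internals are not modelled.

```c
#include <stdbool.h>
#include <stdio.h>

#define MODEL_NR_CPUS 4 /* assumption: small fixed CPU count for the model */

/* Hypothetical stand-in for a per-CPU reader count; not the kernel struct. */
struct model_rwsem {
    int read_count[MODEL_NR_CPUS]; /* signed, so one slot may go negative */
};

/* Reader entry: bump the slot of the CPU the caller runs on. */
static void model_down_read(struct model_rwsem *s, int cpu)
{
    s->read_count[cpu]++;
}

/* Reader exit: drop the slot of the CPU the caller runs on now,
 * which may differ from the CPU that took the read side. */
static void model_up_read(struct model_rwsem *s, int cpu)
{
    s->read_count[cpu]--;
}

/* Writer side: sum every slot; no single slot is meaningful alone. */
static int model_sum_readers(const struct model_rwsem *s)
{
    int sum = 0;
    for (int cpu = 0; cpu < MODEL_NR_CPUS; cpu++)
        sum += s->read_count[cpu];
    return sum;
}

/* A writer may proceed only when the summed reader count is zero. */
static bool model_writer_may_proceed(const struct model_rwsem *s)
{
    return model_sum_readers(s) == 0;
}

int main(void)
{
    struct model_rwsem s = { {0} };

    model_down_read(&s, 0); /* submission on CPU 0 */
    model_up_read(&s, 2);   /* completion on CPU 2 */
    printf("slot0=%d slot2=%d sum=%d writer_ok=%d\n", s.read_count[0],
           s.read_count[2], model_sum_readers(&s), model_writer_may_proceed(&s));
    return 0;
}
```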