Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp2275201imm; Thu, 7 Jun 2018 08:04:01 -0700 (PDT) X-Google-Smtp-Source: ADUXVKJ19Kwd+pO4xM/jznh51EYqJz1LVlQ/YMJxbzWfTjmo4/6o32E47JV7DwhmhEE1pTBN2Bug X-Received: by 2002:aa7:8004:: with SMTP id j4-v6mr2117226pfi.174.1528383841364; Thu, 07 Jun 2018 08:04:01 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1528383841; cv=none; d=google.com; s=arc-20160816; b=zK1eQ2N2tOd/lre+FP6VxpIjWczSgQVggdlYZ1RmT1mNzwAFimhPHWMWyhgBUncBcH hMkTaEAm9h2tI9rngIHFvIdK4KaPWRfcTM7QOI6YxT2IxhnTA4ovRuw7N6vv1yHMDbqU gKvVRawuDqLt9dxhteVYkFG2sYsULQxcFlgd9kZWgxOdyY1XqGEcmDCT/tLtwSGx0IKf vNVb44C1f0XpYfwwLZkDZCtznlXQWfuMqGfOkIRftGdvw5yLvKF6i2JaytnT7csxSWJr 9C/8ZXPe5drB+aPBbz9kiuCPy5mQFqYOxGOIycI1x/YyvfgarFn4DNYk6VfgdoHpcYEi K+qA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:subject:message-id:date:cc:to :from:mime-version:content-transfer-encoding:content-disposition :arc-authentication-results; bh=UCFEp/E6uJgGmD0f889UkSfEklJL32fMzXKNIMxxx5s=; b=LIAAljcd6WM7nHgblqF0C/JugeGxGhL3UDsWFzRVN3W3kc5dSLvK/n/hQSqtcr6gWO iep+tG96UNXFICUnmE28L8QvLnshDlNKY/94fcanoTdna6A/P4PZpi3tuwd2lcST2xUN 0paU0LkQQPXC4yNIHa0AuOmbnxpwRqUkrR4V+BozcFqLk+2fZfbuMyWox8M+f9cyvsRa DLdJG3c/vKlw1y9/CyPqL44FgkjiMRmIceRFQOza5mex8Z7PU29MHrwiS4jBYVkMaJJw 6YbwsOPVuAr57m+HSUn7PQWkEU8JA34G4LmqiKwIsvVdUFVRHmRZRD+/RKrxGSxxKYvj h6pA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id n12-v6si44983484pgs.560.2018.06.07.08.03.46; Thu, 07 Jun 2018 08:04:01 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S964918AbeFGPCT (ORCPT + 99 others); Thu, 7 Jun 2018 11:02:19 -0400 Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:41434 "EHLO shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S964868AbeFGPCO (ORCPT ); Thu, 7 Jun 2018 11:02:14 -0400 Received: from [148.252.241.226] (helo=deadeye) by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1fQvbG-0005Zw-70; Thu, 07 Jun 2018 15:09:14 +0100 Received: from ben by deadeye with local (Exim 4.91) (envelope-from ) id 1fQvbC-0003FZ-Ri; Thu, 07 Jun 2018 15:09:10 +0100 Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 From: Ben Hutchings To: linux-kernel@vger.kernel.org, stable@vger.kernel.org CC: akpm@linux-foundation.org, "Linus Torvalds" , "Tejun Heo" , "Benjamin LaHaise" , "Jann Horn" Date: Thu, 07 Jun 2018 15:05:21 +0100 Message-ID: X-Mailer: LinuxStableQueue (scripts by bwh) Subject: [PATCH 3.16 358/410] fs/aio: Use RCU accessors for kioctx_table->table[] In-Reply-To: X-SA-Exim-Connect-IP: 148.252.241.226 X-SA-Exim-Mail-From: ben@decadent.org.uk X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.16.57-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Tejun Heo commit d0264c01e7587001a8c4608a5d1818dba9a4c11a upstream. While converting ioctx index from a list to a table, db446a08c23d ("aio: convert the ioctx list to table lookup v3") missed tagging kioctx_table->table[] as an array of RCU pointers and using the appropriate RCU accessors. This introduces a small window in the lookup path where init and access may race. Mark kioctx_table->table[] with __rcu and use the approriate RCU accessors when using the field. Signed-off-by: Tejun Heo Reported-by: Jann Horn Fixes: db446a08c23d ("aio: convert the ioctx list to table lookup v3") Cc: Benjamin LaHaise Cc: Linus Torvalds [bwh: Backported to 3.16: - Drop changes to aio_ring_mremap() - Signed-off-by: Ben Hutchings --- fs/aio.c | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) --- a/fs/aio.c +++ b/fs/aio.c @@ -68,9 +68,9 @@ struct aio_ring { #define AIO_RING_PAGES 8 struct kioctx_table { - struct rcu_head rcu; - unsigned nr; - struct kioctx *table[]; + struct rcu_head rcu; + unsigned nr; + struct kioctx __rcu *table[]; }; struct kioctx_cpu { @@ -588,9 +588,9 @@ static int ioctx_add_table(struct kioctx while (1) { if (table) for (i = 0; i < table->nr; i++) - if (!table->table[i]) { + if (!rcu_access_pointer(table->table[i])) { ctx->id = i; - table->table[i] = ctx; + rcu_assign_pointer(table->table[i], ctx); spin_unlock(&mm->ioctx_lock); /* While kioctx setup is in progress, @@ -765,8 +765,8 @@ static int kill_ioctx(struct mm_struct * spin_lock(&mm->ioctx_lock); table = rcu_dereference_raw(mm->ioctx_table); - WARN_ON(ctx != table->table[ctx->id]); - table->table[ctx->id] = NULL; + WARN_ON(ctx != rcu_access_pointer(table->table[ctx->id])); + RCU_INIT_POINTER(table->table[ctx->id], NULL); spin_unlock(&mm->ioctx_lock); /* free_ioctx_reqs() will do the necessary RCU synchronization */ @@ -827,7 +827,8 @@ void exit_aio(struct mm_struct *mm) skipped = 0; for (i = 0; i < table->nr; ++i) { - struct kioctx *ctx = table->table[i]; + struct kioctx *ctx = + rcu_dereference_protected(table->table[i], true); if (!ctx) { skipped++; @@ -1022,7 +1023,7 @@ static struct kioctx *lookup_ioctx(unsig if (!table || id >= table->nr) goto out; - ctx = table->table[id]; + ctx = rcu_dereference(table->table[id]); if (ctx && ctx->user_id == ctx_id) { percpu_ref_get(&ctx->users); ret = ctx;