From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Al Viro
Subject: [PATCH 3.18 07/21] fix io_destroy()/aio_complete() race
Date: Tue, 12 Jun 2018 18:52:04 +0200
Message-Id: <20180612164825.712821017@linuxfoundation.org>

3.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Al Viro

commit 4faa99965e027cc057c5145ce45fa772caa04e8d upstream.

If io_destroy() gets to cancelling everything that can be cancelled and gets to kiocb_cancel() calling the function driver has left in ->ki_cancel, it becomes vulnerable to a race with IO completion. At that point req is already taken off the list and aio_complete() does *NOT* spin until we (in free_ioctx_users()) release ->ctx_lock. As the result, it proceeds to kiocb_free(), freeing req just as it gets passed to ->ki_cancel().

Fix is simple - remove from the list after the call of kiocb_cancel(). All instances of ->ki_cancel() already have to cope with being called with iocb still on list - that's what happens in io_cancel(2).

Cc: stable@kernel.org
Fixes: 0460fef2a921 "aio: use cancellation list lazily"
Signed-off-by: Al Viro
Signed-off-by: Greg Kroah-Hartman

--- fs/aio.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- a/fs/aio.c +++ b/fs/aio.c @@ -560,9 +560,8 @@ static void free_ioctx_users(struct perc while (!list_empty(&ctx->active_reqs)) { req = list_first_entry(&ctx->active_reqs, struct kiocb, ki_list); - - list_del_init(&req->ki_list); kiocb_cancel(req); + list_del_init(&req->ki_list); } spin_unlock_irq(&ctx->ctx_lock);
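
Review bot: the reordered pair inside the while loop of free_ioctx_users() has no comment recording that list_del_init(&req->ki_list) must stay after kiocb_cancel(req), even though that ordering is the entire fix. The two lines look freely interchangeable, so a later cleanup could swap them back and reintroduce the use-after-free described in the commit message. A one-line comment above kiocb_cancel(req), stating that req has to remain on ctx->active_reqs until ->ki_cancel() returns so that completion cannot free it while ctx_lock is held here, would make the constraint visible in the code. For this 3.18 backport it is also worth confirming that every ->ki_cancel() instance in the tree tolerates being called with the iocb still on the list, since the hunk depends on that property and the commit message asserts it only by reference to io_cancel(2).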