We hit a memory ordering race condition on AIO ring buffer tail pointer
between function aio_complete() and aio_read_evt().
What happens is that on an architecture that has a relaxed memory
ordering model like IPF(ia64), explicit memory barrier is required in a
SMP execution environment. Considering the following case:
1 CPU is executing a tight loop of aio_read_evt. It is pulling event
off the ring buffer. During that loop, another CPU is executing
aio_complete() where it is putting event into the ring buffer and then
update the tail pointer. However, due to relaxed memory ordering model,
the tail pointer can be visible before the actual event is being
updated. So the other CPU sees the updated tail pointer but picks up a
staled event data.
A memory barrier is required in this case between the event data and
tail pointer update. Same is true for the head pointer but the window
of the race condition is nil. For function correctness, it is fixed
here as well.
By the way, this bug is fixed in the major distributor's kernel on 2.4.x
kernel series for a while, but somehow hasn't been propagated to 2.5
kernel yet.
The patch is relative to 2.5.74.
- Ken
On Tue, 8 Jul 2003 14:52:28 -0700
"Chen, Kenneth W" <[email protected]> wrote:
> We hit a memory ordering race condition on AIO ring buffer tail pointer
> between function aio_complete() and aio_read_evt().
>
> What happens is that on an architecture that has a relaxed memory
> ordering model like IPF(ia64), explicit memory barrier is required in a
> SMP execution environment. Considering the following case:
>
> 1 CPU is executing a tight loop of aio_read_evt. It is pulling event
> off the ring buffer. During that loop, another CPU is executing
> aio_complete() where it is putting event into the ring buffer and then
> update the tail pointer. However, due to relaxed memory ordering model,
> the tail pointer can be visible before the actual event is being
> updated. So the other CPU sees the updated tail pointer but picks up a
> staled event data.
>
> A memory barrier is required in this case between the event data and
> tail pointer update. Same is true for the head pointer but the window
> of the race condition is nil. For function correctness, it is fixed
> here as well.
>
> By the way, this bug is fixed in the major distributor's kernel on 2.4.x
> kernel series for a while, but somehow hasn't been propagated to 2.5
> kernel yet.
>
> The patch is relative to 2.5.74.
>
> - Ken
>
Make those smp_* memory barrier's because they don't matter on UP.
> From: Stephen Hemminger [mailto:[email protected]]
> Sent: Tuesday, July 08, 2003 4:00 PM
> Subject: Re: Race condition between aio_complete and aio_read_evt
> Make those smp_* memory barrier's because they don't matter on UP.
Certainly, thanks for pointing that out. I was about to say that as
well.
- Ken