From: Oleg Nesterov <oleg@redhat.com>
To: Al Viro <viro@ZenIV.linux.org.uk>,
Andrew Morton <akpm@linux-foundation.org>,
Benjamin LaHaise <bcrl@kvack.org>, Jeff Moyer <jmoyer@redhat.com>
Cc: linux-aio@kvack.org, linux-kernel@vger.kernel.org
Subject: [PATCH v3 1/3] aio_ring_remap: kill the bogus ctx->dead check
Date: Thu, 18 Jun 2015 19:52:07 +0200 [thread overview]
Message-ID: <20150618175207.GA10055@redhat.com> (raw)
In-Reply-To: <20150618175143.GA10033@redhat.com>
kill_ioctx() sets ctx->dead and removes ctx from ->ioctx_table
"atomically" under mm->ioctx_lock, so aio_ring_remap() can never
see a dead ctx.
And even -EINVAL doesn't look necessary. Yes, if mremap() races
with kill_ioctx() vm_munmap(ctx->mmap_base, ctx->mmap_size) can
unmap the wrong region. In this case the buggy application should
blame itself. And there are other reasons why that vm_munmap() can
be wrong. Say, an application can mremap() the part of aio region
and then do io_destroy(). We could change aio_ring_remap() to
verify vma->that vma_end - vma->vma_start == ctx->mmap_size but
this won't help if the application does munmap() instead.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
---
fs/aio.c | 9 +++------
1 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/fs/aio.c b/fs/aio.c
index 480440f..893d300 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -325,14 +325,11 @@ static int aio_ring_remap(struct file *file, struct vm_area_struct *vma)
rcu_read_lock();
table = rcu_dereference(mm->ioctx_table);
for (i = 0; i < table->nr; i++) {
- struct kioctx *ctx;
+ struct kioctx *ctx = table->table[i];
- ctx = table->table[i];
if (ctx && ctx->aio_ring_file == file) {
- if (!atomic_read(&ctx->dead)) {
- ctx->user_id = ctx->mmap_base = vma->vm_start;
- res = 0;
- }
+ ctx->user_id = ctx->mmap_base = vma->vm_start;
+ res = 0;
break;
}
}
--
1.5.5.1
next prev parent reply other threads:[~2015-06-18 17:53 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-06-18 17:51 [PATCH v3 0/3] aio: ctx->dead cleanups Oleg Nesterov
2015-06-18 17:52 ` Oleg Nesterov [this message]
2015-06-18 17:52 ` [PATCH v3 2/3] aio: make aio_ring->dead boolean Oleg Nesterov
2015-06-18 18:02 ` Jeff Moyer
2015-06-18 18:27 ` Oleg Nesterov
2015-06-18 17:52 ` [PATCH v3 3/3] aio_free_ring: don't do page_count(NULL) Oleg Nesterov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150618175207.GA10055@redhat.com \
--to=oleg@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=bcrl@kvack.org \
--cc=jmoyer@redhat.com \
--cc=linux-aio@kvack.org \
--cc=linux-kernel@vger.kernel.org \
--cc=viro@ZenIV.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.