Re: [PATCH] aio: fix a use after free (and fix freeze protection of aio writes)

2016-10-24 Thread Christoph Hellwig
Al, any chance to send this user triggerable use after free on to Linus?

On Sun, Oct 16, 2016 at 07:51:22AM +0200, Christoph Hellwig wrote:
> From: Jan Kara
>
> Currently we dropped freeze protection of aio writes just after IO was
> submitted. Thus aio write could be in flight while the

Re: [PATCH] aio: fix a use after free (and fix freeze protection of aio writes)

2016-10-17 Thread Christoph Hellwig
On Mon, Oct 17, 2016 at 04:04:00PM -0400, Jeff Moyer wrote:
> >> Could we just change percpu_rw_semaphore->read_count to be a signed
> >> integer? The down_write path sums up the counters from all cpus...
> >
> > To what point?
>
> Duh, nevermind. You're right, it should work as-is.

Ok,

Re: [PATCH] aio: fix a use after free (and fix freeze protection of aio writes)

2016-10-17 Thread Jeff Moyer
Christoph Hellwig writes:
> From: Jan Kara
>
> Currently we dropped freeze protection of aio writes just after IO was
> submitted. Thus aio write could be in flight while the filesystem was
> frozen and that could result in unexpected situation like aio completion
> wanting to convert extent

Re: [PATCH] aio: fix a use after free (and fix freeze protection of aio writes)

2016-10-17 Thread Jeff Moyer
Peter Zijlstra writes:
> On Mon, Oct 17, 2016 at 03:40:24PM -0400, Jeff Moyer wrote:
>> Christoph Hellwig writes:
>>
>> > On Mon, Oct 17, 2016 at 02:19:47PM -0400, Jeff Moyer wrote:
>> >> This ends up being a call to __sb_end_write:
>> >>
>> >> void __sb_end_write(struct super_block *sb, int

Re: [PATCH] aio: fix a use after free (and fix freeze protection of aio writes)

2016-10-17 Thread Peter Zijlstra
On Mon, Oct 17, 2016 at 03:40:24PM -0400, Jeff Moyer wrote:
> Christoph Hellwig writes:
>
> > On Mon, Oct 17, 2016 at 02:19:47PM -0400, Jeff Moyer wrote:
> >> This ends up being a call to __sb_end_write:
> >>
> >> void __sb_end_write(struct super_block *sb, int level)
> >> {
> >>

Re: [PATCH] aio: fix a use after free (and fix freeze protection of aio writes)

2016-10-17 Thread Peter Zijlstra
On Mon, Oct 17, 2016 at 08:55:52PM +0200, Christoph Hellwig wrote:
> On Mon, Oct 17, 2016 at 02:19:47PM -0400, Jeff Moyer wrote:
> > This ends up being a call to __sb_end_write:
> >
> > void __sb_end_write(struct super_block *sb, int level)
> > {
> > 	percpu_up_read(sb->s_writers.rw_sem +

Re: [PATCH] aio: fix a use after free (and fix freeze protection of aio writes)

2016-10-17 Thread Jeff Moyer
Christoph Hellwig writes:
> On Mon, Oct 17, 2016 at 02:19:47PM -0400, Jeff Moyer wrote:
>> This ends up being a call to __sb_end_write:
>>
>> void __sb_end_write(struct super_block *sb, int level)
>> {
>> 	percpu_up_read(sb->s_writers.rw_sem + level-1);
>> }
>>
>> Nothing guarantees

Re: [PATCH] aio: fix a use after free (and fix freeze protection of aio writes)

2016-10-17 Thread Christoph Hellwig
On Mon, Oct 17, 2016 at 02:19:47PM -0400, Jeff Moyer wrote:
> This ends up being a call to __sb_end_write:
>
> void __sb_end_write(struct super_block *sb, int level)
> {
> 	percpu_up_read(sb->s_writers.rw_sem + level-1);
> }
>
> Nothing guarantees that submission and completion happen on

Re: [PATCH] aio: fix a use after free (and fix freeze protection of aio writes)

2016-10-17 Thread Jeff Moyer
Hi, Christoph, Christoph Hellwig writes: > diff --git a/fs/aio.c b/fs/aio.c > index 1157e13..bf315cd 100644 > --- a/fs/aio.c > +++ b/fs/aio.c > @@ -1078,6 +1078,17 @@ static void aio_complete(struct kiocb *kiocb, long > res, long res2) > unsigned tail, pos, head; > unsigned long