Page MenuHomeFreeBSD
Differential D51626

aio: Fix a race in sys_aio_cancel()
ClosedPublic
Actions

Authored by markj on Jul 29 2025, 7:12 PM.
Tags
None
Referenced Files
Unknown Object (File)
Fri, Oct 10, 12:33 PM
Unknown Object (File)
Fri, Oct 10, 12:33 PM
Unknown Object (File)
Fri, Oct 10, 12:33 PM
Unknown Object (File)
Fri, Oct 10, 12:33 PM
Unknown Object (File)
Fri, Oct 10, 5:43 AM
Unknown Object (File)
Wed, Sep 17, 7:15 AM
Unknown Object (File)
Tue, Sep 16, 5:14 PM
Unknown Object (File)
Sep 15 2025, 11:18 AM
View All 35 Files
Subscribers
imp
olce

Details

Reviewers
asomers
kib
jhb
Commits
rGe71d494c600e: aio: Fix a race in sys_aio_cancel()
rG2dde3bed347a: aio: Fix a race in sys_aio_cancel()
Summary

sys_aio_cancel() loops over pending jobs for the process, cancelling
some of them. To cancel a job with a cancel callback, it must drop the
job list mutex. It uses flags, KAIOCB_CANCELLING and KAIOCB_CANCELLED,
to make sure that a job isn't double-cancelled. However, when iterating
over the list it uses TAILQ_FOREACH_SAFE and thus assumes that the next
job isn't going to be removed while the lock is dropped. Of course,
this assumption is false.

We could simply start search from the beginning after cancelling a job,
but this might be quite expensive. Instead, introduce the notion of a
marker job, used to keep track of one's position in the queue. Use it
in sys_aio_cancel() to resume iteration after a job is cancelled.

Reported by: syzkaller

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

markj created this revision.Jul 29 2025, 7:12 PM
Herald added subscribers: olce, imp. · View Herald TranscriptJul 29 2025, 7:12 PM
markj requested review of this revision.Jul 29 2025, 7:12 PM
Harbormaster completed remote builds in B65839: Diff 159423.Jul 29 2025, 7:12 PM
kib accepted this revision.Jul 29 2025, 7:37 PM
kib added inline comments.
sys/kern/vfs_aio.c
588

This should be true because we single-thread the process on exit and exec, I suppose. Might be, add a comment.

This revision is now accepted and ready to land.Jul 29 2025, 7:37 PM
markj updated this revision to Diff 159442.Jul 30 2025, 1:14 PM
markj marked an inline comment as done.

Add a comment.

This revision now requires review to proceed.Jul 30 2025, 1:14 PM
Harbormaster completed remote builds in B65845: Diff 159442.Jul 30 2025, 1:14 PM
kib accepted this revision.Jul 30 2025, 1:37 PM
This revision is now accepted and ready to land.Jul 30 2025, 1:37 PM
jhb accepted this revision.Jul 31 2025, 12:52 PM
Closed by commit rG2dde3bed347a: aio: Fix a race in sys_aio_cancel() (authored by markj). · Explain WhyJul 31 2025, 4:54 PM
This revision was automatically updated to reflect the committed changes.
markj added a commit: rG2dde3bed347a: aio: Fix a race in sys_aio_cancel().
markj added a commit: rGe71d494c600e: aio: Fix a race in sys_aio_cancel().Aug 14 2025, 1:48 PM

Revision Contents
Changeset List

PathSize
sys/
kern/
33 lines

Diff 159501

View Options

sys/kern/vfs_aio.c

Loading...