Received: by 2002:ac0:aed5:0:0:0:0:0 with SMTP id t21csp1911140imb;
        Sun, 3 Mar 2019 10:38:48 -0800 (PST)
X-Google-Smtp-Source: APXvYqynObcFbLOTLS3hXOVf9bKa/SKVGKIsqBbnNuVcHro9GOpQ8YAFXrlfTpr+pi7tf83TVNo8
X-Received: by 2002:a65:60d8:: with SMTP id r24mr14880611pgv.6.1551638328911;
        Sun, 03 Mar 2019 10:38:48 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1551638328; cv=none;
        d=google.com; s=arc-20160816;
        b=P9tg9roMmer59SRzLJ7U1eZnPVAYAzysM7leGUwO6z8nZi2ZcFV8NQugNsw5j/ULZe
         5bMRTDl4vMUu+G197iEdaKCz+qikqwmSCm/ySqAi1jMGLx8uXkjkBNNS9SWHyIr1ldCz
         2Ey866iOr7DsDNbvHKbtbvGcZh6aAZZfj2z6B035S6QGixDHSiyXFy/nNbPadfh9s2l9
         1+7VoEykfUkiVPADvKLhxUYbmA/rvwj3eJ4QXjQINI5vyBNs9dFHWx9Qu6m26GBFLi07
         GaEQxAnvkSci8VBhBksSbBgrzs/rLOVfcpI4mI52eUNCXCcoPkAMNZOQD7AtHFYw11hr
         W/qQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:cc:to:subject:dkim-signature;
        bh=aoPw5I3Ewbr9354P6/DT203SccE5DmMTt6TnPmIIGa8=;
        b=FP36zDzRExXoqp8NqcdaUgSAfa4ghkBnpFkvYDo98rPeWzYyccd3bXHGwfcMBfeROF
         PiAwExwcA+G50qt9NEn+zHqX8JFlNPWRh38TWRZghpCKncnSvusy4BOupP0FNO2dyPKf
         LA8D0LP3ABGfs6kvFcmN7Hmt6/Ggvr1eno7CmCdRykpVMM8WeW5UfId4SyLZOD1KJxzC
         YurQp6Ohd5b60FZrGgPLhm6zUZkD9MtXIfMR0aeujr69YED2pEZxWWgTMtXwZSohuuMJ
         FYDkYAhV0+vvVqrlqbE6OIhll+/rNX1CcKzYl2+pLJbcEUyaz1v4ZmJ83AVXNTGUrP5s
         1O1A==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b="TH0/BoxB";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id s10si3244584pgp.564.2019.03.03.10.38.32;
        Sun, 03 Mar 2019 10:38:48 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b="TH0/BoxB";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726641AbfCCShk (ORCPT <rfc822;lans.zhang2008@gmail.com>
        + 99 others); Sun, 3 Mar 2019 13:37:40 -0500
Received: from mail-pg1-f196.google.com ([209.85.215.196]:35873 "EHLO
        mail-pg1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726533AbfCCShk (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 3 Mar 2019 13:37:40 -0500
Received: by mail-pg1-f196.google.com with SMTP id r124so1408760pgr.3;
        Sun, 03 Mar 2019 10:37:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=subject:to:cc:references:from:message-id:date:user-agent
         :mime-version:in-reply-to:content-language:content-transfer-encoding;
        bh=aoPw5I3Ewbr9354P6/DT203SccE5DmMTt6TnPmIIGa8=;
        b=TH0/BoxBB4YSfmi0BMxLuSE9NC0mpUQ75cO0BDYJFgeKLEm2Nb9a1lRECDUOum5Aod
         tuHeuWCaQu1I67R/2nE0wVNpU7A3F0pefpHjeEDm5WO8ALu++LVjLyIVQh9NdDPsl/pa
         ydNYfqgIlc44y+wnp+fCQx1XrQRRGAmLwjLqTxLFhOEOqGNtRi8mwheJxsFsxJpss+ho
         YLEgXtxVUzPD9UT6XrY3+jA+jTi/3EyPHEKptEszUHFkAWU5RVdO97ENPsbE9CR2gsLV
         TC+2OPFFJI5hvMBJszvXtM710QRnwRGo+QEI+kHuebDHwgkaxmFqfaqrjm0uqHNFs5uV
         2G5w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:cc:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=aoPw5I3Ewbr9354P6/DT203SccE5DmMTt6TnPmIIGa8=;
        b=YYoEs0kYH8uXuJhqTTfpGGlBj/xu/RnOplUbolEPcQ5SeBnS6RgezPoU3BVNz4Xuud
         rKTDM1zckOHAlFGU/22j9tXCbArkrxvMCriFbgsieYazssw66atD4UBNBZs0rTPbxudP
         NpbWPWWFBCr1pNXYsU8JZ8WAhA2vXggBVED1G6b+30FFifZo77+D3HIw8QqLoQNerqKQ
         lZRm7Ugl1++H6+hoZOLqDX+bSv2dD4qIWC/KetjSdeT2TH5rpN/qsIV3YZwqCKJFeW2y
         lIMOKzahqQWui4cvUKfJl2nGe+fUnWvccQD4GFxo/kCf8HvHWeDcVWx0vGD2FpYms7LW
         mWUA==
X-Gm-Message-State: APjAAAV5CkVrUeIZSGhUTrB9MBVOg3KZ0560EyVwdWnkDNgWA5ZmoEKd
        FIB4UlWfQfF5l7mA5rUly/8=
X-Received: by 2002:a65:4203:: with SMTP id c3mr15042914pgq.271.1551638259289;
        Sun, 03 Mar 2019 10:37:39 -0800 (PST)
Received: from [192.168.86.235] (c-73-241-150-70.hsd1.ca.comcast.net. [73.241.150.70])
        by smtp.gmail.com with ESMTPSA id b85sm10085693pfj.56.2019.03.03.10.37.38
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sun, 03 Mar 2019 10:37:38 -0800 (PST)
Subject: Re: [PATCH] aio: prevent the final fput() in the middle of vfs_poll()
 (Re: KASAN: use-after-free Read in unix_dgram_poll)
To:     Al Viro <viro@zeniv.linux.org.uk>,
        Linus Torvalds <torvalds@linux-foundation.org>
Cc:     davem@davemloft.net, jbaron@akamai.com, kgraul@linux.ibm.com,
        ktkhai@virtuozzo.com, kyeongdon.kim@lge.com,
        linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
        pabeni@redhat.com, syzkaller-bugs@googlegroups.com,
        xiyou.wangcong@gmail.com, hch@lst.de
References: <000000000000f39c7b05832e0219@google.com>
 <20190303135502.GP2217@ZenIV.linux.org.uk>
 <20190303151846.GQ2217@ZenIV.linux.org.uk>
From:   Eric Dumazet <eric.dumazet@gmail.com>
Message-ID: <dd9d445c-4adc-67a7-8957-01f38cb39a70@gmail.com>
Date:   Sun, 3 Mar 2019 10:37:37 -0800
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <20190303151846.GQ2217@ZenIV.linux.org.uk>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org



On 03/03/2019 07:18 AM, Al Viro wrote:

> Fixes: bfe4037e722ec
> Cc: stable@vger.kernel.org
> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
> ---
> diff --git a/fs/aio.c b/fs/aio.c
> index 3083180a54c8..7e88bfabdac2 100644
> --- a/fs/aio.c
> +++ b/fs/aio.c
> @@ -1767,6 +1767,7 @@ static ssize_t aio_poll(struct aio_kiocb *aiocb, const struct iocb *iocb)
>  
>  	/* one for removal from waitqueue, one for this function */
>  	refcount_set(&aiocb->ki_refcnt, 2);
> +	get_file(req->file);
>  
>  	mask = vfs_poll(req->file, &apt.pt) & req->events;
>  	if (unlikely(!req->head)) {
> @@ -1793,6 +1794,7 @@ static ssize_t aio_poll(struct aio_kiocb *aiocb, const struct iocb *iocb)
>  	spin_unlock_irq(&ctx->ctx_lock);
>  
>  out:
> +	fput(req->file);
>  	if (unlikely(apt.error)) {
>  		fput(req->file);
>  		return apt.error;
> 

Very nice changelog Al, thanks for fixing this.

Reviewed-by: Eric Dumazet <edumazet@google.com>