Received: by 2002:ac0:aed5:0:0:0:0:0 with SMTP id t21csp1958928imb; Sun, 3 Mar 2019 12:31:01 -0800 (PST) X-Google-Smtp-Source: AHgI3Ia/Dq9+OOq7i2DJm+WvgA7MeznNlhM4hn+lVd2OZG//kgwA0j85xiVe6UYX7QRra6DhvFpZ X-Received: by 2002:a62:fc10:: with SMTP id e16mr16802986pfh.83.1551645061264; Sun, 03 Mar 2019 12:31:01 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1551645061; cv=none; d=google.com; s=arc-20160816; b=qELRrJolgu8e+X2MwU447RoVB6GhvvY3U7e3y+j/Y/LlIResbAqfKkuN4FFirVib11 m6cgoe8HS+Yy3XwcdzxswxMWUwVhHsWJt+3g6qWX9kcxZ7jOLF1PXHpOIa9L56+ZRgmy G6j9g+Y6sp1M8QcUyhOhik86Yx45Z20SHHwgKvsvLorq63XW4flRFunBWboYK8U+oCkA pgTSyul1rzpKm1MNj5G4JhhvHfzDYKUHFT4u96M7BNWJSMq/vrLvcqxvvaEoIqI0MHBq VKELbfXNphJ52ZMDSw1hOzmWgo6C+eU83sMFtdr1R0t67rl63wDJFzH0ugVdwevu3O/d lS3w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=fefpYW+vywEzB1hkOJnYxx07uGi/IIEPBhhsABLCRNw=; b=G90bwMVMkHc1CMdM4b/t1o8DDfUU8DxP4YcpjbXNnU1ip33bXZcYyOVYKpA2K06+yO PB9HqEmu0+GZX9ERMH+I530i5l+2D4hgT8XmL6LnvErn8vXe4bipYZr9HhMWPbPGud98 tbgQo040jSKaDpmOUrustkgjxv/4MIh3l1E9ecPpi+0gEVbn/phmaafoGEqrHBoxBuC7 pqxs4q6elguQS92TmUEKBtioBOEU/2e1GYNDjJji9fjvsOkpwQLsp2PUC5pLTesTsbEt Um3TV4uOserbo3PaM5TIKFtjpJAnvP4d12SP4fHVXGx0lbtPs6ran5ej55t8/H5iTNuz ZoUQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q77si3698397pfa.102.2019.03.03.12.30.44; Sun, 03 Mar 2019 12:31:01 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726650AbfCCUaY (ORCPT + 99 others); Sun, 3 Mar 2019 15:30:24 -0500 Received: from zeniv.linux.org.uk ([195.92.253.2]:39030 "EHLO ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726512AbfCCUaY (ORCPT ); Sun, 3 Mar 2019 15:30:24 -0500 Received: from viro by ZenIV.linux.org.uk with local (Exim 4.92 #3 (Red Hat Linux)) id 1h0XkR-0002Y3-7R; Sun, 03 Mar 2019 20:30:11 +0000 Date: Sun, 3 Mar 2019 20:30:11 +0000 From: Al Viro To: Linus Torvalds Cc: Eric Dumazet , David Miller , Jason Baron , kgraul@linux.ibm.com, ktkhai@virtuozzo.com, kyeongdon.kim@lge.com, Linux List Kernel Mailing , Netdev , pabeni@redhat.com, syzkaller-bugs@googlegroups.com, xiyou.wangcong@gmail.com, Christoph Hellwig Subject: Re: [PATCH] aio: prevent the final fput() in the middle of vfs_poll() (Re: KASAN: use-after-free Read in unix_dgram_poll) Message-ID: <20190303203011.GR2217@ZenIV.linux.org.uk> References: <000000000000f39c7b05832e0219@google.com> <20190303135502.GP2217@ZenIV.linux.org.uk> <20190303151846.GQ2217@ZenIV.linux.org.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, Mar 03, 2019 at 11:44:33AM -0800, Linus Torvalds wrote: > On Sun, Mar 3, 2019 at 7:18 AM Al Viro wrote: > > > > > Maybe unrelated to this bug, but... What's to prevent a wakeup > > > that happens just after we'd been added to a waitqueue by ->poll() > > > triggering aio_poll_wake(), which gets to aio_poll_complete() > > > with its fput() *before* we'd reached the end of ->poll() instance? > > I'm assuming you're talking about the second vfs_poll() in > aio_poll_complete_work()? The one we call before we check for > "rew->cancelled" properly under the spinlock? No. The first one, right in aio_poll(). > But as far as I can tell, they *all* could do: > > - look up file in aio_submit() when allocating and creating the aio_kiocb > > - drop the filp in 'iocb_put()' (which happens whether things > complete successfully or not). > > and we'd have avoided a lot of complexity, and we'd have avoided this bug. > > Your patch fixes the poll() case, but it does so by just letting the > existing complexity remain, and adding a second fget/fput pair in the > poll logic. > > It would seem like it would be much better to rip all the complexity > out entirely, and replace it with sane, simple and obviously correct > code. > > Hmm? > > In other words, why wouldn't something like the attached work instead? I'll need to dig out the mail archive from last year, but IIRC this had been considered and there'd been non-trivial problems. Give me an hour or so and I'll dig that out (there'd been many rounds of review, with long threads involved, some private, some on fsdevel). > @@ -1060,6 +1071,7 @@ static inline void iocb_put(struct aio_kiocb *iocb) > { > if (refcount_read(&iocb->ki_refcnt) == 0 || > refcount_dec_and_test(&iocb->ki_refcnt)) { > + fput(iocb->ki_filp); Trivial oops here - it might be NULL.