Date: Tue, 24 Aug 2021 17:25:20 +0000
Message-Id: <20210824172520.2284531-1-ramjiyani@google.com>
Subject: [RFC PATCH v1] aio: Add support for the POLLFREE
From: Ramji Jiyani
To: Alexander Viro, Benjamin LaHaise, Arnd Bergmann
Cc: Ramji Jiyani, kernel-team@android.com, linux-fsdevel@vger.kernel.org, linux-aio@kvack.org, linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

Commit f5cb779ba163 ("ANDROID: binder: remove waitqueue when thread exits.") fixed the use-after-free in eventpoll, but aio still has the same issue because it doesn't honor the POLLFREE flag.

Add support for the POLLFREE flag to force completing the iocb inline in aio_poll_wake(). A thread may use it to signal its exit and/or request cleanup while a poll request is pending. In this case, aio_poll_wake() needs to make sure it doesn't keep any reference to the queue entry before returning from wake, to avoid a possible use after free via the poll_cancel() path.

The POLLFREE flag is no longer exclusive to epoll and is being shared with aio. Remove the comment from poll.h to avoid confusion. Also enclose the POLLFREE macro definition in parentheses to fix a checkpatch error.

Signed-off-by: Ramji Jiyani
--- fs/aio.c | 45 ++++++++++++++++++--------------- include/uapi/asm-generic/poll.h | 2 +- 2 files changed, 26 insertions(+), 21 deletions(-) diff --git a/fs/aio.c b/fs/aio.c index 76ce0cc3ee4e..2c432cbb38e5 100644 --- a/fs/aio.c +++ b/fs/aio.c @@ -1674,6 +1674,7 @@ static int aio_poll_wake(struct wait_queue_entry *wait, unsigned mode, int sync, { struct poll_iocb *req = container_of(wait, struct poll_iocb, wait); struct aio_kiocb *iocb = container_of(req, struct aio_kiocb, poll); + struct kioctx *ctx = iocb->ki_ctx; __poll_t mask = key_to_poll(key); unsigned long flags; 
@@ -1683,29 +1684,33 @@ static int aio_poll_wake(struct wait_queue_entry *wait, unsigned mode, int sync, list_del_init(&req->wait.entry); - if (mask && spin_trylock_irqsave(&iocb->ki_ctx->ctx_lock, flags)) { - struct kioctx *ctx = iocb->ki_ctx; + /* + * Use irqsave/irqrestore because not all filesystems (e.g. fuse) + * call this function with IRQs disabled and because IRQs have to + * be disabled before ctx_lock is obtained. + */ + if (mask & POLLFREE) { + /* Force complete iocb inline to remove refs to deleted entry */ + spin_lock_irqsave(&ctx->ctx_lock, flags); + } else if (!(mask && spin_trylock_irqsave(&ctx->ctx_lock, flags))) { + /* Can't complete iocb inline; schedule for later */ + schedule_work(&req->work); + return 1; + } - /* - * Try to complete the iocb inline if we can. Use - * irqsave/irqrestore because not all filesystems (e.g. fuse) - * call this function with IRQs disabled and because IRQs - * have to be disabled before ctx_lock is obtained. - */ - list_del(&iocb->ki_list); - iocb->ki_res.res = mangle_poll(mask); - req->done = true; - if (iocb->ki_eventfd && eventfd_signal_count()) { - iocb = NULL; - INIT_WORK(&req->work, aio_poll_put_work); - schedule_work(&req->work); - } - spin_unlock_irqrestore(&ctx->ctx_lock, flags); - if (iocb) - iocb_put(iocb); - } else { + /* complete iocb inline */ + list_del(&iocb->ki_list); + iocb->ki_res.res = mangle_poll(mask); + req->done = true; + if (iocb->ki_eventfd && eventfd_signal_count()) { + iocb = NULL; + INIT_WORK(&req->work, aio_poll_put_work); schedule_work(&req->work); } + spin_unlock_irqrestore(&ctx->ctx_lock, flags); + if (iocb) + iocb_put(iocb); + return 1; } diff --git a/include/uapi/asm-generic/poll.h b/include/uapi/asm-generic/poll.h index 41b509f410bf..35b1b69af729 100644 --- a/include/uapi/asm-generic/poll.h +++ b/include/uapi/asm-generic/poll.h 
@@ -29,7 +29,7 @@ #define POLLRDHUP 0x2000 #endif -#define POLLFREE (__force __poll_t)0x4000 /* currently only for epoll */ +#define POLLFREE ((__force __poll_t)0x4000) #define POLL_BUSY_LOOP (__force __poll_t)0x8000 -- 2.33.0.rc2.250.ged5fa647cd-goog
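Review bot: in the `mask & POLLFREE` branch of the second fs/aio.c hunk, the blocking `spin_lock_irqsave(&ctx->ctx_lock, flags)` replaces the `spin_trylock_irqsave` the old code used, yet a wake callback runs with the waitqueue lock already held; if the cancel path the commit message cites (poll_cancel()) takes ctx_lock before the waitqueue lock, blocking here inverts the lock order and can deadlock, which is exactly what the trylock avoided. Either state in the commit message why blocking on ctx_lock from the wake callback cannot run against that path, or keep the trylock and, on failure, make sure nothing referencing the entry survives (the context line `list_del_init(&req->wait.entry);` has already unlinked it) before falling back to `schedule_work(&req->work)`. A smaller point in the same hunk: the POLLFREE completion reuses `iocb->ki_res.res = mangle_poll(mask);`, so the result a user sees for an iocb completed because its waitqueue went away depends on how mangle_poll() treats the POLLFREE bit; the commit message or a comment should say what result such a completion is meant to carry.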
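Review bot: the include/uapi/asm-generic/poll.h hunk parenthesizes POLLFREE for checkpatch but leaves the adjacent `#define POLL_BUSY_LOOP (__force __poll_t)0x8000` in the same unparenthesized form; either fix both here or move the checkpatch cleanup to its own patch so the functional aio change stands alone. Removing `/* currently only for epoll */` is right now that aio uses the flag too, but consider replacing it with a comment that the bit is shared by epoll and aio as a wakeup key, as the commit message states, rather than dropping the only hint that this is not an ordinary poll event.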