Date: Mon, 13 Sep 2021 18:37:52 +0000
Message-Id: <20210913183753.563103-1-ramjiyani@google.com>
X-Mailer: git-send-email 2.33.0.309.g3052b89438-goog
Subject: [PATCH] aio: Add support for the POLLFREE
From: Ramji Jiyani
To: Alexander Viro, Benjamin LaHaise, Arnd Bergmann
Cc: Ramji Jiyani, kernel-team@android.com, linux-fsdevel@vger.kernel.org, linux-aio@kvack.org, linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

Commit f5cb779ba163 ("ANDROID: binder: remove waitqueue when thread exits.") fixed the use-after-free in eventpoll, but aio still has the same issue because it doesn't honor the POLLFREE flag.

Add support for the POLLFREE flag to force-complete the iocb inline in aio_poll_wake(). A thread may use it to signal its exit and/or request cleanup while a poll request is pending. In this case, aio_poll_wake() needs to make sure it doesn't keep any reference to the queue entry before returning from wake, to avoid a possible use-after-free via the poll_cancel() path.

The POLLFREE flag is no longer exclusive to epoll and is now shared with aio. Remove the comment from poll.h to avoid confusion. Also enclose the POLLFREE macro definition in parentheses to fix a checkpatch error.

Signed-off-by: Ramji Jiyani
---
 fs/aio.c | 45 ++++++++++++++++++---------------
 include/uapi/asm-generic/poll.h | 2 +-
 2 files changed, 26 insertions(+), 21 deletions(-)

diff --git a/fs/aio.c b/fs/aio.c index 51b08ab01dff..5d539c05df42 100644 --- a/fs/aio.c +++ b/fs/aio.c @@ -1674,6 +1674,7 @@ static int aio_poll_wake(struct wait_queue_entry *wait, unsigned mode, int sync, { struct poll_iocb *req = container_of(wait, struct poll_iocb, wait); struct aio_kiocb *iocb = container_of(req, struct aio_kiocb, poll); + struct kioctx *ctx = iocb->ki_ctx; __poll_t mask = key_to_poll(key); unsigned long flags;
@@ -1683,29 +1684,33 @@ static int aio_poll_wake(struct wait_queue_entry *wait, unsigned mode, int sync, list_del_init(&req->wait.entry); - if (mask && spin_trylock_irqsave(&iocb->ki_ctx->ctx_lock, flags)) { - struct kioctx *ctx = iocb->ki_ctx; + /* + * Use irqsave/irqrestore because not all filesystems (e.g. fuse) + * call this function with IRQs disabled and because IRQs have to + * be disabled before ctx_lock is obtained. + */ + if (mask & POLLFREE) { + /* Force complete iocb inline to remove refs to deleted entry */ + spin_lock_irqsave(&ctx->ctx_lock, flags); + } else if (!(mask && spin_trylock_irqsave(&ctx->ctx_lock, flags))) { + /* Can't complete iocb inline; schedule for later */ + schedule_work(&req->work); + return 1; + } - /* - * Try to complete the iocb inline if we can. Use - * irqsave/irqrestore because not all filesystems (e.g. fuse) - * call this function with IRQs disabled and because IRQs - * have to be disabled before ctx_lock is obtained. - */ - list_del(&iocb->ki_list); - iocb->ki_res.res = mangle_poll(mask); - req->done = true; - if (iocb->ki_eventfd && eventfd_signal_allowed()) { - iocb = NULL; - INIT_WORK(&req->work, aio_poll_put_work); - schedule_work(&req->work); - } - spin_unlock_irqrestore(&ctx->ctx_lock, flags); - if (iocb) - iocb_put(iocb); - } else { + /* complete iocb inline */ + list_del(&iocb->ki_list); + iocb->ki_res.res = mangle_poll(mask); + req->done = true; + if (iocb->ki_eventfd && eventfd_signal_allowed()) { + iocb = NULL; + INIT_WORK(&req->work, aio_poll_put_work); schedule_work(&req->work); } + spin_unlock_irqrestore(&ctx->ctx_lock, flags); + if (iocb) + iocb_put(iocb); + return 1; } diff --git a/include/uapi/asm-generic/poll.h b/include/uapi/asm-generic/poll.h index 41b509f410bf..35b1b69af729 100644 --- a/include/uapi/asm-generic/poll.h +++ b/include/uapi/asm-generic/poll.h 
@@ -29,7 +29,7 @@ #define POLLRDHUP 0x2000 #endif -#define POLLFREE (__force __poll_t)0x4000 /* currently only for epoll */ +#define POLLFREE ((__force __poll_t)0x4000) #define POLL_BUSY_LOOP (__force __poll_t)0x8000 -- 2.33.0.309.g3052b89438-goog
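Review bot: the unconditional spin_lock_irqsave(&ctx->ctx_lock, flags) in the new `if (mask & POLLFREE)` branch of the second fs/aio.c hunk drops the lock-ordering protection that the trylock was providing. aio_poll_wake() is called by the waker with the waitqueue head's lock already held, while the aio cancel and completion paths take ctx_lock first and then the head's lock to remove the entry; that inversion is the reason the removed code only ever used spin_trylock_irqsave() and fell back to schedule_work() when it failed. Blocking on ctx_lock here can deadlock against a concurrent poll_cancel() that holds ctx_lock and is waiting for the head lock. The commit message should explain why that ordering cannot arise for a POLLFREE wakeup, or the POLLFREE case needs a strategy that does not block on ctx_lock (e.g. detach from the waitqueue under the head lock now, record that the head is gone, and let the deferred work finish the completion without touching the entry). Separately, `iocb->ki_res.res = mangle_poll(mask);` still passes the full mask even though this branch is entered precisely because `mask & POLLFREE`, so the kernel-internal 0x4000 bit is copied into the result handed to userspace; clear POLLFREE from mask before calling mangle_poll().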
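Review bot: in the include/uapi/asm-generic/poll.h hunk, `POLL_BUSY_LOOP` on the very next context line has the same unparenthesized `(__force __poll_t)0x8000` form that this hunk fixes for POLLFREE, so either parenthesize both or keep the checkpatch cleanup out of a bug-fix patch; a mixed style on adjacent lines is the first thing a reviewer will ask about. Also, dropping `/* currently only for epoll */` leaves a kernel-internal flag sitting in a UAPI header with no hint that it is never meant for userspace; replacing the comment rather than removing it, for example `/* kernel-internal: the waitqueue is about to be freed */`, would keep that warning without the epoll-specific claim the commit message objects to.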