Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp36582795rwd; Tue, 11 Jul 2023 03:01:10 -0700 (PDT) X-Google-Smtp-Source: APBJJlFJrtxPyabzdK2dCoTbxLn/aV9RsllbWE/NNS5iNdVJubGgxj/e6fEF3PFhqmsKu1NJUTAr X-Received: by 2002:a05:6512:281c:b0:4f4:c6ab:f119 with SMTP id cf28-20020a056512281c00b004f4c6abf119mr16992787lfb.64.1689069669811; Tue, 11 Jul 2023 03:01:09 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1689069669; cv=none; d=google.com; s=arc-20160816; b=xzmdYDlp1Dy+6ByqQd3FsPeKs9OGqGhFudZ6Tc/i416H1mkvCg2lzOo7piEKpfTnAG ERXQEpHazIOLZOaQiVrpTuQYhu3Bkk9TIVM1LZThYlbT2ri2nFVLA4chFr5RV+bFT4B1 fQNVGPoknSSQxm+gnZNqL0sB4L1PVJIa0UyvM9YhlBZEVj9W8P8/PeRXHsAvOrqGiQ+v rvsNQtPg/uCpL2yjoXWUONNYw9VXe55mbYuCCY7lbOUvCvOYBDmoXoitIaV2B7hsE9bc jRkwAgGsQSA3utGxcPHZyNTu98B+eJUVtfwntDm7ERNjkBxyI+ZcynnqOznVhWK7Aoxu T8Kg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=SSaTjyWO47PMCR5oyAmH7OjmUkKqVZSEtsmQnNWUEyU=; fh=j/difak3wVKaB8s4prWYi1W9+1REbxpjJaNkD8HJOHk=; b=dlBG7E9kWyA8YBlKmXTsm6NyAUBhg1zA8XwJVk3s0FNitlHXM25Zpm6BkM8jJMgg+p el91kHwMtmNd1CbbHihjYEFe10oVurPU8IudOGv7bXDFDDvPar/fIWUr3I/5/uNpOWay lcO96hxBoxeD5IvazLqcT+ZGZJh1MQ84ZtdDqnkp1m1+tZxCIfKNOkT+FEp8knYhqbYa ZRvJg1ijh4uRFTugWjZGmTt0lnpJW4/7HKAlExrPHkpihORwULCMkIpX+A/QBJd7Ya9y /2pWe51C8OZ82zDG9SxLImpDTto2D9G54Fn7uBHzt6i0/9FHvjtx40iVuQkSRKArakHf 7T2w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=bGra2pZm; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id gt9-20020a170906f20900b009930d603e75si1487128ejb.905.2023.07.11.03.00.45; Tue, 11 Jul 2023 03:01:09 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=bGra2pZm; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230296AbjGKJkc (ORCPT + 99 others); Tue, 11 Jul 2023 05:40:32 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60224 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230263AbjGKJkP (ORCPT ); Tue, 11 Jul 2023 05:40:15 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 39762170F; Tue, 11 Jul 2023 02:40:03 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id CC1C461447; Tue, 11 Jul 2023 09:40:02 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 477B3C433C9; Tue, 11 Jul 2023 09:40:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1689068402; bh=tNg5RzXLNkj13iWCpf81KjQRIluq/j+Mh+/AaKjhV/s=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=bGra2pZm/V7ttpDbB7qkBlkdjQedgI8dz0ghqBuEaWTNp81KbQ9QqMQBvADDFrJTm rd19VmGqeEza7LHOcT2YcXgsiJSK18vn3fQjSrfNYeddqBB9zXS787bTU+s6smgYj2 i6UpTBwnn1JyUwwOSetFKXw3c7+kWtzCLMmgjsCdr+WAcSQWWJyXrIGxMk4kKN2mPr VHesNz+Vtjc+KQZGZRxhp2x5Rb+NV1vcqYNqfQedbXrL8uKIRGvfpRcy+mUcU6Rcai tReD7NUj8qIIBgjq05dLwV5a6PiCsh3IstcbYMMY9wtPg6+wiaaPBRmobvzAugfWqC 57on1kUGPjpPA== Date: Tue, 11 Jul 2023 11:39:57 +0200 From: Christian Brauner To: Wen Yang Cc: Alexander Viro , Jens Axboe , Christoph Hellwig , Dylan Yudaken , David Woodhouse , Matthew Wilcox , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] eventfd: avoid overflow to ULLONG_MAX when ctx->count is 0 Message-ID: <20230711-legalisieren-qualvoll-c578e099c65a@brauner> References: <20230710-fahrbahn-flocken-03818a6b2e91@brauner> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Jul 10, 2023 at 11:02:33PM +0800, Wen Yang wrote: > > On 2023/7/10 22:12, Christian Brauner wrote: > > On Sun, Jul 09, 2023 at 02:54:51PM +0800, wenyang.linux@foxmail.com wrote: > > > From: Wen Yang > > > > > > For eventfd with flag EFD_SEMAPHORE, when its ctx->count is 0, calling > > > eventfd_ctx_do_read will cause ctx->count to overflow to ULLONG_MAX. > > > > > > Fixes: cb289d6244a3 ("eventfd - allow atomic read and waitqueue remove") > > > Signed-off-by: Wen Yang > > > Cc: Alexander Viro > > > Cc: Jens Axboe > > > Cc: Christian Brauner > > > Cc: Christoph Hellwig > > > Cc: Dylan Yudaken > > > Cc: David Woodhouse > > > Cc: Matthew Wilcox > > > Cc: linux-fsdevel@vger.kernel.org > > > Cc: linux-kernel@vger.kernel.org > > > --- > > So this looks ok but I would like to see an analysis how the overflow > > can happen. I'm looking at the callers and it seems that once ctx->count > > hits 0 eventfd_read() won't call eventfd_ctx_do_read() anymore. So is > > there a caller that can call directly or indirectly > > eventfd_ctx_do_read() on a ctx->count == 0? > eventfd_read() ensures that ctx->count is not 0 before calling > eventfd_ctx_do_read() and it is correct. > > But it is not appropriate for eventfd_ctx_remove_wait_queue() to call > eventfd_ctx_do_read() unconditionally, > > as it may not only causes ctx->count to overflow, but also unnecessarily > calls wake_up_locked_poll(). > > > I am sorry for just adding the following string in the patch: > Fixes: cb289d6244a3 ("eventfd - allow atomic read and waitqueue remove") > > > Looking forward to your suggestions. > > -- > > Best wishes, > > Wen > > > > I'm just slightly skeptical about patches that fix issues without an > > analysis how this can happen. > > > > > fs/eventfd.c | 4 +++- > > > 1 file changed, 3 insertions(+), 1 deletion(-) > > > > > > diff --git a/fs/eventfd.c b/fs/eventfd.c > > > index 8aa36cd37351..10a101df19cd 100644 > > > --- a/fs/eventfd.c > > > +++ b/fs/eventfd.c > > > @@ -189,7 +189,7 @@ void eventfd_ctx_do_read(struct eventfd_ctx *ctx, __u64 *cnt) > > > { > > > lockdep_assert_held(&ctx->wqh.lock); > > > - *cnt = (ctx->flags & EFD_SEMAPHORE) ? 1 : ctx->count; > > > + *cnt = ((ctx->flags & EFD_SEMAPHORE) && ctx->count) ? 1 : ctx->count; > > > ctx->count -= *cnt; > > > } > > > EXPORT_SYMBOL_GPL(eventfd_ctx_do_read); > > > @@ -269,6 +269,8 @@ static ssize_t eventfd_write(struct file *file, const char __user *buf, size_t c > > > return -EFAULT; > > > if (ucnt == ULLONG_MAX) > > > return -EINVAL; > > > + if ((ctx->flags & EFD_SEMAPHORE) && !ucnt) > > > + return -EINVAL; Hm, why is bit necessary though? What's wrong with specifying ucnt == 0 with EFD_SEMAPHORE? This also looks like a (very low potential) uapi break.