From: Linus Torvalds
Date: Fri, 3 May 2024 14:42:22 -0700
Subject: Re: get_file() unsafe under epoll (was Re: [syzbot] [fs?] [io-uring?] general protection fault in __ep_remove)
To: Al Viro
Cc: Kees Cook, Jens Axboe, Bui Quang Minh, Christian Brauner, syzbot, io-uring@vger.kernel.org, jack@suse.cz, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, Sumit Semwal, Christian König, linux-media@vger.kernel.org, dri-devel@lists.freedesktop.org, linaro-mm-sig@lists.linaro.org, Laura Abbott
X-Mailing-List: linux-kernel@vger.kernel.org
In-Reply-To: <20240503213625.GA2118490@ZenIV>

On Fri, 3 May 2024 at 14:36, Al Viro wrote:
>
> ... the last part is no-go - poll_wait() must be able to grab a reference
> (well, the callback in it must)

Yeah. I really think that *poll* itself is doing everything right. It knows that it's called with a file pointer with a reference, and it adds its own references as needed.

And I think that's all fine - both for dmabuf in particular, but for poll in general. That's how things are *supposed* to work. You can keep references to other things in your 'struct file *', knowing that files are properly refcounted, and won't go away while you are dealing with them.

The problem, of course, is that then epoll violates that "called with reference" part. epoll very much by design does *not* take references to the files it keeps track of, and then tears them down at close() time.

Now, epoll has its reasons for doing that. They are even good reasons. But that does mean that epoll needs to deal with that hackery.

I wish we could remove epoll entirely, but that isn't an option, so we need to just make sure that when it accesses the ffd.file pointer, it does so more carefully.

Linus
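A user-space C model of the lifetime rule discussed in the message above, added here as an illustration; it is not kernel code and not code from anyone in the thread. It shows a holder that keeps a file pointer without a reference pinning the file with an increment-if-nonzero before calling a poll handler. `struct file_model`, `get_ref()`, `put_ref()`, `get_ref_not_zero()`, `poll_model()` and `watcher_poll()` are hypothetical names, and a count of 0 stands in for "teardown has begun".

```c
#include <stdatomic.h>
#include <stdbool.h>

/* Constructed user-space model, not kernel code. f_count == 0 means the
 * last reference is gone and teardown of the object has begun. */
struct file_model { atomic_long f_count; };

/* Plain get: correct only when the caller already holds a reference. */
void get_ref(struct file_model *f) { atomic_fetch_add(&f->f_count, 1); }

/* Drop a reference; returns true if it was the last one. */
bool put_ref(struct file_model *f) { return atomic_fetch_sub(&f->f_count, 1) == 1; }

/* Careful get for a non-owning holder: take a reference only while nonzero. */
bool get_ref_not_zero(struct file_model *f)
{
    long old = atomic_load(&f->f_count);
    while (old != 0) {
        if (atomic_compare_exchange_weak(&f->f_count, &old, old + 1))
            return true;   /* on failure, old now holds the current count */
    }
    return false;
}

/* Poll handler that assumes it is called with a reference and adds its own. */
int poll_model(struct file_model *f)
{
    get_ref(f);
    int events = 1;        /* constructed "readable" result */
    put_ref(f);
    return events;
}

/* Non-owning watcher (the epoll role): pin first, return -1 if already dying. */
int watcher_poll(struct file_model *f, int (*poll_fn)(struct file_model *))
{
    if (!get_ref_not_zero(f))
        return -1;
    int events = poll_fn(f);
    put_ref(f);
    return events;
}

int main(void)
{
    struct file_model live = { 1 }, dying = { 0 };
    return !(watcher_poll(&live, poll_model) == 1 && watcher_poll(&dying, poll_model) == -1);
}
```

Calling `poll_model()` directly on the dying object would raise its count from 0 to 1 while teardown is under way, which is the "called with reference" violation the message describes.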