Date: Sat, 4 May 2024 11:37:31 +0200
From: Christian Brauner
To: Linus Torvalds
Cc: Al Viro, keescook@chromium.org, axboe@kernel.dk, christian.koenig@amd.com, dri-devel@lists.freedesktop.org, io-uring@vger.kernel.org, jack@suse.cz, laura@labbott.name, linaro-mm-sig@lists.linaro.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-media@vger.kernel.org, minhquangbui99@gmail.com, sumit.semwal@linaro.org, syzbot+045b454ab35fd82a35fb@syzkaller.appspotmail.com, syzkaller-bugs@googlegroups.com
Subject: Re: [PATCH] epoll: try to be a _bit_ better about file lifetimes
Message-ID: <20240504-wohngebiet-restwert-6c3c94fddbdd@brauner>
References: <202405031110.6F47982593@keescook> <20240503211129.679762-2-torvalds@linux-foundation.org> <20240503212428.GY2118490@ZenIV>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, May 03, 2024 at 02:33:37PM -0700, Linus Torvalds wrote:
> On Fri, 3 May 2024 at 14:24, Al Viro wrote:
> >
> > Can we get to ep_item_poll(epi, ...) after eventpoll_release_file()
> > got past __ep_remove()? Because if we can, we have a worse problem -
> > epi freed under us.
>
> Look at the hack in __ep_remove(): if it is concurrent with
> eventpoll_release_file(), it will hit this code
>
>         spin_lock(&file->f_lock);
>         if (epi->dying && !force) {
>                 spin_unlock(&file->f_lock);
>                 return false;
>         }
>
> and not free the epi.
>
> But as far as I can tell, almost nothing else cares about the f_lock
> and dying logic.
>
> And in fact, I don't think doing
>
>         spin_lock(&file->f_lock);
>
> is even valid in the places that look up file through "epi->ffd.file",
> because the lock itself is inside the thing that you can't trust until
> you've taken the lock...
>
> So I agree with Kees about the use of "atomic_dec_not_zero()" kind of
> logic - but it also needs to be in an RCU-readlocked region, I think.

Why isn't it enough to just force dma_buf_poll() to use
get_file_active()? Then that whole problem goes away afaict.

So the fix I had yesterday before I had to step away from the computer
was literally just that [1]. It currently uses two atomic incs
potentially but that can probably be fixed by the dma folks to be
smarter about when they actually need to take a file reference.

>
> I wish epoll() just took the damn file ref itself. But since it relies
> on the file refcount to release the data structure, that obviously
> can't work.
>
>                 Linus

diff --git a/drivers/dma-buf/dma-buf.c b/drivers/dma-buf/dma-buf.c index 8fe5aa67b167..7149c45976e1 100644 --- a/drivers/dma-buf/dma-buf.c +++ b/drivers/dma-buf/dma-buf.c @@ -244,13 +244,18 @@ static __poll_t dma_buf_poll(struct file *file, poll_table *poll) if (!dmabuf || !dmabuf->resv) return EPOLLERR; + if (!get_file_active(&dmabuf->file)) + return EPOLLERR; + resv = dmabuf->resv; poll_wait(file, &dmabuf->poll, poll); events = poll_requested_events(poll) & (EPOLLIN | EPOLLOUT); - if (!events) + if (!events) { + fput(file); return 0; + } dma_resv_lock(resv, NULL); @@ -268,7 +273,6 @@ static __poll_t dma_buf_poll(struct file *file, poll_table *poll) if (events & EPOLLOUT) { /* Paired with fput in dma_buf_poll_cb */ get_file(dmabuf->file); - if (!dma_buf_poll_add_cb(resv, true, dcb)) /* No callback queued, wake up any other waiters */ dma_buf_poll_cb(NULL, &dcb->cb); @@ -301,6 +305,7 @@ static __poll_t dma_buf_poll(struct file *file, poll_table *poll) } dma_resv_unlock(resv); + fput(file); return events; }
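
Review bot: in the first hunk (@@ -244,13 +244,18 @@) the reference is taken on &dmabuf->file only after dmabuf and dmabuf->resv have already been read, so those two reads happen before any reference is held, and the release uses a different name, fput(file). Consider taking the reference ahead of the "!dmabuf || !dmabuf->resv" check and using one expression for both acquire and release, or add a comment stating that dmabuf->file and file are the same object here.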
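
Review bot: the second hunk (@@ -268,7 +273,6 @@) is a whitespace-only change, deleting the blank line after get_file(dmabuf->file), and is unrelated to the lifetime fix; it should be dropped from the patch. Because that get_file() now stacks on the reference taken at function entry (the "two atomic incs" the message mentions), the existing "Paired with fput in dma_buf_poll_cb" comment is the natural place to say why a second reference is still needed.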
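
Review bot: the fput(file) added in the last hunk (@@ -301,6 +305,7 @@) is the second of two hand-placed release sites, the other being the "if (!events)" early return, so any return added later between get_file_active() and "return events" would leak the reference. Suggest a single exit label that does the fput() and returns events, with a comment pairing it with the get_file_active() at the top of the function.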
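
The difference between the unconditional get_file() and the increment-unless-zero acquire that get_file_active() provides, as an added userspace model in C11 atomics (not kernel code and not part of the original message). struct obj and the ref_* helpers are hypothetical stand-ins, and the model does not cover the memory being freed or reused, which is the part the quoted text says needs an RCU read-side section.

```c
#include <stdatomic.h>
#include <stdbool.h>

/* Hypothetical stand-in for struct file: only the reference count. */
struct obj {
    atomic_long count;   /* 0 means the last reference is gone */
};

/* Unconditional increment, in the style of get_file(): only safe when the
 * caller already owns a reference, because it will happily go 0 -> 1. */
static long ref_get(struct obj *o)
{
    return atomic_fetch_add(&o->count, 1) + 1;
}

/* Increment unless zero, the inc-not-zero style of acquire: refuses an
 * object whose last reference has already been dropped. */
static bool ref_get_active(struct obj *o)
{
    long old = atomic_load(&o->count);
    while (old != 0) {
        /* On failure, old is reloaded with the current value. */
        if (atomic_compare_exchange_weak(&o->count, &old, old + 1))
            return true;
    }
    return false;
}

/* Drop a reference; returns true when this was the last one. */
static bool ref_put(struct obj *o)
{
    return atomic_fetch_sub(&o->count, 1) == 1;
}

/* Constructed scenario: a poller holding only a borrowed pointer runs
 * after the final put. Returns the count left after its attempt. */
static long poll_after_last_put(bool use_active)
{
    struct obj o;
    atomic_init(&o.count, 1);
    ref_put(&o);                 /* last reference dropped, teardown begins */
    if (use_active)
        ref_get_active(&o);      /* fails, count stays 0 */
    else
        ref_get(&o);             /* revives an object already being torn down */
    return atomic_load(&o.count);
}
```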