Date: Mon, 6 May 2024 14:23:48 +0200
From: Daniel Vetter
To: Al Viro
Cc: Linus Torvalds, Kees Cook, Jens Axboe, Bui Quang Minh, Christian Brauner, syzbot, io-uring@vger.kernel.org, jack@suse.cz, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, Sumit Semwal, Christian König, linux-media@vger.kernel.org, dri-devel@lists.freedesktop.org, linaro-mm-sig@lists.linaro.org, Laura Abbott
Subject: Re: get_file() unsafe under epoll (was Re: [syzbot] [fs?] [io-uring?] general protection fault in __ep_remove)

On Fri, May 03, 2024 at 10:53:03PM +0100, Al Viro wrote:
> On Fri, May 03, 2024 at 02:42:22PM -0700, Linus Torvalds wrote:
> > On Fri, 3 May 2024 at 14:36, Al Viro wrote:
> > >
> > > ... the last part is no-go - poll_wait() must be able to grab a reference
> > > (well, the callback in it must)
> >
> > Yeah. I really think that *poll* itself is doing everything right. It
> > knows that it's called with a file pointer with a reference, and it
> > adds its own references as needed.
>
> Not really. Note that select's __pollwait() does *NOT* leave a reference
> at the mercy of driver - it's stuck into poll_table_entry->filp and
> the poll_freewait() knows how to take those out.
>
>
> dmabuf does something very different - it grabs the damn thing into
> its private data structures and for all we know it could keep it for
> a few hours, until some event materializes.

dma_fence must complete in a reasonable amount of time, where "reasonable" is
roughly in line with other i/o (including the option that there's timeouts
if the hw's gone busted). So definitely not hours (aside from driver bugs
when things go really wrong ofc), but more like a few seconds in a worst
case scenario.
-Sima
--
Daniel Vetter
Software Engineer, Intel Corporation
http://blog.ffwll.ch