From: Oleg Nesterov <oleg@redhat.com>
To: Christian Brauner <brauner@kernel.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Manfred Spraul <manfred@colorfullife.com>
Cc: "David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>, Jens Axboe <axboe@kernel.dk>,
Pavel Begunkov <asml.silence@gmail.com>,
WangYuli <wangyuli@uniontech.com>,
linux-kernel@vger.kernel.org, io-uring@vger.kernel.org,
netdev@vger.kernel.org
Subject: [PATCH 1/5] poll_wait: add mb() to fix theoretical race between waitqueue_active() and .poll()
Date: Tue, 7 Jan 2025 17:27:17 +0100 [thread overview]
Message-ID: <20250107162717.GA18922@redhat.com> (raw)
In-Reply-To: <20250107162649.GA18886@redhat.com>
As the comment above waitqueue_active() explains, it can only be used
if both waker and waiter have mb()'s that pair with each other. However
__pollwait() is broken in this respect.
This is not pipe-specific, but let's look at pipe_poll() for example:

	poll_wait(...); // -> __pollwait() -> add_wait_queue()
	LOAD(pipe->head);
	LOAD(pipe->head);

In theory these LOAD()'s can leak into the critical section inside
add_wait_queue() and can happen before list_add(entry, wq_head); in this
case pipe_poll() can race with wakeup_pipe_readers/writers which do

	smp_mb();
	if (waitqueue_active(wq_head))
		wake_up_interruptible(wq_head);
There are more __pollwait()-like functions (grep init_poll_funcptr), and
it seems that at least ep_ptable_queue_proc() has the same problem, so the
patch adds smp_mb() into poll_wait().
Link: https://lore.kernel.org/all/20250102163320.GA17691@redhat.com/
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
---
include/linux/poll.h | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/include/linux/poll.h b/include/linux/poll.h
index d1ea4f3714a8..fc641b50f129 100644
--- a/include/linux/poll.h
+++ b/include/linux/poll.h
@@ -41,8 +41,16 @@ typedef struct poll_table_struct {
static inline void poll_wait(struct file * filp, wait_queue_head_t * wait_address, poll_table *p)
{
- if (p && p->_qproc && wait_address)
+ if (p && p->_qproc && wait_address) {
p->_qproc(filp, wait_address, p);
+ /*
+ * This memory barrier is paired in the wq_has_sleeper().
+ * See the comment above prepare_to_wait(), we need to
+ * ensure that subsequent tests in this thread can't be
+ * reordered with __add_wait_queue() in _qproc() paths.
+ */
+ smp_mb();
+ }
}
/*
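Review bot: the new comment says the barrier "is paired in the wq_has_sleeper()", but the partner is the smp_mb() every waker issues before waitqueue_active(), whether open-coded as in the wakeup_pipe_readers/writers example from the commit message or wrapped in wq_has_sleeper(); suggest wording it as "pairs with the smp_mb() in wq_has_sleeper() and with open-coded smp_mb(); waitqueue_active() sequences" so a reader does not conclude that callers using waitqueue_active() directly are left unordered. It would also help to say in the comment why the barrier lives here rather than in each _qproc: the check is on p->_qproc, so the smp_mb() is now paid on every poll_wait() call with a non-NULL _qproc, and the comment should make clear that this is the intended single place for it.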
--
2.25.1.362.g51ebf55
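As an added example that is not part of Oleg's patch or the kernel source, here is a user-space model of the waker/waiter pairing the commit message describes, written with C11 atomics and pthreads. The names `ready`, `registered`, `run_trial()` and `count_lost_wakeups()` are assumptions of this model: `registered` stands in for the wait-queue list that add_wait_queue() appends to, `ready` for the pipe->head change the waker makes, and each side's `atomic_thread_fence(memory_order_seq_cst)` for smp_mb(). A "lost wakeup" is the outcome the patch rules out: the waiter decides to sleep because it saw no data, and the waker decides not to wake because it saw no sleeper.

```c
/* Added example, not kernel code: store-buffering race behind the poll_wait() smp_mb(). */
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

struct trial {
	atomic_int ready;       /* waker's state change (pipe->head moved) */
	atomic_int registered;  /* waiter has been added to the wait queue */
	atomic_int start;       /* both threads spin on this so they race for real */
	int use_barriers;       /* 1 = smp_mb() on both sides, 0 = neither side */
	int waiter_saw_ready;   /* what pipe_poll()'s LOAD(pipe->head) observed */
	int waker_saw_waiter;   /* what waitqueue_active() observed */
};

static void spin_until_start(struct trial *t)
{
	while (!atomic_load_explicit(&t->start, memory_order_acquire))
		;
}

/* Models pipe_poll(): poll_wait() adds to the queue, then the condition is tested. */
static void *waiter(void *arg)
{
	struct trial *t = arg;

	spin_until_start(t);
	atomic_store_explicit(&t->registered, 1, memory_order_relaxed); /* list_add() */
	if (t->use_barriers)
		atomic_thread_fence(memory_order_seq_cst);   /* the smp_mb() this patch adds */
	t->waiter_saw_ready = atomic_load_explicit(&t->ready, memory_order_relaxed);
	return NULL;
}

/* Models wakeup_pipe_readers(): change state, smp_mb(), then waitqueue_active(). */
static void *waker(void *arg)
{
	struct trial *t = arg;

	spin_until_start(t);
	atomic_store_explicit(&t->ready, 1, memory_order_relaxed);  /* pipe->head++ */
	if (t->use_barriers)
		atomic_thread_fence(memory_order_seq_cst);   /* waker's smp_mb() */
	t->waker_saw_waiter = atomic_load_explicit(&t->registered, memory_order_relaxed);
	return NULL;
}

/* One race; true means a lost wakeup (waiter would sleep, waker would not wake it). */
bool run_trial(int use_barriers)
{
	struct trial t = { .use_barriers = use_barriers };
	pthread_t a, b;

	pthread_create(&a, NULL, waiter, &t);
	pthread_create(&b, NULL, waker, &t);
	atomic_store_explicit(&t.start, 1, memory_order_release);
	pthread_join(a, NULL);
	pthread_join(b, NULL);
	return !t.waiter_saw_ready && !t.waker_saw_waiter;
}

/* Repeats the race and counts lost wakeups; with both fences this is always 0. */
int count_lost_wakeups(int trials, int use_barriers)
{
	int lost = 0;

	for (int i = 0; i < trials; i++)
		lost += run_trial(use_barriers);
	return lost;
}

int main(void)
{
	printf("with smp_mb() on both sides: %d lost wakeups\n", count_lost_wakeups(2000, 1));
	printf("without barriers:            %d lost wakeups\n", count_lost_wakeups(2000, 0));
	return 0;
}
```

With both fences the forbidden outcome (both loads return 0) cannot occur under the C11 memory model, which is the property the kernel pattern relies on; the second count is hardware and timing dependent, since the store-load reordering the commit message worries about is permitted even on x86, so it may show a few lost wakeups on one run and none on the next. That variability is exactly why the commit message calls the race theoretical rather than easily reproducible.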