From: Eric Biggers <ebiggers@kernel.org>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>,
Benjamin LaHaise <bcrl@kvack.org>,
linux-aio@kvack.org, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org, Ramji Jiyani <ramjiyani@google.com>,
Christoph Hellwig <hch@lst.de>, Oleg Nesterov <oleg@redhat.com>,
Jens Axboe <axboe@kernel.dk>, Martijn Coenen <maco@android.com>,
Xie Yongji <xieyongji@bytedance.com>
Subject: [GIT PULL] aio poll fixes for 5.16-rc5
Date: Fri, 10 Dec 2021 10:32:55 -0800 [thread overview]
Message-ID: <YbOdV8CPbyPAF234@sol.localdomain> (raw)
The following changes since commit 0fcfb00b28c0b7884635dacf38e46d60bf3d4eb1:
Linux 5.16-rc4 (2021-12-05 14:08:22 -0800)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux.git tags/aio-poll-for-linus
for you to fetch changes up to 4b3749865374899e115aa8c48681709b086fe6d3:
aio: Fix incorrect usage of eventfd_signal_allowed() (2021-12-09 10:52:55 -0800)
----------------------------------------------------------------
Fix three bugs in aio poll, and one issue with POLLFREE more broadly:
- aio poll didn't handle POLLFREE, causing a use-after-free.
- aio poll could block while the file is ready.
- aio poll called eventfd_signal() when it isn't allowed.
- POLLFREE didn't handle multiple exclusive waiters correctly.
This has been tested with the libaio test suite, as well as with test
programs I wrote that reproduce the first two bugs. I am sending this
pull request myself as no one seems to be maintaining this code.
----------------------------------------------------------------
Eric Biggers (5):
wait: add wake_up_pollfree()
binder: use wake_up_pollfree()
signalfd: use wake_up_pollfree()
aio: keep poll requests on waitqueue until completed
aio: fix use-after-free due to missing POLLFREE handling
Xie Yongji (1):
aio: Fix incorrect usage of eventfd_signal_allowed()
drivers/android/binder.c | 21 ++---
fs/aio.c | 186 ++++++++++++++++++++++++++++++++--------
fs/signalfd.c | 12 +--
include/linux/wait.h | 26 ++++++
include/uapi/asm-generic/poll.h | 2 +-
kernel/sched/wait.c | 7 ++
6 files changed, 196 insertions(+), 58 deletions(-)
next reply other threads:[~2021-12-10 18:33 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-10 18:32 Eric Biggers [this message]
2021-12-10 22:18 ` [GIT PULL] aio poll fixes for 5.16-rc5 Linus Torvalds
2021-12-10 23:00 ` Eric Biggers
2021-12-11 0:45 ` Theodore Y. Ts'o
2021-12-13 7:23 ` Christoph Hellwig
2021-12-10 22:46 ` pr-tracker-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YbOdV8CPbyPAF234@sol.localdomain \
--to=ebiggers@kernel.org \
--cc=axboe@kernel.dk \
--cc=bcrl@kvack.org \
--cc=hch@lst.de \
--cc=linux-aio@kvack.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=maco@android.com \
--cc=oleg@redhat.com \
--cc=ramjiyani@google.com \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
--cc=xieyongji@bytedance.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).