Re: [PATCH] aio: prevent the final fput() in the middle of vfs_poll() (Re: KASAN: use-after-free Read in unix_dgram_poll)

2019-03-04 Thread Linus Torvalds
On Sun, Mar 3, 2019 at 6:36 PM Al Viro wrote: > > OK, having dug through the archives, the reasons were not strong. > So that part is OK... I've committed the patch. However, I didn't actually do the separate and independent cleanups: > > @@ -1060,6 +1071,8 @@ static inline void

Re: [PATCH] aio: prevent the final fput() in the middle of vfs_poll() (Re: KASAN: use-after-free Read in unix_dgram_poll)

2019-03-03 Thread Dmitry Vyukov
On Sun, Mar 3, 2019 at 4:19 PM Al Viro wrote: > > On Sun, Mar 03, 2019 at 01:55:02PM +, Al Viro wrote: > > > Maybe unrelated to this bug, but... What's to prevent a wakeup > > that happens just after we'd been added to a waitqueue by ->poll() > > triggering aio_poll_wake(), which gets to

Re: [PATCH] aio: prevent the final fput() in the middle of vfs_poll() (Re: KASAN: use-after-free Read in unix_dgram_poll)

2019-03-03 Thread Al Viro
On Sun, Mar 03, 2019 at 02:23:33PM -0800, Linus Torvalds wrote: OK, having dug through the archives, the reasons were not strong. So that part is OK... > @@ -1060,6 +1071,8 @@ static inline void iocb_put(struct aio_kiocb *iocb) > { > if (refcount_read(>ki_refcnt) == 0 || >

Re: [PATCH] aio: prevent the final fput() in the middle of vfs_poll() (Re: KASAN: use-after-free Read in unix_dgram_poll)

2019-03-03 Thread Linus Torvalds
On Sun, Mar 3, 2019 at 12:30 PM Al Viro wrote: > > On Sun, Mar 03, 2019 at 11:44:33AM -0800, Linus Torvalds wrote: > > > > I'm assuming you're talking about the second vfs_poll() in > > aio_poll_complete_work()? The one we call before we check for > > "rew->cancelled" properly under the spinlock?

Re: [PATCH] aio: prevent the final fput() in the middle of vfs_poll() (Re: KASAN: use-after-free Read in unix_dgram_poll)

2019-03-03 Thread Al Viro
On Sun, Mar 03, 2019 at 11:44:33AM -0800, Linus Torvalds wrote: > On Sun, Mar 3, 2019 at 7:18 AM Al Viro wrote: > > > > > Maybe unrelated to this bug, but... What's to prevent a wakeup > > > that happens just after we'd been added to a waitqueue by ->poll() > > > triggering aio_poll_wake(),

Re: [PATCH] aio: prevent the final fput() in the middle of vfs_poll() (Re: KASAN: use-after-free Read in unix_dgram_poll)

2019-03-03 Thread Linus Torvalds
On Sun, Mar 3, 2019 at 11:44 AM Linus Torvalds wrote: > > But doesn't it look nice to see > > 2 files changed, 41 insertions(+), 50 deletions(-) > > with actual code reduction, and a fundamental simplification in > handling of the file pointer? A couple of the changes are "useless", and do the

Re: [PATCH] aio: prevent the final fput() in the middle of vfs_poll() (Re: KASAN: use-after-free Read in unix_dgram_poll)

2019-03-03 Thread Linus Torvalds
On Sun, Mar 3, 2019 at 7:18 AM Al Viro wrote: > > > Maybe unrelated to this bug, but... What's to prevent a wakeup > > that happens just after we'd been added to a waitqueue by ->poll() > > triggering aio_poll_wake(), which gets to aio_poll_complete() > > with its fput() *before* we'd reached

Re: [PATCH] aio: prevent the final fput() in the middle of vfs_poll() (Re: KASAN: use-after-free Read in unix_dgram_poll)

2019-03-03 Thread Eric Dumazet
On 03/03/2019 07:18 AM, Al Viro wrote: > Fixes: bfe4037e722ec > Cc: sta...@vger.kernel.org > Signed-off-by: Al Viro > --- > diff --git a/fs/aio.c b/fs/aio.c > index 3083180a54c8..7e88bfabdac2 100644 > --- a/fs/aio.c > +++ b/fs/aio.c > @@ -1767,6 +1767,7 @@ static ssize_t aio_poll(struct

[PATCH] aio: prevent the final fput() in the middle of vfs_poll() (Re: KASAN: use-after-free Read in unix_dgram_poll)

2019-03-03 Thread Al Viro
On Sun, Mar 03, 2019 at 01:55:02PM +, Al Viro wrote: > Maybe unrelated to this bug, but... What's to prevent a wakeup > that happens just after we'd been added to a waitqueue by ->poll() > triggering aio_poll_wake(), which gets to aio_poll_complete() > with its fput() *before* we'd reached