From: Jens Axboe <axboe@kernel.dk>
To: Eric Biggers <ebiggers@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
	Alexander Viro <viro@zeniv.linux.org.uk>,
	Benjamin LaHaise <bcrl@kvack.org>,
	linux-aio@kvack.org,
	linux-fsdevel <linux-fsdevel@vger.kernel.org>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	Ramji Jiyani <ramjiyani@google.com>,
	Christoph Hellwig <hch@lst.de>, Oleg Nesterov <oleg@redhat.com>,
	Martijn Coenen <maco@android.com>,
	stable <stable@vger.kernel.org>
Subject: Re: [PATCH v3 0/5] aio: fix use-after-free and missing wakeups
Date: Wed, 5 Jan 2022 09:11:31 -0700
Message-ID: <8289804d-dc19-2ecd-d03e-d4af97b5ee18@kernel.dk>
In-Reply-To: <YdW4sApUUBi/5UHh@sol.localdomain>

On 1/5/22 7:26 AM, Eric Biggers wrote:
> On Thu, Dec 09, 2021 at 02:46:45PM -0700, Jens Axboe wrote:
>> On 12/9/21 11:00 AM, Linus Torvalds wrote:
>>> On Wed, Dec 8, 2021 at 5:06 PM Eric Biggers <ebiggers@kernel.org> wrote:
>>>>
>>>> Careful review is appreciated; the aio poll code is very hard to work
>>>> with, and it doesn't appear to have many tests.  I've verified that it
>>>> passes the libaio test suite, which provides some coverage of poll.
>>>>
>>>> Note, it looks like io_uring has the same bugs as aio poll.  I haven't
>>>> tried to fix io_uring.
>>>
>>> I'm hoping Jens is looking at the io_uring case, but I'm also assuming
>>> that I'll just get a pull request for this at some point.
>>
>> Yes, when I saw this original posting I did discuss it with Pavel as
>> well, and we agree that the same issue exists there. Which isn't too
>> surprising, as that's where the io_uring poll code came from originally.
>>
> 
> Jens, any update on fixing the io_uring version of the bug?  Note,
> syzbot has managed to use io_uring poll to hit the WARN_ON_ONCE() that
> I added in __wake_up_pollfree(), which proves that it is broken.

There are two parts to this; the first part has been queued up for 5.17 for
a few weeks. Work in progress...

-- 
Jens Axboe



Thread overview: 15+ messages
2021-12-09  1:04 [PATCH v3 0/5] aio: fix use-after-free and missing wakeups Eric Biggers
2021-12-09  1:04 ` [PATCH v3 1/5] wait: add wake_up_pollfree() Eric Biggers
2021-12-09  1:04 ` [PATCH v3 2/5] binder: use wake_up_pollfree() Eric Biggers
2021-12-09  1:04 ` [PATCH v3 3/5] signalfd: " Eric Biggers
2021-12-09  1:04 ` [PATCH v3 4/5] aio: keep poll requests on waitqueue until completed Eric Biggers
2021-12-09  1:04 ` [PATCH v3 5/5] aio: fix use-after-free due to missing POLLFREE handling Eric Biggers
2021-12-09 18:00 ` [PATCH v3 0/5] aio: fix use-after-free and missing wakeups Linus Torvalds
2021-12-09 18:37   ` Eric Biggers
2021-12-13  7:23     ` Christoph Hellwig
2021-12-13 17:24       ` Eric Biggers
2021-12-09 21:46   ` Jens Axboe
2021-12-10  5:10     ` Eric Biggers
2021-12-10  8:07       ` Eric Biggers
2022-01-05 15:26     ` Eric Biggers
2022-01-05 16:11       ` Jens Axboe [this message]
