From: "zhengbin (A)" <zhengbin13@huawei.com>
To: Al Viro <viro@ZenIV.linux.org.uk>,
	Linus Torvalds <torvalds@linux-foundation.org>
Cc: Eric Dumazet <eric.dumazet@gmail.com>,
	David Miller <davem@davemloft.net>,
	Jason Baron <jbaron@akamai.com>, <kgraul@linux.ibm.com>,
	<ktkhai@virtuozzo.com>, <kyeongdon.kim@lge.com>,
	Linux List Kernel Mailing <linux-kernel@vger.kernel.org>,
	Netdev <netdev@vger.kernel.org>, <pabeni@redhat.com>,
	<syzkaller-bugs@googlegroups.com>, <xiyou.wangcong@gmail.com>,
	Christoph Hellwig <hch@lst.de>, <bcrl@kvack.org>,
	<linux-fsdevel@vger.kernel.org>, <linux-aio@kvack.org>,
	<houtao1@huawei.com>, <yi.zhang@huawei.com>
Subject: Re: [PATCH 3/8] aio_poll(): sanitize the logics after vfs_poll(), get rid of leak on error
Date: Thu, 7 Mar 2019 10:11:02 +0800
Message-ID: <0c631d6f-48b6-3691-eec5-29eb55817346@huawei.com>
In-Reply-To: <20190307000316.31133-3-viro@ZenIV.linux.org.uk>

+	if (async && !apt.error)  ---> maybe this should be if (!async && !apt.error)?

On 2019/3/7 8:03, Al Viro wrote:
> From: Al Viro <viro@zeniv.linux.org.uk>
> 
> We want iocb_put() happening on errors, to balance the extra reference
> we'd taken.  As it is, we end up with a leak.  The rules should be
> 	* error: iocb_put() to deal with the extra ref, return error,
> let the caller do another iocb_put().
> 	* async: iocb_put() to deal with the extra ref, return 0.
> 	* no error, event present immediately: aio_poll_complete() to
> report it, iocb_put() to deal with the extra ref, return 0.
> 
> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
> ---
>  fs/aio.c | 25 +++++++++++--------------
>  1 file changed, 11 insertions(+), 14 deletions(-)
> 
> diff --git a/fs/aio.c b/fs/aio.c
> index 3a8b894378e0..22b288997441 100644
> --- a/fs/aio.c
> +++ b/fs/aio.c
> @@ -1724,6 +1724,7 @@ static ssize_t aio_poll(struct aio_kiocb *aiocb, const struct iocb *iocb)
>  	struct kioctx *ctx = aiocb->ki_ctx;
>  	struct poll_iocb *req = &aiocb->poll;
>  	struct aio_poll_table apt;
> +	bool async = false;
>  	__poll_t mask;
>  
>  	/* reject any unknown events outside the normal event mask. */
> @@ -1760,30 +1761,26 @@ static ssize_t aio_poll(struct aio_kiocb *aiocb, const struct iocb *iocb)
>  
>  	spin_lock_irq(&ctx->ctx_lock);
>  	spin_lock(&req->head->lock);
> -	if (req->woken) {
> -		/* wake_up context handles the rest */
> -		mask = 0;
> +	if (req->woken) { /* already taken up by aio_poll_wake() */
> +		async = true;
>  		apt.error = 0;
> -	} else if (mask || apt.error) {
> -		/* if we get an error or a mask we are done */
> -		WARN_ON_ONCE(list_empty(&req->wait.entry));
> -		list_del_init(&req->wait.entry);
> -	} else {
> -		/* actually waiting for an event */
> +	} else if (!mask && !apt.error) { /* actually waiting for an event */
>  		list_add_tail(&aiocb->ki_list, &ctx->active_reqs);
>  		aiocb->ki_cancel = aio_poll_cancel;
> +		async = true;
> +	} else { /* if we get an error or a mask we are done */
> +		WARN_ON_ONCE(list_empty(&req->wait.entry));
> +		list_del_init(&req->wait.entry);
> +		/* no wakeup in the future either; aiocb is ours to dispose of */
>  	}
>  	spin_unlock(&req->head->lock);
>  	spin_unlock_irq(&ctx->ctx_lock);
>  
>  out:
> -	if (unlikely(apt.error))
> -		return apt.error;
> -
> -	if (mask)
> +	if (async && !apt.error)
>  		aio_poll_complete(aiocb, mask);
>  	iocb_put(aiocb);
> -	return 0;
> +	return apt.error;
>  }
>  
>  static int __io_submit_one(struct kioctx *ctx, const struct iocb *iocb,
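
Review bot: the test after the `out:` label, `if (async && !apt.error)`, is inverted relative to the rules stated in the commit message. `async` is set to true in the `req->woken` branch, where aio_poll_wake() has already taken the request, and in the `!mask && !apt.error` branch, where the iocb has just been added to `ctx->active_reqs` and `mask` is 0; in both cases this function would call `aio_poll_complete(aiocb, mask)` on a request whose completion belongs to the wakeup or cancel path. The final `else` branch (event present or error, "aiocb is ours to dispose of") leaves `async` false, so an immediately available event with no error is never reported. The condition should be `if (!async && !apt.error)`, so that only the immediate-event case completes here and the async cases just drop the extra reference through `iocb_put(aiocb)`.
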
> 

