All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH stable-5.10 1/1] io_uring: disable polling pollfree files
@ 2022-09-01 15:16 Pavel Begunkov
  2022-09-01 15:25 ` Pavel Begunkov
  0 siblings, 1 reply; 4+ messages in thread
From: Pavel Begunkov @ 2022-09-01 15:16 UTC (permalink / raw)
  To: stable; +Cc: Jens Axboe, asml.silence

Older kernels lack io_uring POLLFREE handling. As only affected files
are signalfd and android binder the safest option would be to disable
polling those files via io_uring and hope there are no users.

Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
---
 drivers/android/binder.c | 1 +
 fs/io_uring.c            | 5 +++++
 fs/signalfd.c            | 1 +
 include/linux/fs.h       | 1 +
 4 files changed, 8 insertions(+)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 366b12405708..a5d5247c4f3e 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -6069,6 +6069,7 @@ const struct file_operations binder_fops = {
 	.open = binder_open,
 	.flush = binder_flush,
 	.release = binder_release,
+	.may_pollfree = true,
 };
 
 static int __init init_binder_device(const char *name)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index a952288b2ab8..9654b60a06a5 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -5198,6 +5198,11 @@ static __poll_t __io_arm_poll_handler(struct io_kiocb *req,
 	struct io_ring_ctx *ctx = req->ctx;
 	bool cancel = false;
 
+	if (req->file->f_op->may_pollfree) {
+		spin_lock_irq(&ctx->completion_lock);
+		return -EOPNOTSUPP;
+	}
+
 	INIT_HLIST_NODE(&req->hash_node);
 	io_init_poll_iocb(poll, mask, wake_func);
 	poll->file = req->file;
diff --git a/fs/signalfd.c b/fs/signalfd.c
index b94fb5f81797..41dc597b78cc 100644
--- a/fs/signalfd.c
+++ b/fs/signalfd.c
@@ -248,6 +248,7 @@ static const struct file_operations signalfd_fops = {
 	.poll		= signalfd_poll,
 	.read		= signalfd_read,
 	.llseek		= noop_llseek,
+	.may_pollfree	= true,
 };
 
 static int do_signalfd4(int ufd, sigset_t *mask, int flags)
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 42d246a94228..c8f887641878 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1859,6 +1859,7 @@ struct file_operations {
 				   struct file *file_out, loff_t pos_out,
 				   loff_t len, unsigned int remap_flags);
 	int (*fadvise)(struct file *, loff_t, loff_t, int);
+	bool may_pollfree;
 } __randomize_layout;
 
 struct inode_operations {
-- 
2.37.2


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [PATCH stable-5.10 1/1] io_uring: disable polling pollfree files
  2022-09-01 15:16 [PATCH stable-5.10 1/1] io_uring: disable polling pollfree files Pavel Begunkov
@ 2022-09-01 15:25 ` Pavel Begunkov
  2022-09-02  6:13   ` Greg KH
  0 siblings, 1 reply; 4+ messages in thread
From: Pavel Begunkov @ 2022-09-01 15:25 UTC (permalink / raw)
  To: stable; +Cc: Jens Axboe

On 9/1/22 16:16, Pavel Begunkov wrote:
> Older kernels lack io_uring POLLFREE handling. As only affected files
> are signalfd and android binder the safest option would be to disable
> polling those files via io_uring and hope there are no users.

It differs from how it's fixed upstream, but IMHO porting is too
difficult to be reliable enough, this one is quick and simple.
The upstream fix:

commit 791f3465c4afde02d7f16cf7424ca87070b69396
Author: Pavel Begunkov <asml.silence@gmail.com>
Date:   Fri Jan 14 11:59:10 2022 +0000

     io_uring: fix UAF due to missing POLLFREE handling


I also forgot Fixes tag if required:

Fixes: 221c5eb233823 ("io_uring: add support for IORING_OP_POLL")


> Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
> ---
>   drivers/android/binder.c | 1 +
>   fs/io_uring.c            | 5 +++++
>   fs/signalfd.c            | 1 +
>   include/linux/fs.h       | 1 +
>   4 files changed, 8 insertions(+)
> 
> diff --git a/drivers/android/binder.c b/drivers/android/binder.c
> index 366b12405708..a5d5247c4f3e 100644
> --- a/drivers/android/binder.c
> +++ b/drivers/android/binder.c
> @@ -6069,6 +6069,7 @@ const struct file_operations binder_fops = {
>   	.open = binder_open,
>   	.flush = binder_flush,
>   	.release = binder_release,
> +	.may_pollfree = true,
>   };
>   
>   static int __init init_binder_device(const char *name)
> diff --git a/fs/io_uring.c b/fs/io_uring.c
> index a952288b2ab8..9654b60a06a5 100644
> --- a/fs/io_uring.c
> +++ b/fs/io_uring.c
> @@ -5198,6 +5198,11 @@ static __poll_t __io_arm_poll_handler(struct io_kiocb *req,
>   	struct io_ring_ctx *ctx = req->ctx;
>   	bool cancel = false;
>   
> +	if (req->file->f_op->may_pollfree) {
> +		spin_lock_irq(&ctx->completion_lock);
> +		return -EOPNOTSUPP;
> +	}
> +
>   	INIT_HLIST_NODE(&req->hash_node);
>   	io_init_poll_iocb(poll, mask, wake_func);
>   	poll->file = req->file;
> diff --git a/fs/signalfd.c b/fs/signalfd.c
> index b94fb5f81797..41dc597b78cc 100644
> --- a/fs/signalfd.c
> +++ b/fs/signalfd.c
> @@ -248,6 +248,7 @@ static const struct file_operations signalfd_fops = {
>   	.poll		= signalfd_poll,
>   	.read		= signalfd_read,
>   	.llseek		= noop_llseek,
> +	.may_pollfree	= true,
>   };
>   
>   static int do_signalfd4(int ufd, sigset_t *mask, int flags)
> diff --git a/include/linux/fs.h b/include/linux/fs.h
> index 42d246a94228..c8f887641878 100644
> --- a/include/linux/fs.h
> +++ b/include/linux/fs.h
> @@ -1859,6 +1859,7 @@ struct file_operations {
>   				   struct file *file_out, loff_t pos_out,
>   				   loff_t len, unsigned int remap_flags);
>   	int (*fadvise)(struct file *, loff_t, loff_t, int);
> +	bool may_pollfree;
>   } __randomize_layout;
>   
>   struct inode_operations {

-- 
Pavel Begunkov

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [PATCH stable-5.10 1/1] io_uring: disable polling pollfree files
  2022-09-01 15:25 ` Pavel Begunkov
@ 2022-09-02  6:13   ` Greg KH
  2022-09-02 10:38     ` Pavel Begunkov
  0 siblings, 1 reply; 4+ messages in thread
From: Greg KH @ 2022-09-02  6:13 UTC (permalink / raw)
  To: Pavel Begunkov; +Cc: stable, Jens Axboe

On Thu, Sep 01, 2022 at 04:25:46PM +0100, Pavel Begunkov wrote:
> On 9/1/22 16:16, Pavel Begunkov wrote:
> > Older kernels lack io_uring POLLFREE handling. As only affected files
> > are signalfd and android binder the safest option would be to disable
> > polling those files via io_uring and hope there are no users.
> 
> It differs from how it's fixed upstream, but IMHO porting is too
> difficult to be reliable enough, this one is quick and simple.
> The upstream fix:
> 
> commit 791f3465c4afde02d7f16cf7424ca87070b69396
> Author: Pavel Begunkov <asml.silence@gmail.com>
> Date:   Fri Jan 14 11:59:10 2022 +0000
> 
>     io_uring: fix UAF due to missing POLLFREE handling
> 
> 
> I also forgot Fixes tag if required:
> 
> Fixes: 221c5eb233823 ("io_uring: add support for IORING_OP_POLL")

I'll go add it by hand, all now queued up, thanks!

greg k-h

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [PATCH stable-5.10 1/1] io_uring: disable polling pollfree files
  2022-09-02  6:13   ` Greg KH
@ 2022-09-02 10:38     ` Pavel Begunkov
  0 siblings, 0 replies; 4+ messages in thread
From: Pavel Begunkov @ 2022-09-02 10:38 UTC (permalink / raw)
  To: Greg KH; +Cc: stable, Jens Axboe

On 9/2/22 07:13, Greg KH wrote:
> On Thu, Sep 01, 2022 at 04:25:46PM +0100, Pavel Begunkov wrote:
>> On 9/1/22 16:16, Pavel Begunkov wrote:
>>> Older kernels lack io_uring POLLFREE handling. As only affected files
>>> are signalfd and android binder the safest option would be to disable
>>> polling those files via io_uring and hope there are no users.
>>
>> It differs from how it's fixed upstream, but IMHO porting is too
>> difficult to be reliable enough, this one is quick and simple.
>> The upstream fix:
>>
>> commit 791f3465c4afde02d7f16cf7424ca87070b69396
>> Author: Pavel Begunkov <asml.silence@gmail.com>
>> Date:   Fri Jan 14 11:59:10 2022 +0000
>>
>>      io_uring: fix UAF due to missing POLLFREE handling
>>
>>
>> I also forgot Fixes tag if required:
>>
>> Fixes: 221c5eb233823 ("io_uring: add support for IORING_OP_POLL")
> 
> I'll go add it by hand, all now queued up, thanks!

Perfect, thanks greg

-- 
Pavel Begunkov

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-09-02 10:40 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-09-01 15:16 [PATCH stable-5.10 1/1] io_uring: disable polling pollfree files Pavel Begunkov
2022-09-01 15:25 ` Pavel Begunkov
2022-09-02  6:13   ` Greg KH
2022-09-02 10:38     ` Pavel Begunkov

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.