From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Linus Torvalds <torvalds@linux-foundation.org>,
Jan Kara <jack@suse.cz>
Subject: [PATCH 5.4 11/11] select: Fix indefinitely sleeping task in poll_schedule_timeout()
Date: Thu, 27 Jan 2022 19:09:12 +0100
Message-ID: <20220127180258.742791870@linuxfoundation.org>
In-Reply-To: <20220127180258.362000607@linuxfoundation.org>

From: Jan Kara <jack@suse.cz>

commit 68514dacf2715d11b91ca50d88de047c086fea9c upstream.

A task can end up indefinitely sleeping in do_select() ->
poll_schedule_timeout() when the following race happens:

  TASK1 (thread1)             TASK2                   TASK1 (thread2)
  do_select()
    setup poll_wqueues table
    with 'fd'
                              write data to 'fd'
                                pollwake()
                                  table->triggered = 1
                                                      closes 'fd' thread1 is
                                                        waiting for
    poll_schedule_timeout()
      - sees table->triggered
      table->triggered = 0
      return -EINTR
    loop back in do_select()

But at this point when TASK1 loops back, the fdget() in the setup of
poll_wqueues fails. So now we never find 'fd' is ready for reading
and sleep in poll_schedule_timeout() indefinitely.

Treat an fd that got closed as an fd on which some event happened. This
makes sure we cannot block indefinitely in do_select().

Another option would be to return -EBADF in this case but that has a
potential of subtly breaking applications that exercise this behavior
and it happens to work for them. So returning fd as active seems like a
safer choice.

Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/select.c | 63 +++++++++++++++++++++++++++++++-----------------------------
1 file changed, 33 insertions(+), 30 deletions(-)
--- a/fs/select.c
+++ b/fs/select.c
@@ -458,9 +458,11 @@ get_max:
return max;
}
-#define POLLIN_SET (EPOLLRDNORM | EPOLLRDBAND | EPOLLIN | EPOLLHUP | EPOLLERR)
-#define POLLOUT_SET (EPOLLWRBAND | EPOLLWRNORM | EPOLLOUT | EPOLLERR)
-#define POLLEX_SET (EPOLLPRI)
+#define POLLIN_SET (EPOLLRDNORM | EPOLLRDBAND | EPOLLIN | EPOLLHUP | EPOLLERR |\
+ EPOLLNVAL)
+#define POLLOUT_SET (EPOLLWRBAND | EPOLLWRNORM | EPOLLOUT | EPOLLERR |\
+ EPOLLNVAL)
+#define POLLEX_SET (EPOLLPRI | EPOLLNVAL)
static inline void wait_key_set(poll_table *wait, unsigned long in,
unsigned long out, unsigned long bit,
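Review bot: the three *_SET defines carry no comment saying why EPOLLNVAL is now part of every one of them, and the reason cannot be read off the defines. Because the result of `mask = vfs_poll(f.file, wait)` is tested against the same sets, an EPOLLNVAL returned by a file's poll method is now also reported as ready in whichever of in/out/ex the caller asked for, not only the closed-fd case from the changelog. A one-line comment above the defines stating that an invalid or closed fd is deliberately treated as an event on all requested sets would keep someone from trimming EPOLLNVAL out of one set later.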
@@ -527,6 +529,7 @@ static int do_select(int n, fd_set_bits
break;
if (!(bit & all_bits))
continue;
+ mask = EPOLLNVAL;
f = fdget(i);
if (f.file) {
wait_key_set(wait, in, out, bit,
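Review bot: `mask = EPOLLNVAL;` ahead of `f = fdget(i);` is a default that only survives when `f.file` is NULL, and nothing at the assignment says so. A short comment there, saying that a failed fdget() means the fd was closed under us and is reported as ready instead of being skipped, would make the intent readable without the commit message. The same comment could record that the caller gets a ready bit for an fd it can no longer use, since the changelog picked that over -EBADF on purpose.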
@@ -534,34 +537,34 @@ static int do_select(int n, fd_set_bits
mask = vfs_poll(f.file, wait);
fdput(f);
- if ((mask & POLLIN_SET) && (in & bit)) {
- res_in |= bit;
- retval++;
- wait->_qproc = NULL;
- }
- if ((mask & POLLOUT_SET) && (out & bit)) {
- res_out |= bit;
- retval++;
- wait->_qproc = NULL;
- }
- if ((mask & POLLEX_SET) && (ex & bit)) {
- res_ex |= bit;
- retval++;
- wait->_qproc = NULL;
- }
- /* got something, stop busy polling */
- if (retval) {
- can_busy_loop = false;
- busy_flag = 0;
-
- /*
- * only remember a returned
- * POLL_BUSY_LOOP if we asked for it
- */
- } else if (busy_flag & mask)
- can_busy_loop = true;
-
}
+ if ((mask & POLLIN_SET) && (in & bit)) {
+ res_in |= bit;
+ retval++;
+ wait->_qproc = NULL;
+ }
+ if ((mask & POLLOUT_SET) && (out & bit)) {
+ res_out |= bit;
+ retval++;
+ wait->_qproc = NULL;
+ }
+ if ((mask & POLLEX_SET) && (ex & bit)) {
+ res_ex |= bit;
+ retval++;
+ wait->_qproc = NULL;
+ }
+ /* got something, stop busy polling */
+ if (retval) {
+ can_busy_loop = false;
+ busy_flag = 0;
+
+ /*
+ * only remember a returned
+ * POLL_BUSY_LOOP if we asked for it
+ */
+ } else if (busy_flag & mask)
+ can_busy_loop = true;
+
}
if (res_in)
*rinp = res_in;
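Review bot: the block moved out of `if (f.file)` now runs on the failed-fdget() path as well, so `else if (busy_flag & mask)` can be reached with mask == EPOLLNVAL unless retval is non-zero. That is safe only because EPOLLNVAL sits in POLLIN_SET, POLLOUT_SET and POLLEX_SET at once: given the `bit & all_bits` check (assuming all_bits is the union of in, out and ex), at least one of the three tests fires and bumps retval. Please state that dependency in a comment next to the tests, and mention that `wait->_qproc = NULL` is now also set when the fd turned out to be closed.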