From: Eric Biggers <ebiggers@kernel.org>
To: Alexander Viro <viro@zeniv.linux.org.uk>,
	Benjamin LaHaise <bcrl@kvack.org>
Cc: linux-aio@kvack.org, linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org, Ramji Jiyani <ramjiyani@google.com>,
	Christoph Hellwig <hch@lst.de>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Oleg Nesterov <oleg@redhat.com>, Jens Axboe <axboe@kernel.dk>,
	Martijn Coenen <maco@android.com>,
	stable@vger.kernel.org
Subject: [PATCH v2 0/5] aio: fix use-after-free and missing wakeups
Date: Tue,  7 Dec 2021 01:57:21 -0800
Message-ID: <20211207095726.169766-1-ebiggers@kernel.org>

This series fixes two bugs in aio poll, and one issue with POLLFREE more
broadly.  This is intended to replace
"[PATCH v5] aio: Add support for the POLLFREE"
(https://lore.kernel.org/r/20211027011834.2497484-1-ramjiyani@google.com)
which has some bugs.

Careful review is appreciated; the aio poll code is very hard to work
with, and I don't know of an easy way to test it.  Suggestions of any
aio poll tests to run would be greatly appreciated.

Note, it looks like io_uring has the same bugs as aio poll.  I haven't
tried to fix io_uring.

This series applies to v5.16-rc4.

Changed v1 => v2:
  - Added wake_up_pollfree().
  - Various fixes to the aio poll fixes.
  - Improved some comments in aio poll.

Eric Biggers (5):
  wait: add wake_up_pollfree()
  binder: use wake_up_pollfree()
  signalfd: use wake_up_pollfree()
  aio: keep poll requests on waitqueue until completed
  aio: fix use-after-free due to missing POLLFREE handling

 drivers/android/binder.c        |  21 ++--
 fs/aio.c                        | 184 ++++++++++++++++++++++++++------
 fs/signalfd.c                   |  12 +--
 include/linux/wait.h            |  26 +++++
 include/uapi/asm-generic/poll.h |   2 +-
 kernel/sched/wait.c             |   7 ++
 6 files changed, 195 insertions(+), 57 deletions(-)

-- 
2.34.1


Thread overview: 10+ messages
2021-12-07  9:57 Eric Biggers [this message]
2021-12-07  9:57 ` [PATCH v2 1/5] wait: add wake_up_pollfree() Eric Biggers
2021-12-07  9:57 ` [PATCH v2 2/5] binder: use wake_up_pollfree() Eric Biggers
2021-12-07 19:11   ` Eric Biggers
2021-12-07  9:57 ` [PATCH v2 3/5] signalfd: " Eric Biggers
2021-12-07  9:57 ` [PATCH v2 4/5] aio: keep poll requests on waitqueue until completed Eric Biggers
2021-12-07  9:57 ` [PATCH v2 5/5] aio: fix use-after-free due to missing POLLFREE handling Eric Biggers
2021-12-07 11:17 ` [PATCH v2 0/5] aio: fix use-after-free and missing wakeups Christoph Hellwig
2021-12-07 19:10   ` Eric Biggers
2021-12-07 23:24 ` Linus Torvalds
