[v2,0/5] aio: fix use-after-free and missing wakeups

Message ID	20211207095726.169766-1-ebiggers@kernel.org
Headers	show Return-Path: <stable-owner@kernel.org> From: Eric Biggers <ebiggers@kernel.org> To: Alexander Viro <viro@zeniv.linux.org.uk>, Benjamin LaHaise <bcrl@kvack.org> Cc: linux-aio@kvack.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Ramji Jiyani <ramjiyani@google.com>, Christoph Hellwig <hch@lst.de>, Linus Torvalds <torvalds@linux-foundation.org>, Oleg Nesterov <oleg@redhat.com>, Jens Axboe <axboe@kernel.dk>, Martijn Coenen <maco@android.com>, stable@vger.kernel.org Subject: [PATCH v2 0/5] aio: fix use-after-free and missing wakeups Date: Tue, 7 Dec 2021 01:57:21 -0800 Message-Id: <20211207095726.169766-1-ebiggers@kernel.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	aio: fix use-after-free and missing wakeups \| expand [v2,0/5] aio: fix use-after-free and missing wakeups [v2,2/5] binder: use wake_up_pollfree() [v2,3/5] signalfd: use wake_up_pollfree()

Message ID

20211207095726.169766-1-ebiggers@kernel.org

Headers

From: Eric Biggers <ebiggers@kernel.org>
To: Alexander Viro <viro@zeniv.linux.org.uk>,
        Benjamin LaHaise <bcrl@kvack.org>
Cc: linux-aio@kvack.org, linux-fsdevel@vger.kernel.org,
        linux-kernel@vger.kernel.org, Ramji Jiyani <ramjiyani@google.com>,
        Christoph Hellwig <hch@lst.de>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Oleg Nesterov <oleg@redhat.com>, Jens Axboe <axboe@kernel.dk>,
        Martijn Coenen <maco@android.com>, stable@vger.kernel.org
Subject: [PATCH v2 0/5] aio: fix use-after-free and missing wakeups
Date: Tue,  7 Dec 2021 01:57:21 -0800
Message-Id: <20211207095726.169766-1-ebiggers@kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

aio: fix use-after-free and missing wakeups | expand

Message

Eric Biggers Dec. 7, 2021, 9:57 a.m. UTC

This series fixes two bugs in aio poll, and one issue with POLLFREE more
broadly.  This is intended to replace
"[PATCH v5] aio: Add support for the POLLFREE"
(https://lore.kernel.org/r/20211027011834.2497484-1-ramjiyani@google.com)
which has some bugs.

Careful review is appreciated; the aio poll code is very hard to work
with, and I don't know of an easy way to test it.  Suggestions of any
aio poll tests to run would be greatly appreciated.

Note, it looks like io_uring has the same bugs as aio poll.  I haven't
tried to fix io_uring.

This series applies to v5.16-rc4.

Changed v1 => v2:
  - Added wake_up_pollfree().
  - Various fixes to the aio poll fixes.
  - Improved some comments in aio poll.

Eric Biggers (5):
  wait: add wake_up_pollfree()
  binder: use wake_up_pollfree()
  signalfd: use wake_up_pollfree()
  aio: keep poll requests on waitqueue until completed
  aio: fix use-after-free due to missing POLLFREE handling

 drivers/android/binder.c        |  21 ++--
 fs/aio.c                        | 184 ++++++++++++++++++++++++++------
 fs/signalfd.c                   |  12 +--
 include/linux/wait.h            |  26 +++++
 include/uapi/asm-generic/poll.h |   2 +-
 kernel/sched/wait.c             |   7 ++
 6 files changed, 195 insertions(+), 57 deletions(-)