[v3,0/5] aio: fix use-after-free and missing wakeups

Message ID 20211209010455.42744-1-ebiggers@kernel.org

Message

Eric Biggers Dec. 9, 2021, 1:04 a.m. UTC
This series fixes two bugs in aio poll, and one issue with POLLFREE more
broadly.  This is intended to replace
"[PATCH v5] aio: Add support for the POLLFREE"
(https://lore.kernel.org/r/20211027011834.2497484-1-ramjiyani@google.com)
which has some bugs.

Careful review is appreciated; the aio poll code is very hard to work
with, and it doesn't appear to have many tests.  I've verified that it
passes the libaio test suite, which provides some coverage of poll.

Note, it looks like io_uring has the same bugs as aio poll.  I haven't
tried to fix io_uring.

This series applies to v5.16-rc4.

Changed v2 => v3:
  - Fixed a few commit messages and comments.
  - Mention that libaio test suite still passes.

Changed v1 => v2:
  - Added wake_up_pollfree().
  - Various fixes to the aio poll fixes.
  - Improved some comments in aio poll.

Eric Biggers (5):
  wait: add wake_up_pollfree()
  binder: use wake_up_pollfree()
  signalfd: use wake_up_pollfree()
  aio: keep poll requests on waitqueue until completed
  aio: fix use-after-free due to missing POLLFREE handling

 drivers/android/binder.c        |  21 ++--
 fs/aio.c                        | 184 ++++++++++++++++++++++++++------
 fs/signalfd.c                   |  12 +--
 include/linux/wait.h            |  26 +++++
 include/uapi/asm-generic/poll.h |   2 +-
 kernel/sched/wait.c             |   7 ++
 6 files changed, 195 insertions(+), 57 deletions(-)
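The contract the cover letter is about, modeled in userspace as an added example (this is not kernel code and not code from this series): a waitqueue owner such as signalfd or binder sends EPOLLHUP | POLLFREE to every waiter before freeing the object that embeds the queue, and each waiter must unlink its entry in response. A waiter that treats POLLFREE as just another bit leaves its entry linked into memory that is about to be freed, so the next unlink is a write-after-free, and the queue is still non-empty after the wakeup, which is the condition the WARN_ON_ONCE() in __wake_up_pollfree() reports. The list helpers imitate <linux/list.h>, wq_wake() imitates __wake_up(), and kfree() is replaced by a poison-and-quarantine stub so the dangling entry is detected rather than crashing the process; the EPOLLIN/EPOLLHUP/POLLFREE values are the uapi constants, every other name (owner, poll_req, run, model_kfree, points_into_freed) is this example's own, and aio's locking and the exact point at which a request leaves the queue are simplified to "the entry stays linked until a completion call".

```c
/*
 * Userspace model of the POLLFREE contract.  Added example, not kernel
 * code: the list helpers imitate <linux/list.h>, wq_wake() imitates
 * __wake_up(), wake_up_pollfree() imitates the helper this series adds,
 * and kfree() is replaced by a poison-and-quarantine stub so a dangling
 * waiter is detected instead of crashing.  Only the EPOLLIN/EPOLLHUP/
 * POLLFREE values come from the uapi headers; every other name is ours.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EPOLLIN  0x0001u
#define EPOLLHUP 0x0010u
#define POLLFREE 0x4000u

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

/* Intrusive circular list, as in the kernel: a node can unlink itself without knowing its head. */
struct list_node { struct list_node *next, *prev; };
static void list_init(struct list_node *n) { n->next = n->prev = n; }
static bool list_empty(const struct list_node *h) { return h->next == h; }
static void list_add(struct list_node *h, struct list_node *n)
{
	n->next = h->next; n->prev = h; h->next->prev = n; h->next = n;
}
static void list_del_init(struct list_node *n)
{
	n->prev->next = n->next; n->next->prev = n->prev; list_init(n);
}

struct wq_entry {
	struct list_node entry;
	void (*func)(struct wq_entry *wait, unsigned int mask);
};
struct wq_head { struct list_node head; };

/* Deliver a mask to every waiter; save next first, since a callback may unlink itself. */
static void wq_wake(struct wq_head *wq, unsigned int mask)
{
	struct list_node *pos = wq->head.next;
	while (pos != &wq->head) {
		struct list_node *next = pos->next;
		struct wq_entry *w = container_of(pos, struct wq_entry, entry);
		w->func(w, mask);
		pos = next;
	}
}

/* Returns true when every waiter unlinked itself; the kernel WARN_ON_ONCE()s when one did not. */
static bool wake_up_pollfree(struct wq_head *wq)
{
	if (!list_empty(&wq->head))
		wq_wake(wq, EPOLLHUP | POLLFREE);
	return list_empty(&wq->head);
}

/* Quarantine stand-in for kfree(): poison the object, never reuse it, remember its range. */
#define MAX_FREED 32
static struct { const char *start; size_t len; } freed[MAX_FREED];
static int nfreed;
static void model_kfree(void *p, size_t len)
{
	memset(p, 0x6b, len);
	if (nfreed < MAX_FREED) { freed[nfreed].start = p; freed[nfreed].len = len; nfreed++; }
}
static bool points_into_freed(const void *p)
{
	for (int i = 0; i < nfreed; i++)
		if ((const char *)p >= freed[i].start && (const char *)p < freed[i].start + freed[i].len)
			return true;
	return false;
}

/* Owner side (signalfd, binder): an object that embeds the waitqueue and will be freed. */
struct owner { struct wq_head wq; int state; };

/* Waiter side (aio poll): a request whose entry stays on the queue until a completion call. */
struct poll_req {
	struct wq_entry wait;
	unsigned int events, result;
	bool done;
};

/* Before the fix: POLLFREE is just another bit, so the entry stays linked into memory about to go away. */
static void poll_wake_ignoring_pollfree(struct wq_entry *wait, unsigned int mask)
{
	struct poll_req *req = container_of(wait, struct poll_req, wait);
	if (mask & req->events) { req->result = mask & req->events; req->done = true; }
}

/* After the fix: on POLLFREE, unlink now and complete with EPOLLHUP, since no further events can arrive. */
static void poll_wake_handling_pollfree(struct wq_entry *wait, unsigned int mask)
{
	struct poll_req *req = container_of(wait, struct poll_req, wait);
	if (mask & POLLFREE) {
		list_del_init(&wait->entry);
		req->result = EPOLLHUP;
		req->done = true;
		return;
	}
	if (mask & req->events) { req->result = mask & req->events; req->done = true; }
}

struct outcome { bool queue_empty_after_pollfree, complete_safe; unsigned int result; };

/* The owner tears down its queue while one request is armed, then the request is completed. */
static struct outcome run(bool handle_pollfree)
{
	struct owner *o = calloc(1, sizeof *o);
	struct poll_req req = { .events = EPOLLIN,
		.wait.func = handle_pollfree ? poll_wake_handling_pollfree : poll_wake_ignoring_pollfree };
	struct outcome out = { 0 };

	list_init(&o->wq.head);
	list_init(&req.wait.entry);
	list_add(&o->wq.head, &req.wait.entry);

	out.queue_empty_after_pollfree = wake_up_pollfree(&o->wq);
	model_kfree(o, sizeof *o);	/* the waitqueue head no longer exists */

	/* Completion unlinks the entry; on a dangling entry that is a write into freed memory. */
	out.complete_safe = !points_into_freed(req.wait.entry.next) &&
			    !points_into_freed(req.wait.entry.prev);
	if (out.complete_safe)
		list_del_init(&req.wait.entry);
	out.result = req.result;
	return out;
}

int main(void)
{
	struct outcome bad = run(false), good = run(true);
	printf("ignore POLLFREE: queue empty=%d, completion safe=%d, result=0x%x\n",
	       bad.queue_empty_after_pollfree, bad.complete_safe, bad.result);
	printf("handle POLLFREE: queue empty=%d, completion safe=%d, result=0x%x\n",
	       good.queue_empty_after_pollfree, good.complete_safe, good.result);
	return 0;
}
```

Build with `cc -std=c99 -Wall pollfree_model.c`. The ignoring variant leaves the queue non-empty after wake_up_pollfree() (the kernel's warning condition) and its later completion would write into the quarantined object; the handling variant empties the queue during the wakeup and completes with EPOLLHUP. The same dangling-entry detection is what KASAN does for the real kernel, which is how syzbot reports this class of bug.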

Comments

Eric Biggers Dec. 13, 2021, 5:24 p.m. UTC | #1
On Mon, Dec 13, 2021 at 08:23:39AM +0100, Christoph Hellwig wrote:
> On Thu, Dec 09, 2021 at 10:37:28AM -0800, Eric Biggers wrote:
> > I was hoping that Al would review and apply these, given that he's listed as the
> > maintainer for this file, and he's worked on this code before.  I was also
> > hoping for review from Christoph, since he added IOCB_CMD_POLL originally.  But
> 
> I was planning to get to it,  but it seems like it got merged over this
> weekend?

There weren't any indications that anyone else was going to review it, and it
wasn't appropriate to wait any longer.  If you'd still like to review it, please
do so; if you find any problem I'll fix it in a follow-on fix.

- Eric
Eric Biggers Jan. 5, 2022, 3:26 p.m. UTC | #2
On Thu, Dec 09, 2021 at 02:46:45PM -0700, Jens Axboe wrote:
> On 12/9/21 11:00 AM, Linus Torvalds wrote:
> > On Wed, Dec 8, 2021 at 5:06 PM Eric Biggers <ebiggers@kernel.org> wrote:
> >>
> >> Careful review is appreciated; the aio poll code is very hard to work
> >> with, and it doesn't appear to have many tests.  I've verified that it
> >> passes the libaio test suite, which provides some coverage of poll.
> >>
> >> Note, it looks like io_uring has the same bugs as aio poll.  I haven't
> >> tried to fix io_uring.
> > 
> > I'm hoping Jens is looking at the io_uring case, but I'm also assuming
> > that I'll just get a pull request for this at some point.
> 
> Yes, when I saw this original posting I did discuss it with Pavel as
> well, and we agree that the same issue exists there. Which isn't too
> surprising, as that's where the io_uring poll code came from originally.
> 

Jens, any update on fixing the io_uring version of the bug?  Note, syzbot has
managed to use io_uring poll to hit the WARN_ON_ONCE() that I added in
__wake_up_pollfree(), which proves that it is broken.

- Eric
Jens Axboe Jan. 5, 2022, 4:11 p.m. UTC | #3
On 1/5/22 7:26 AM, Eric Biggers wrote:
> On Thu, Dec 09, 2021 at 02:46:45PM -0700, Jens Axboe wrote:
>> On 12/9/21 11:00 AM, Linus Torvalds wrote:
>>> On Wed, Dec 8, 2021 at 5:06 PM Eric Biggers <ebiggers@kernel.org> wrote:
>>>>
>>>> Careful review is appreciated; the aio poll code is very hard to work
>>>> with, and it doesn't appear to have many tests.  I've verified that it
>>>> passes the libaio test suite, which provides some coverage of poll.
>>>>
>>>> Note, it looks like io_uring has the same bugs as aio poll.  I haven't
>>>> tried to fix io_uring.
>>>
>>> I'm hoping Jens is looking at the io_uring case, but I'm also assuming
>>> that I'll just get a pull request for this at some point.
>>
>> Yes, when I saw this original posting I did discuss it with Pavel as
>> well, and we agree that the same issue exists there. Which isn't too
>> surprising, as that's where the io_uring poll code came from originally.
>>
> 
> Jens, any update on fixing the io_uring version of the bug?  Note,
> syzbot has managed to use io_uring poll to hit the WARN_ON_ONCE() that
> I added in __wake_up_pollfree(), which proves that it is broken.

There are two parts to this, first part is queued up for 5.17 for a few
weeks. Work in progress...