[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 5 May 2024 20:01:32 +0000
From: David Laight <David.Laight@...LAB.COM>
To: 'Linus Torvalds' <torvalds@...ux-foundation.org>
CC: "axboe@...nel.dk" <axboe@...nel.dk>, "brauner@...nel.org"
<brauner@...nel.org>, "christian.koenig@....com" <christian.koenig@....com>,
"dri-devel@...ts.freedesktop.org" <dri-devel@...ts.freedesktop.org>,
"io-uring@...r.kernel.org" <io-uring@...r.kernel.org>, "jack@...e.cz"
<jack@...e.cz>, "keescook@...omium.org" <keescook@...omium.org>,
"laura@...bott.name" <laura@...bott.name>, "linaro-mm-sig@...ts.linaro.org"
<linaro-mm-sig@...ts.linaro.org>, "linux-fsdevel@...r.kernel.org"
<linux-fsdevel@...r.kernel.org>, "linux-kernel@...r.kernel.org"
<linux-kernel@...r.kernel.org>, "linux-media@...r.kernel.org"
<linux-media@...r.kernel.org>, "minhquangbui99@...il.com"
<minhquangbui99@...il.com>, "sumit.semwal@...aro.org"
<sumit.semwal@...aro.org>,
"syzbot+045b454ab35fd82a35fb@...kaller.appspotmail.com"
<syzbot+045b454ab35fd82a35fb@...kaller.appspotmail.com>,
"syzkaller-bugs@...glegroups.com" <syzkaller-bugs@...glegroups.com>,
"viro@...iv.linux.org.uk" <viro@...iv.linux.org.uk>
Subject: RE: [PATCH v2] epoll: be better about file lifetimes
From: Linus Torvalds
> Sent: 05 May 2024 18:56
>
> epoll can call out to vfs_poll() with a file pointer that may race with
> the last 'fput()'. That would make f_count go down to zero, and while
> the ep->mtx locking means that the resulting file pointer tear-down will
> be blocked until the poll returns, it means that f_count is already
> dead, and any use of it won't actually get a reference to the file any
> more: it's dead regardless.
>
> Make sure we have a valid ref on the file pointer before we call down to
> vfs_poll() from the epoll routines.
How much is the extra pair of atomics going to hurt performance?
IIRC a lot of work was done to (try to) make epoll lockless.
Perhaps the 'hook' into epoll (usually) from sys_close should be
done before any of the references are removed?
(Which is different from Q6/A6 in man epoll - but that seems to be
documenting a bug!)
Then the ->poll() callback can't happen (assuming it is properly
locked) after the ->release() one.
It seems better to add extra atomics to the close/final-fput path
rather than ever ->poll() call epoll makes.
I can get extra references to a driver by dup() open("/dev/fd/n")
and mmap() - but epoll is definitely fd based.
(Which may be why it has the fd number in its data.)
Is there another race between EPOLL_CTL_ADD and close() (from a
different thread)?
David
-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
Powered by blists - more mailing lists