lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 12 Mar 2019 20:18:01 +0100 From: Christoph Hellwig <hch@....de> To: Al Viro <viro@...iv.linux.org.uk> Cc: Christoph Hellwig <hch@....de>, Linus Torvalds <torvalds@...ux-foundation.org>, Eric Dumazet <eric.dumazet@...il.com>, David Miller <davem@...emloft.net>, Jason Baron <jbaron@...mai.com>, kgraul@...ux.ibm.com, ktkhai@...tuozzo.com, kyeongdon.kim@....com, Linux List Kernel Mailing <linux-kernel@...r.kernel.org>, Netdev <netdev@...r.kernel.org>, pabeni@...hat.com, syzkaller-bugs@...glegroups.com, xiyou.wangcong@...il.com, zhengbin <zhengbin13@...wei.com>, bcrl@...ck.org, linux-fsdevel@...r.kernel.org, linux-aio@...ck.org, houtao1@...wei.com, yi.zhang@...wei.com Subject: Re: [PATCH 4/8] Fix aio_poll() races On Mon, Mar 11, 2019 at 09:06:18PM +0000, Al Viro wrote: > On Mon, Mar 11, 2019 at 08:58:31PM +0100, Christoph Hellwig wrote: > > Where do we put the second iocb reference in case we return from > > vfs_poll without ever being woken? > > Depends. If mask is non-zero (i.e. vfs_poll() has returned something > we care about) and it has never been woken, we steal it and drop the > reference ourselves. If it is zero and we see that ->poll() has tried > to put it on two queues, we steal it (again, assuming it's not on > waitqueue and _can_ be stolen) and return -EINVAL. In that case > __io_submit_one() (or, by the end of the series, io_submit_one()) > will call iocb_destroy(). And in the normal waiting case (nothing > interesting reported and no errors) it will end up on the list of > cancellables. Then it either will get completed by later wakeup, which > will drop the reference, or it will get eventually cancelled, which will > hit the same aio_poll_complete_work() and drop the reference... Ok, seems like the logic is sane. I was missing how the actual mask logic worked in aio_poll(). > > Also it seems like the complete code would still benefit from a little > > helper, something like: > > Umm... Not sure I like the name (something like aio_poll_done() seems > to be better), but other than that - no problem. I don't care about the name. Feel free to change it to whatever suits you.
Powered by blists - more mailing lists