github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-06 05:27:07 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph
Linux kernel source tree
979,403 Commits 1 Branch 933 Tags 20 GiB
C 97%
Assembly 1%
Shell 0.6%
Rust 0.5%
Python 0.4%
Other 0.3%
47ffefd88a
Go to file
Eric Biggers 47ffefd88a aio: fix use-after-free due to missing POLLFREE handling 
commit 50252e4b5e upstream.

signalfd_poll() and binder_poll() are special in that they use a
waitqueue whose lifetime is the current task, rather than the struct
file as is normally the case.  This is okay for blocking polls, since a
blocking poll occurs within one task; however, non-blocking polls
require another solution.  This solution is for the queue to be cleared
before it is freed, by sending a POLLFREE notification to all waiters.

Unfortunately, only eventpoll handles POLLFREE.  A second type of
non-blocking poll, aio poll, was added in kernel v4.18, and it doesn't
handle POLLFREE.  This allows a use-after-free to occur if a signalfd or
binder fd is polled with aio poll, and the waitqueue gets freed.

Fix this by making aio poll handle POLLFREE.

A patch by Ramji Jiyani <ramjiyani@google.com>
(https://lore.kernel.org/r/20211027011834.2497484-1-ramjiyani@google.com)
tried to do this by making aio_poll_wake() always complete the request
inline if POLLFREE is seen.  However, that solution had two bugs.
First, it introduced a deadlock, as it unconditionally locked the aio
context while holding the waitqueue lock, which inverts the normal
locking order.  Second, it didn't consider that POLLFREE notifications
are missed while the request has been temporarily de-queued.

The second problem was solved by my previous patch.  This patch then
properly fixes the use-after-free by handling POLLFREE in a
deadlock-free way.  It does this by taking advantage of the fact that
freeing of the waitqueue is RCU-delayed, similar to what eventpoll does.

Fixes: 2c14fa838c ("aio: implement IOCB_CMD_POLL")
Cc: <stable@vger.kernel.org> # v4.18+
Link: https://lore.kernel.org/r/20211209010455.42744-6-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-12-14 11:32:40 +01:00
arch KVM: x86: Wait for IPIs to be delivered when handling Hyper-V TLB flush hypercall 2021-12-14 11:32:37 +01:00
block block: Check ADMIN before NICE for IOPRIO_CLASS_RT 2021-11-26 10:39:19 +01:00
certs certs: Trigger creation of RSA module signing key if it's not an RSA key 2021-09-15 09:50:29 +02:00
crypto crypto: pcrypt - Delay write to padata->info 2021-11-18 14:04:12 +01:00
Documentation netfilter: ipvs: Fix reuse connection if RS weight is 0 2021-12-01 09:19:02 +01:00
drivers binder: use wake_up_pollfree() 2021-12-14 11:32:40 +01:00
fs aio: fix use-after-free due to missing POLLFREE handling 2021-12-14 11:32:40 +01:00
include aio: fix use-after-free due to missing POLLFREE handling 2021-12-14 11:32:40 +01:00
init bootconfig: init: Fix memblock leak in xbc_make_cmdline() 2021-11-21 13:46:35 +01:00
ipc shm: extend forced shm destroy to support objects from several IPC nses 2021-12-01 09:19:10 +01:00
kernel wait: add wake_up_pollfree() 2021-12-14 11:32:39 +01:00
lib siphash: use _unaligned version by default 2021-12-08 09:03:23 +01:00
LICENSES LICENSES/deprecated: add Zlib license text 2020-09-16 14:33:49 +02:00
mm mm: bdi: initialize bdi_min_ratio when bdi is unregistered 2021-12-14 11:32:37 +01:00
net net/sched: fq_pie: prevent dismantle issue 2021-12-14 11:32:37 +01:00
samples samples/kretprobes: Fix return value if register_kretprobe() failed 2021-11-18 14:04:11 +01:00
scripts gcc-plugins: fix gcc 11 indigestion with plugins... 2021-12-14 11:32:33 +01:00
security selinux: fix NULL-pointer dereference when hashtab allocation fails 2021-11-26 10:39:21 +01:00
sound ALSA: pcm: oss: Handle missing errors in snd_pcm_oss_change_params*() 2021-12-14 11:32:38 +01:00
tools bpf: Fix the off-by-two error in range markings 2021-12-14 11:32:36 +01:00
usr Merge branch 'work.fdpic' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2020-08-07 13:29:39 -07:00
virt KVM: Disallow user memslot with size that exceeds "unsigned long" 2021-12-08 09:03:21 +01:00
.clang-format RDMA 5.10 pull request 2020-10-17 11:18:18 -07:00
.cocciconfig
.get_maintainer.ignore Opt out of scripts/get_maintainer.pl 2019-05-16 10:53:40 -07:00
.gitattributes .gitattributes: use 'dts' diff driver for dts files 2019-12-04 19:44:11 -08:00
.gitignore kbuild: generate Module.symvers only when vmlinux exists 2021-05-19 10:12:59 +02:00
.mailmap mailmap: add two more addresses of Uwe Kleine-König 2020-12-06 10:19:07 -08:00
COPYING COPYING: state that all contributions really are covered by this file 2020-02-10 13:32:20 -08:00
CREDITS MAINTAINERS: Move Jason Cooper to CREDITS 2020-11-30 10:20:34 +01:00
Kbuild kbuild: rename hostprogs-y/always to hostprogs/always-y 2020-02-04 01:53:07 +09:00
Kconfig kbuild: ensure full rebuild when the compiler is updated 2020-05-12 13:28:33 +09:00
MAINTAINERS f2fs: move ioctl interface definitions to separated file 2021-05-19 10:13:00 +02:00
Makefile Linux 5.10.84 2021-12-08 09:03:30 +01:00
README Drop all 00-INDEX files from Documentation/ 2018-09-09 15:08:58 -06:00

README 

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.