On Wed, Oct 27, 2021 at 01:18:34AM +0000, Ramji Jiyani wrote:
> Add support for the POLLFREE flag to force complete iocb inline in
> aio_poll_wake(). A thread may use it to signal its exit and/or request
> to clean up while a poll request is pending. In this case, aio_poll_wake()
> needs to make sure it doesn't keep any reference to the queue entry
> before returning from wake to avoid a possible use after free via the
> poll_cancel() path.
>
> A UAF issue was found during binder and aio interactions in a certain
> sequence of events [1].
>
> The POLLFREE flag is no longer exclusive to epoll and is being
> shared with aio. Remove the comment from poll.h to avoid confusion.
>
> [1] https://lore.kernel.org/r/CAKUd0B_TCXRY4h1hTztfwWbNSFQqsudDLn2S_28csgWZmZAG3Q@xxxxxxxxxxxxxx/
>
> Fixes: af5c72b1fc7a ("Fix aio_poll() races")
> Signed-off-by: Ramji Jiyani <ramjiyani@xxxxxxxxxx>
> Reviewed-by: Jeff Moyer <jmoyer@xxxxxxxxxx>
> Reviewed-by: Christoph Hellwig <hch@xxxxxx>
> Cc: stable@xxxxxxxxxxxxxxx # 4.19+
> ---

Looks good, feel free to add:

Reviewed-by: Eric Biggers <ebiggers@xxxxxxxxxx>

I'm still not 100% happy with the commit message, but it's good enough.
The actual code looks correct.

Who is going to take this patch? This is an important fix; it shouldn't
be sitting ignored for months. get_maintainer.pl shows:

$ ./scripts/get_maintainer.pl fs/aio.c
Benjamin LaHaise <bcrl@xxxxxxxxx> (supporter:AIO)
Alexander Viro <viro@xxxxxxxxxxxxxxxxxx> (maintainer:FILESYSTEMS (VFS and infrastructure))
linux-aio@xxxxxxxxx (open list:AIO)
linux-fsdevel@xxxxxxxxxxxxxxx (open list:FILESYSTEMS (VFS and infrastructure))
linux-kernel@xxxxxxxxxxxxxxx (open list)

- Eric