Merge patch series "poll_wait: add mb() to fix theoretical race between waitqueue_active() and .poll()"

Oleg Nesterov <oleg@redhat.com> says: The waitqueue_active() helper can only be used if both waker and waiter have memory barriers that pair with each other. But __pollwait() is broken in this respect. Fix it. * patches from https://lore.kernel.org/r/20250107162649.GA18886@redhat.com: poll: kill poll_does_not_wait() sock_poll_wait: kill the no longer necessary barrier after poll_wait() io_uring_poll: kill the no longer necessary barrier after poll_wait() poll_wait: kill the obsolete wait_address check poll_wait: add mb() to fix theoretical race between waitqueue_active() and .poll() Link: https://lore.kernel.org/r/20250107162649.GA18886@redhat.com Signed-off-by: Christian Brauner <brauner@kernel.org>
2025-01-15 01:24:33 +00:00 · 2025-01-10 11:59:08 +01:00 · 2025-01-10 11:59:08 +01:00 · 67cd2e23c0
commit 67cd2e23c0
parent 40384c840e f005bf18a5
3 changed files with 23 additions and 29 deletions
--- a/include/linux/poll.h
+++ b/include/linux/poll.h
@ -25,14 +25,14 @@

 struct poll_table_struct;

-/* 
+/*
 * structures and helpers for f_op->poll implementations
 */
 typedef void (*poll_queue_proc)(struct file *, wait_queue_head_t *, struct poll_table_struct *);

 /*
- * Do not touch the structure directly, use the access functions
- * poll_does_not_wait() and poll_requested_events() instead.
+ * Do not touch the structure directly, use the access function
+ * poll_requested_events() instead.
 */
 typedef struct poll_table_struct {
 	poll_queue_proc _qproc;
@ -41,18 +41,16 @@ typedef struct poll_table_struct {

 static inline void poll_wait(struct file * filp, wait_queue_head_t * wait_address, poll_table *p)
 {
-	if (p && p->_qproc && wait_address)
+	if (p && p->_qproc) {
 		p->_qproc(filp, wait_address, p);
-}
-
-/*
- * Return true if it is guaranteed that poll will not wait. This is the case
- * if the poll() of another file descriptor in the set got an event, so there
- * is no need for waiting.
- */
-static inline bool poll_does_not_wait(const poll_table *p)
-{
-	return p == NULL || p->_qproc == NULL;
+		/*
+		 * This memory barrier is paired in the wq_has_sleeper().
+		 * See the comment above prepare_to_wait(), we need to
+		 * ensure that subsequent tests in this thread can't be
+		 * reordered with __add_wait_queue() in _qproc() paths.
+		 */
+		smp_mb();
+	}
 }

 /*
--- a/include/net/sock.h
+++ b/include/net/sock.h
@ -2291,7 +2291,7 @@ static inline bool skwq_has_sleeper(struct socket_wq *wq)
 }

 /**
- * sock_poll_wait - place memory barrier behind the poll_wait call.
+ * sock_poll_wait - wrapper for the poll_wait call.
 * @filp:           file
 * @sock:           socket to wait on
 * @p:              poll_table
@ -2301,15 +2301,12 @@ static inline bool skwq_has_sleeper(struct socket_wq *wq)
 static inline void sock_poll_wait(struct file *filp, struct socket *sock,
 				  poll_table *p)
 {
-	if (!poll_does_not_wait(p)) {
-		poll_wait(filp, &sock->wq.wait, p);
-		/* We need to be sure we are in sync with the
-		 * socket flags modification.
-		 *
-		 * This memory barrier is paired in the wq_has_sleeper.
-		 */
-		smp_mb();
-	}
+	/* Provides a barrier we need to be sure we are in sync
+	 * with the socket flags modification.
+	 *
+	 * This memory barrier is paired in the wq_has_sleeper.
+	 */
+	poll_wait(filp, &sock->wq.wait, p);
 }

 static inline void skb_set_hash_from_sk(struct sk_buff *skb, struct sock *sk)
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@ -2809,13 +2809,12 @@ static __poll_t io_uring_poll(struct file *file, poll_table *wait)

 	if (unlikely(!ctx->poll_activated))
 		io_activate_pollwq(ctx);
-
-	poll_wait(file, &ctx->poll_wq, wait);
 	/*
-	 * synchronizes with barrier from wq_has_sleeper call in
-	 * io_commit_cqring
+	 * provides mb() which pairs with barrier from wq_has_sleeper
+	 * call in io_commit_cqring
 	 */
-	smp_rmb();
+	poll_wait(file, &ctx->poll_wq, wait);
+
 	if (!io_sqring_full(ctx))
 		mask |= EPOLLOUT | EPOLLWRNORM;