diff options
author | David Howells <dhowells@redhat.com> | 2022-03-11 16:24:36 +0300 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2022-03-16 16:23:44 +0300 |
commit | eb38c2e9fc740b5218dc94d2a6f43802d49e811c (patch) | |
tree | eeae4b3150ec47f259f078820073e51d01e741e2 /fs/pipe.c | |
parent | 82ff8a2243f79072178f6a741bdead88e0b0c324 (diff) | |
download | linux-eb38c2e9fc740b5218dc94d2a6f43802d49e811c.tar.xz |
watch_queue: Fix lack of barrier/sync/lock between post and read
commit 2ed147f015af2b48f41c6f0b6746aa9ea85c19f3 upstream.
There's nothing to synchronise post_one_notification() versus
pipe_read(). Whilst posting is done under pipe->rd_wait.lock, the
reader only takes pipe->mutex which cannot bar notification posting as
that may need to be made from contexts that cannot sleep.
Fix this by setting pipe->head with a barrier in post_one_notification()
and reading pipe->head with a barrier in pipe_read().
If that's not sufficient, the rd_wait.lock will need to be taken,
possibly in a ->confirm() op so that it only applies to notifications.
The lock would, however, have to be dropped before copy_page_to_iter()
is invoked.
Fixes: c73be61cede5 ("pipe: Add general notification queue support")
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'fs/pipe.c')
-rw-r--r-- | fs/pipe.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/fs/pipe.c b/fs/pipe.c index 8b0f6979fb49..751d5b36c84b 100644 --- a/fs/pipe.c +++ b/fs/pipe.c @@ -252,7 +252,8 @@ pipe_read(struct kiocb *iocb, struct iov_iter *to) */ was_full = pipe_full(pipe->head, pipe->tail, pipe->max_usage); for (;;) { - unsigned int head = pipe->head; + /* Read ->head with a barrier vs post_one_notification() */ + unsigned int head = smp_load_acquire(&pipe->head); unsigned int tail = pipe->tail; unsigned int mask = pipe->ring_size - 1; |