    io_uring: fix double free in case of fileset registration failure · 25adf50f
    Committed by Jens Axboe
    Will Deacon reported the following KASAN complaint:
    
    [  149.890370] ==================================================================
    [  149.891266] BUG: KASAN: double-free or invalid-free in io_sqe_files_unregister+0xa8/0x140
    [  149.892218]
    [  149.892411] CPU: 113 PID: 3974 Comm: io_uring_regist Tainted: G    B             5.1.0-rc3-00012-g40b114779944 #3
    [  149.893623] Hardware name: linux,dummy-virt (DT)
    [  149.894169] Call trace:
    [  149.894539]  dump_backtrace+0x0/0x228
    [  149.895172]  show_stack+0x14/0x20
    [  149.895747]  dump_stack+0xe8/0x124
    [  149.896335]  print_address_description+0x60/0x258
    [  149.897148]  kasan_report_invalid_free+0x78/0xb8
    [  149.897936]  __kasan_slab_free+0x1fc/0x228
    [  149.898641]  kasan_slab_free+0x10/0x18
    [  149.899283]  kfree+0x70/0x1f8
    [  149.899798]  io_sqe_files_unregister+0xa8/0x140
    [  149.900574]  io_ring_ctx_wait_and_kill+0x190/0x3c0
    [  149.901402]  io_uring_release+0x2c/0x48
    [  149.902068]  __fput+0x18c/0x510
    [  149.902612]  ____fput+0xc/0x18
    [  149.903146]  task_work_run+0xf0/0x148
    [  149.903778]  do_notify_resume+0x554/0x748
    [  149.904467]  work_pending+0x8/0x10
    [  149.905060]
    [  149.905331] Allocated by task 3974:
    [  149.905934]  __kasan_kmalloc.isra.0.part.1+0x48/0xf8
    [  149.906786]  __kasan_kmalloc.isra.0+0xb8/0xd8
    [  149.907531]  kasan_kmalloc+0xc/0x18
    [  149.908134]  __kmalloc+0x168/0x248
    [  149.908724]  __arm64_sys_io_uring_register+0x2b8/0x15a8
    [  149.909622]  el0_svc_common+0x100/0x258
    [  149.910281]  el0_svc_handler+0x48/0xc0
    [  149.910928]  el0_svc+0x8/0xc
    [  149.911425]
    [  149.911696] Freed by task 3974:
    [  149.912242]  __kasan_slab_free+0x114/0x228
    [  149.912955]  kasan_slab_free+0x10/0x18
    [  149.913602]  kfree+0x70/0x1f8
    [  149.914118]  __arm64_sys_io_uring_register+0xc2c/0x15a8
    [  149.915009]  el0_svc_common+0x100/0x258
    [  149.915670]  el0_svc_handler+0x48/0xc0
    [  149.916317]  el0_svc+0x8/0xc
    [  149.916817]
    [  149.917101] The buggy address belongs to the object at ffff8004ce07ed00
    [  149.917101]  which belongs to the cache kmalloc-128 of size 128
    [  149.919197] The buggy address is located 0 bytes inside of
    [  149.919197]  128-byte region [ffff8004ce07ed00, ffff8004ce07ed80)
    [  149.921142] The buggy address belongs to the page:
    [  149.921953] page:ffff7e0013381f00 count:1 mapcount:0 mapping:ffff800503417c00 index:0x0 compound_mapcount: 0
    [  149.923595] flags: 0x1ffff00000010200(slab|head)
    [  149.924388] raw: 1ffff00000010200 dead000000000100 dead000000000200 ffff800503417c00
    [  149.925706] raw: 0000000000000000 0000000080400040 00000001ffffffff 0000000000000000
    [  149.927011] page dumped because: kasan: bad access detected
    [  149.927956]
    [  149.928224] Memory state around the buggy address:
    [  149.929054]  ffff8004ce07ec00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
    [  149.930274]  ffff8004ce07ec80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
    [  149.931494] >ffff8004ce07ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    [  149.932712]                    ^
    [  149.933281]  ffff8004ce07ed80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
    [  149.934508]  ffff8004ce07ee00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
    [  149.935725] ==================================================================
    
    which is due to a failure in registering a fileset. This frees the
    ctx->user_files pointer, but doesn't clear it. When the io_uring
    instance is later freed through the normal channels, we free this
    pointer again. At this point it's invalid.
    
    Ensure we clear the pointer when we free it for the error case.
    Reported-by: Will Deacon <will.deacon@arm.com>
    Tested-by: Will Deacon <will.deacon@arm.com>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
Changed file: io_uring.c (69.2 KB)
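The commit message describes the classic shape of a double free: an error path releases a buffer owned by a longer-lived object but leaves the owner's pointer dangling, so the object's normal teardown, which treats a non-NULL pointer as "still allocated", frees it a second time. In the KASAN report above the shadow bytes `fb` under the caret mark memory that was already freed, and the `fc` bytes around it are the slab redzone, which is how KASAN knows the second kfree() targets a dead object. The following userspace model is an added example, not kernel code and not the patch itself: the struct, `shim_kmalloc`/`shim_kfree` tracker, `files_register`, `files_unregister` and `run_scenario` are all hypothetical stand-ins for the `ctx->user_files` bookkeeping and the io_sqe_files_register / io_sqe_files_unregister pair named in the trace. The tracker counts frees per pointer so the bug is observable without KASAN; the `clear_on_error` flag switches between the buggy path and the fix (set the pointer to NULL right after freeing it, so the later kfree() is a no-op).

```c
/* Double free of ctx->user_files: a userspace model of the io_uring bug
 * and its fix. Stand-alone example, not kernel code. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <errno.h>

struct ring_ctx {
    void **user_files;        /* fileset table, NULL when nothing is registered */
    unsigned nr_user_files;
};

/* Minimal allocation tracker standing in for KASAN: counts frees per pointer
 * so a second free of the same table shows up as a count of 2. */
#define MAX_TRACKED 8
static void *tracked[MAX_TRACKED];
static int free_count[MAX_TRACKED];
static int ntracked;

static void reset_tracking(void)
{
    for (int i = 0; i < MAX_TRACKED; i++) {
        tracked[i] = NULL;
        free_count[i] = 0;
    }
    ntracked = 0;
}

static void *shim_kmalloc(size_t n)
{
    void *p = calloc(1, n);
    if (p && ntracked < MAX_TRACKED)
        tracked[ntracked++] = p;
    return p;
}

/* Like kfree(): NULL is a harmless no-op. The real memory is released on the
 * first call only; later calls on the same pointer are just counted. */
static void shim_kfree(void *p)
{
    if (!p)
        return;
    for (int i = 0; i < ntracked; i++) {
        if (tracked[i] == p) {
            if (free_count[i]++ == 0)
                free(p);
            return;
        }
    }
}

/* Register a fileset of nr slots. fail_at simulates the fail_at-th descriptor
 * being invalid, which forces the error path. clear_on_error selects the
 * buggy (0) or fixed (1) behaviour. Hypothetical stand-in, not the kernel API. */
static int files_register(struct ring_ctx *ctx, unsigned nr, int fail_at,
                          int clear_on_error)
{
    if (ctx->user_files)
        return -EBUSY;
    ctx->user_files = shim_kmalloc(nr * sizeof(void *));
    if (!ctx->user_files)
        return -ENOMEM;

    for (unsigned i = 0; i < nr; i++) {
        if ((int)i == fail_at) {
            /* Error path: the partially built table is released here. */
            shim_kfree(ctx->user_files);
            if (clear_on_error)
                ctx->user_files = NULL;   /* the fix: no dangling owner pointer */
            return -EBADF;
        }
        /* Stand-in for the struct file * that fget() would return. */
        ctx->user_files[i] = (void *)(uintptr_t)(i + 1);
    }
    ctx->nr_user_files = nr;
    return 0;
}

/* Normal teardown, as run when the io_uring fd is closed. It trusts
 * ctx->user_files: non-NULL means "a table is registered, free it". */
static void files_unregister(struct ring_ctx *ctx)
{
    if (!ctx->user_files)
        return;
    shim_kfree(ctx->user_files);
    ctx->user_files = NULL;
    ctx->nr_user_files = 0;
}

/* Failed registration followed by teardown. Returns how many times the
 * table was freed: 2 reproduces the KASAN double-free, 1 is correct. */
static int run_scenario(int clear_on_error)
{
    struct ring_ctx ctx = { 0 };

    reset_tracking();
    if (files_register(&ctx, 4, 2, clear_on_error) != -EBADF)
        return -1;            /* the scenario requires the error path */
    files_unregister(&ctx);
    return free_count[0];
}

int main(void)
{
    printf("without clearing the pointer: table freed %d time(s)\n", run_scenario(0));
    printf("with the fix:                 table freed %d time(s)\n", run_scenario(1));
    return 0;
}
```

The general rule the fix applies: whenever an error path frees memory that some other code path will later also try to release, either clear the owning pointer (and any associated count, here `nr_user_files`) in the same breath as the free, or route the error path through the one teardown function that already does both. Testing the error branch with KASAN (or an allocation tracker like the one above) is the check that catches this class of bug, because the happy path never exercises the second free.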