1. 27 Jan 2021, 3 commits
  2. 18 Jan 2021, 7 commits
    • io_uring: remove racy overflow list fast checks · 6b0b39ed
      Pavel Begunkov committed
      stable inclusion
      from stable-5.10.5
      commit c7b04d27c9107fbc0d22dee67316f8584439df35
      bugzilla: 46931
      
      --------------------------------
      
      [ Upstream commit 9cd2be51 ]
      
      list_empty_careful() is not racy only if some conditions are met, i.e.
      no re-adds after del_init. io_cqring_overflow_flush() does list_move(),
      so it's actually racy.
      
      Remove those checks, we have ->cq_check_overflow for the fast path.
      Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      Signed-off-by: Chen Jun <chenjun102@huawei.com>
      Acked-by: Xie XiuQi <xiexiuqi@huawei.com>
    • io_uring: check kthread stopped flag when sq thread is unparked · c52fc272
      Xiaoguang Wang committed
      stable inclusion
      from stable-5.10.5
      commit b5a2f093b6b16db004619d6403f68c75ee85d794
      bugzilla: 46931
      
      --------------------------------
      
      commit 65b2b213 upstream.
      
      syzbot reports following issue:
      INFO: task syz-executor.2:12399 can't die for more than 143 seconds.
      task:syz-executor.2  state:D stack:28744 pid:12399 ppid:  8504 flags:0x00004004
      Call Trace:
       context_switch kernel/sched/core.c:3773 [inline]
       __schedule+0x893/0x2170 kernel/sched/core.c:4522
       schedule+0xcf/0x270 kernel/sched/core.c:4600
       schedule_timeout+0x1d8/0x250 kernel/time/timer.c:1847
       do_wait_for_common kernel/sched/completion.c:85 [inline]
       __wait_for_common kernel/sched/completion.c:106 [inline]
       wait_for_common kernel/sched/completion.c:117 [inline]
       wait_for_completion+0x163/0x260 kernel/sched/completion.c:138
       kthread_stop+0x17a/0x720 kernel/kthread.c:596
       io_put_sq_data fs/io_uring.c:7193 [inline]
       io_sq_thread_stop+0x452/0x570 fs/io_uring.c:7290
       io_finish_async fs/io_uring.c:7297 [inline]
       io_sq_offload_create fs/io_uring.c:8015 [inline]
       io_uring_create fs/io_uring.c:9433 [inline]
       io_uring_setup+0x19b7/0x3730 fs/io_uring.c:9507
       do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x45deb9
      Code: Unable to access opcode bytes at RIP 0x45de8f.
      RSP: 002b:00007f174e51ac78 EFLAGS: 00000246 ORIG_RAX: 00000000000001a9
      RAX: ffffffffffffffda RBX: 0000000000008640 RCX: 000000000045deb9
      RDX: 0000000000000000 RSI: 0000000020000140 RDI: 00000000000050e5
      RBP: 000000000118bf58 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c
      R13: 00007ffed9ca723f R14: 00007f174e51b9c0 R15: 000000000118bf2c
      INFO: task syz-executor.2:12399 blocked for more than 143 seconds.
            Not tainted 5.10.0-rc3-next-20201110-syzkaller #0
      "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
      
      Currently we don't have a reproducer yet, but it seems that there is a
      race in the current code:
      => io_put_sq_data
            ctx_list is empty now.       |
      ==> kthread_park(sqd->thread);     |
                                         | T1: sq thread is parked now.
      ==> kthread_stop(sqd->thread);     |
          KTHREAD_SHOULD_STOP is set now.|
      ===> kthread_unpark(k);            |
                                         | T2: sq thread is now unparked, run again.
                                         |
                                         | T3: sq thread is now preempted out.
                                         |
      ===> wake_up_process(k);           |
                                         |
                                         | T4: Since sqd ctx_list is empty, needs_sched will be true,
                                         | then sq thread sets task state to TASK_INTERRUPTIBLE,
                                         | and schedule, now sq thread will never be woken up.
      ===> wait_for_completion           |
      
      I have artificially used mdelay() to simulate the above race and get the
      same stack as this syzbot report, but to be honest, I'm not sure this code
      race triggers the syzbot report.
      
      To fix this possible code race, when sq thread is unparked, need to check
      whether sq thread has been stopped.
      
      Reported-by: syzbot+03beeb595f074db9cfd1@syzkaller.appspotmail.com
      Signed-off-by: Xiaoguang Wang <xiaoguang.wang@linux.alibaba.com>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Chen Jun <chenjun102@huawei.com>
      Acked-by: Xie XiuQi <xiexiuqi@huawei.com>
    • io_uring: fix io_sqe_files_unregister() hangs · 72779b06
      Pavel Begunkov committed
      stable inclusion
      from stable-5.10.5
      commit ce00a7d0d9523192d0a9dd954f9993358f19a536
      bugzilla: 46931
      
      --------------------------------
      
      commit 1ffc5422 upstream.
      
      io_sqe_files_unregister() uninterruptibly waits for enqueued ref nodes,
      however requests keeping them may never complete, e.g. because of some
      userspace dependency. Make sure it's interruptible otherwise it would
      hang forever.
      
      Cc: stable@vger.kernel.org # 5.6+
      Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Chen Jun <chenjun102@huawei.com>
      Acked-by: Xie XiuQi <xiexiuqi@huawei.com>
    • io_uring: add a helper for setting a ref node · dd81dbb9
      Pavel Begunkov committed
      stable inclusion
      from stable-5.10.5
      commit b25b86936a8dccd6f6ec9045bede4774b6c7c7cf
      bugzilla: 46931
      
      --------------------------------
      
      commit 1642b445 upstream.
      
      Setting a new reference node to a file data is not trivial, don't repeat
      it, add and use a helper.
      
      Cc: stable@vger.kernel.org # 5.6+
      Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Chen Jun <chenjun102@huawei.com>
      Acked-by: Xie XiuQi <xiexiuqi@huawei.com>
    • io_uring: use bottom half safe lock for fixed file data · 94fe557f
      Jens Axboe committed
      stable inclusion
      from stable-5.10.5
      commit 25a2de679b5d55ead2f99881c7d3e9b745325f39
      bugzilla: 46931
      
      --------------------------------
      
      commit ac0648a5 upstream.
      
      io_file_data_ref_zero() can be invoked from soft-irq from the RCU core,
      hence we need to ensure that the file_data lock is bottom half safe. Use
      the _bh() variants when grabbing this lock.
      
      Reported-by: syzbot+1f4ba1e5520762c523c6@syzkaller.appspotmail.com
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Chen Jun <chenjun102@huawei.com>
      Acked-by: Xie XiuQi <xiexiuqi@huawei.com>
    • io_uring: don't assume mm is constant across submits · 8b40a98b
      Jens Axboe committed
      stable inclusion
      from stable-5.10.5
      commit 7247bc60e8e1458d89ea53179fce02d2307aac7f
      bugzilla: 46931
      
      --------------------------------
      
      commit 77788775 upstream.
      
      If we COW the identity, we assume that ->mm never changes. But this
      isn't true if multiple processes end up sharing the ring. Hence treat
      id->mm like any other process component when it comes to the
      identity mapping. This is pretty trivial, just moving the existing grab
      into io_grab_identity(), and including a check for the match.
      
      Cc: stable@vger.kernel.org # 5.10
      Fixes: 1e6fa521 ("io_uring: COW io_identity on mismatch")
      Reported-by: Christian Brauner <christian.brauner@ubuntu.com>
      Tested-by: Christian Brauner <christian.brauner@ubuntu.com>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Chen Jun <chenjun102@huawei.com>
      Acked-by: Xie XiuQi <xiexiuqi@huawei.com>
    • io_uring: close a small race gap for files cancel · b3818042
      Pavel Begunkov committed
      stable inclusion
      from stable-5.10.5
      commit 52504a61ab999289d406f5dec930d3e3f386365d
      bugzilla: 46931
      
      --------------------------------
      
      commit dfea9fce upstream.
      
      The purpose of io_uring_cancel_files() is to wait for all requests
      matching ->files to go/be cancelled. We should first drop files of a
      request in io_req_drop_files() and only then make it undiscoverable for
      io_uring_cancel_files.
      
      First drop, then delete from list. It's ok to leave req->id->files
      dangling, because it's not dereferenced by cancellation code, only
      compared against. It would potentially go to sleep and be woken by
      the following wake_up() in io_req_drop_files().
      
      Fixes: 0f212204 ("io_uring: don't rely on weak ->files references")
      Cc: <stable@vger.kernel.org> # 5.5+
      Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Chen Jun <chenjun102@huawei.com>
      Acked-by: Xie XiuQi <xiexiuqi@huawei.com>
  3. 12 Jan 2021, 11 commits
  4. 08 Dec 2020, 1 commit
    • io_uring: fix file leak on error path of io ctx creation · f26c08b4
      Hillf Danton committed
      Put file as part of error handling when setting up io ctx to fix
      memory leaks like the following one.
      
         BUG: memory leak
         unreferenced object 0xffff888101ea2200 (size 256):
           comm "syz-executor355", pid 8470, jiffies 4294953658 (age 32.400s)
           hex dump (first 32 bytes):
             00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
             20 59 03 01 81 88 ff ff 80 87 a8 10 81 88 ff ff   Y..............
           backtrace:
             [<000000002e0a7c5f>] kmem_cache_zalloc include/linux/slab.h:654 [inline]
             [<000000002e0a7c5f>] __alloc_file+0x1f/0x130 fs/file_table.c:101
             [<000000001a55b73a>] alloc_empty_file+0x69/0x120 fs/file_table.c:151
             [<00000000fb22349e>] alloc_file+0x33/0x1b0 fs/file_table.c:193
             [<000000006e1465bb>] alloc_file_pseudo+0xb2/0x140 fs/file_table.c:233
             [<000000007118092a>] anon_inode_getfile fs/anon_inodes.c:91 [inline]
             [<000000007118092a>] anon_inode_getfile+0xaa/0x120 fs/anon_inodes.c:74
             [<000000002ae99012>] io_uring_get_fd fs/io_uring.c:9198 [inline]
             [<000000002ae99012>] io_uring_create fs/io_uring.c:9377 [inline]
             [<000000002ae99012>] io_uring_setup+0x1125/0x1630 fs/io_uring.c:9411
             [<000000008280baad>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
             [<00000000685d8cf0>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Reported-by: syzbot+71c4697e27c99fddcf17@syzkaller.appspotmail.com
      Fixes: 0f212204 ("io_uring: don't rely on weak ->files references")
      Cc: Pavel Begunkov <asml.silence@gmail.com>
      Signed-off-by: Hillf Danton <hdanton@sina.com>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
  5. 07 Dec 2020, 1 commit
  6. 01 Dec 2020, 1 commit
  7. 26 Nov 2020, 1 commit
    • io_uring: fix files grab/cancel race · af604703
      Pavel Begunkov committed
      When one task is in io_uring_cancel_files() and another is doing
      io_prep_async_work() a race may happen. That's because after accounting
      a request inflight in first call to io_grab_identity() it still may fail
      and go to io_identity_cow(), which might briefly keep dangling
      work.identity and not only.
      
      Grab files last, so io_prep_async_work() won't fail if it did get into
      ->inflight_list.
      
      note: the bug shouldn't exist after making io_uring_cancel_files() not
      poking into other tasks' requests.
      Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
  8. 24 Nov 2020, 2 commits
    • io_uring: fix ITER_BVEC check · 9c3a205c
      Pavel Begunkov committed
      iov_iter::type is a bitmask that also keeps direction etc., so it
      shouldn't be directly compared against ITER_*. Use proper helper.
      
      Fixes: ff6165b2 ("io_uring: retain iov_iter state over io_read/io_write calls")
      Reported-by: David Howells <dhowells@redhat.com>
      Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
      Cc: <stable@vger.kernel.org> # 5.9
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
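The pattern fixed by 9c3a205c, as an added example in C written for this page (not code from the page or from the kernel tree): a small model of iov_iter in which ->type packs the direction bit together with the iterator kind, so comparing the whole field against ITER_BVEC misses every WRITE-direction bvec iterator, while the masking helper classifies it correctly. The numeric flag values, the stub structs and the retain_segments() consumer are this example's own assumptions, modelled on include/linux/uio.h rather than copied from it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Direction bits and iterator kinds modelled on include/linux/uio.h (5.9).
 * The values are an assumption of this example; the point is only that
 * ->type holds direction | kind, e.g. WRITE | ITER_BVEC == 17. */
#define READ  0
#define WRITE 1
enum iter_type { ITER_IOVEC = 4, ITER_KVEC = 8, ITER_BVEC = 16,
                 ITER_PIPE = 32, ITER_DISCARD = 64 };

/* Stubs standing in for struct iovec / struct bio_vec. */
struct iovec_stub { void *base; size_t len; };
struct bvec_stub  { void *page; unsigned len; unsigned offset; };

struct iov_iter {
    unsigned int type;      /* direction | iter_type */
    size_t count;
    const void *segs;       /* iovec array or bio_vec array */
    unsigned long nr_segs;
};

static void iov_iter_init_kind(struct iov_iter *i, enum iter_type kind,
                               unsigned int dir, const void *segs,
                               unsigned long nr_segs, size_t count)
{
    i->type = kind | dir;
    i->count = count;
    i->segs = segs;
    i->nr_segs = nr_segs;
}

/* The proper helpers: strip the direction bits before comparing. */
static enum iter_type iov_iter_type(const struct iov_iter *i)
{
    return (enum iter_type)(i->type & ~(READ | WRITE));
}
static bool iov_iter_is_bvec(const struct iov_iter *i)
{
    return iov_iter_type(i) == ITER_BVEC;
}

/* The check the fix removes: the whole bitmask compared to one kind. */
bool is_bvec_direct(const struct iov_iter *i)
{
    return i->type == ITER_BVEC;
}
bool is_bvec_helper(const struct iov_iter *i)
{
    return iov_iter_is_bvec(i);
}

/* Hypothetical consumer, in the spirit of retaining iter state over an
 * async retry: iovec segments live in caller-owned memory and have to be
 * copied, bio_vecs belong to the request and are kept by reference.
 * Returns the number of entries copied into dst. */
size_t retain_segments(const struct iov_iter *i,
                       bool (*is_bvec)(const struct iov_iter *),
                       struct iovec_stub *dst, size_t dst_cap)
{
    if (is_bvec(i))
        return 0;                              /* nothing to copy */
    size_t n = i->nr_segs < dst_cap ? i->nr_segs : dst_cap;
    /* For a misclassified bvec iterator this copies bio_vecs as iovecs. */
    memcpy(dst, i->segs, n * sizeof(*dst));
    return n;
}

int main(void)
{
    struct bvec_stub bv[2] = {{0}};
    struct iovec_stub dst[4];
    struct iov_iter it;

    iov_iter_init_kind(&it, ITER_BVEC, WRITE, bv, 2, 4096);
    printf("WRITE bvec: direct=%d helper=%d copied(direct)=%zu copied(helper)=%zu\n",
           is_bvec_direct(&it), is_bvec_helper(&it),
           retain_segments(&it, is_bvec_direct, dst, 4),
           retain_segments(&it, is_bvec_helper, dst, 4));
    return 0;
}
```

A READ-direction bvec iterator passes both checks, which is why the direct comparison looks correct in read paths and only breaks once a write (direction bit set) reaches the same code.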
    • io_uring: fix shift-out-of-bounds when round up cq size · eb2667b3
      Joseph Qi committed
      Abaci Fuzz reported a shift-out-of-bounds BUG in io_uring_create():
      
      [ 59.598207] UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13
      [ 59.599665] shift exponent 64 is too large for 64-bit type 'long unsigned int'
      [ 59.601230] CPU: 0 PID: 963 Comm: a.out Not tainted 5.10.0-rc4+ #3
      [ 59.602502] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
      [ 59.603673] Call Trace:
      [ 59.604286] dump_stack+0x107/0x163
      [ 59.605237] ubsan_epilogue+0xb/0x5a
      [ 59.606094] __ubsan_handle_shift_out_of_bounds.cold+0xb2/0x20e
      [ 59.607335] ? lock_downgrade+0x6c0/0x6c0
      [ 59.608182] ? rcu_read_lock_sched_held+0xaf/0xe0
      [ 59.609166] io_uring_create.cold+0x99/0x149
      [ 59.610114] io_uring_setup+0xd6/0x140
      [ 59.610975] ? io_uring_create+0x2510/0x2510
      [ 59.611945] ? lockdep_hardirqs_on_prepare+0x286/0x400
      [ 59.613007] ? syscall_enter_from_user_mode+0x27/0x80
      [ 59.614038] ? trace_hardirqs_on+0x5b/0x180
      [ 59.615056] do_syscall_64+0x2d/0x40
      [ 59.615940] entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [ 59.617007] RIP: 0033:0x7f2bb8a0b239
      
      This is caused by roundup_pow_of_two() if the input entries is large
      enough, e.g. 2^32-1. For sq_entries, it will check first and we allow
      at most IORING_MAX_ENTRIES, so it is okay. But for cq_entries, we do
      round up first, that may overflow and truncate it to 0, which is not
      the expected behavior. So check the cq size first and then do round up.
      
      Fixes: 88ec3211 ("io_uring: round-up cq size before comparing with rounded sq size")
      Reported-by: Abaci Fuzz <abaci@linux.alibaba.com>
      Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
      Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
  9. 18 Nov 2020, 3 commits
  10. 15 Nov 2020, 1 commit
    • io_uring: handle -EOPNOTSUPP on path resolution · 944d1444
      Jens Axboe committed
      Any attempt to do path resolution on /proc/self from an async worker will
      yield -EOPNOTSUPP. We can safely do that resolution from the task itself,
      and without blocking, so retry it from there.
      
      Ideally io_uring would know this upfront and not have to go through the
      worker thread to find out, but that doesn't currently seem feasible.
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
  11. 12 Nov 2020, 1 commit
    • io_uring: round-up cq size before comparing with rounded sq size · 88ec3211
      Jens Axboe committed
      If an application specifies IORING_SETUP_CQSIZE to set the CQ ring size
      to a specific size, we ensure that the CQ size is at least that of the
      SQ ring size. But in doing so, we compare the already rounded up to power
      of two SQ size to the as-of yet unrounded CQ size. This means that if an
      application passes in non power of two sizes, we can return -EINVAL when
      the final value would've been fine. As an example, an application passing
      in 100/100 for sq/cq size should end up with 128 for both. But since we
      round the SQ size first, we compare the CQ size of 100 to 128, and return
      -EINVAL as that is too small.
      
      Cc: stable@vger.kernel.org
      Fixes: 33a107f0 ("io_uring: allow application controlled CQ ring size")
      Reported-by: Dan Melnic <dmm@fb.com>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
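The cq_entries sizing discussed in 88ec3211 here and in eb2667b3 above, as one added example in C written for this page (not code from the page or from the kernel tree). It models the three orderings of the IORING_SETUP_CQSIZE checks: comparing the unrounded CQ size against the already rounded SQ size (rejects 100/100), rounding before the bounds check (rounds cq_entries of 0 or 2^32-1 with a shift exponent of 64 or 32, the kind of exponent UBSAN complains about in the report above), and checking the bounds first and rounding afterwards. The flag and limit constants follow the 5.10 UAPI headers; the roundup helper mirrors the kernel's 1UL << fls_long(n - 1) form but returns the exponent so the overflow is visible without performing an undefined shift; the struct, enum and function names are the example's own.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constants as in the io_uring UAPI for 5.10. */
#define IORING_SETUP_CQSIZE    (1u << 3)
#define IORING_SETUP_CLAMP     (1u << 4)
#define IORING_MAX_ENTRIES     32768u
#define IORING_MAX_CQ_ENTRIES  (2u * IORING_MAX_ENTRIES)

struct ring_sizes {
    int err;              /* 0 or -EINVAL */
    uint32_t sq_entries;  /* final, rounded sizes */
    uint32_t cq_entries;
    unsigned cq_shift;    /* exponent used to round cq_entries; 0 if never rounded */
};

/* Exponent the kernel's __roundup_pow_of_two() would shift by:
 * 1UL << fls_long(n - 1). n == 0 wraps to all ones exactly as in the
 * kernel. Done in 64 bits so this model never shifts by >= the width. */
static unsigned roundup_shift(uint32_t n)
{
    uint64_t x = (uint64_t)n - 1;
    unsigned fls = 0;
    while (x) { fls++; x >>= 1; }
    return fls;
}

/* Power-of-two rounding into a u32. An exponent >= 32 is the out-of-range
 * shift; the result stored into a u32 is 0, the truncation the commit
 * message describes. */
static uint32_t roundup_u32(uint32_t n, unsigned *shift)
{
    *shift = roundup_shift(n);
    return *shift >= 32 ? 0 : (uint32_t)1 << *shift;
}

/* sq_entries is bounded before rounding in every version. */
static int size_sq(struct ring_sizes *r, uint32_t entries, unsigned flags)
{
    unsigned s;
    if (!entries)
        return -EINVAL;
    if (entries > IORING_MAX_ENTRIES) {
        if (!(flags & IORING_SETUP_CLAMP))
            return -EINVAL;
        entries = IORING_MAX_ENTRIES;
    }
    r->sq_entries = roundup_u32(entries, &s);   /* s <= 15 here */
    return 0;
}

enum cq_order {
    CQ_COMPARE_UNROUNDED,  /* before 88ec3211: raw cq vs rounded sq */
    CQ_ROUND_THEN_CHECK,   /* 88ec3211: round, then compare and bound */
    CQ_CHECK_THEN_ROUND,   /* eb2667b3: bound, then round, then compare */
};

struct ring_sizes io_uring_sizes(uint32_t sq, uint32_t cq, unsigned flags,
                                 enum cq_order order)
{
    struct ring_sizes r = {0};
    r.err = size_sq(&r, sq, flags);
    if (r.err)
        return r;
    if (!(flags & IORING_SETUP_CQSIZE)) {
        r.cq_entries = 2 * r.sq_entries;
        return r;
    }
    switch (order) {
    case CQ_COMPARE_UNROUNDED:
        if (cq < r.sq_entries || cq > IORING_MAX_CQ_ENTRIES) { r.err = -EINVAL; return r; }
        r.cq_entries = roundup_u32(cq, &r.cq_shift);
        return r;
    case CQ_ROUND_THEN_CHECK:
        r.cq_entries = roundup_u32(cq, &r.cq_shift);      /* cq == 0 -> shift 64 */
        if (r.cq_entries < r.sq_entries) { r.err = -EINVAL; return r; }
        if (r.cq_entries > IORING_MAX_CQ_ENTRIES) {
            if (!(flags & IORING_SETUP_CLAMP)) { r.err = -EINVAL; return r; }
            r.cq_entries = IORING_MAX_CQ_ENTRIES;
        }
        return r;
    case CQ_CHECK_THEN_ROUND:
        if (!cq) { r.err = -EINVAL; return r; }
        if (cq > IORING_MAX_CQ_ENTRIES) {
            if (!(flags & IORING_SETUP_CLAMP)) { r.err = -EINVAL; return r; }
            cq = IORING_MAX_CQ_ENTRIES;
        }
        r.cq_entries = roundup_u32(cq, &r.cq_shift);      /* cq <= 65536 -> shift <= 16 */
        if (r.cq_entries < r.sq_entries)
            r.err = -EINVAL;
        return r;
    }
    r.err = -EINVAL;
    return r;
}

int main(void)
{
    struct ring_sizes r;
    r = io_uring_sizes(100, 100, IORING_SETUP_CQSIZE, CQ_COMPARE_UNROUNDED);
    printf("old order, 100/100: err=%d\n", r.err);
    r = io_uring_sizes(100, 100, IORING_SETUP_CQSIZE, CQ_CHECK_THEN_ROUND);
    printf("fixed order, 100/100: sq=%u cq=%u\n", r.sq_entries, r.cq_entries);
    r = io_uring_sizes(100, 0, IORING_SETUP_CQSIZE, CQ_ROUND_THEN_CHECK);
    printf("88ec3211 order, cq=0: shift exponent %u\n", r.cq_shift);
    r = io_uring_sizes(100, 0xFFFFFFFFu, IORING_SETUP_CQSIZE, CQ_CHECK_THEN_ROUND);
    printf("fixed order, cq=2^32-1: err=%d shift=%u\n", r.err, r.cq_shift);
    return 0;
}
```

With IORING_SETUP_CLAMP set, the final ordering clamps an oversized cq_entries to IORING_MAX_CQ_ENTRIES before rounding, so the largest exponent it can ever use is 16; the earlier ordering rounded the raw value and only clamped afterwards.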
  12. 11 Nov 2020, 1 commit
  13. 06 Nov 2020, 3 commits
  14. 05 Nov 2020, 4 commits
    • io_uring: fix overflowed cancel w/ linked ->files · 99b32808
      Pavel Begunkov committed
      Current io_match_files() check in io_cqring_overflow_flush() is useless
      because requests drop ->files before going to the overflow list, however
      requests linked to it do not, and we don't check them.
      Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
    • io_uring: drop req/tctx io_identity separately · cb8a8ae3
      Jens Axboe committed
      We can't bundle this into one operation, as the identity may not have
      originated from the tctx to begin with. Drop one ref for each of them
      separately, if they don't match the static assignment. If we don't, then
      if the identity is a lookup from registered credentials, we could be
      freeing that identity as we're dropping a reference assuming it came from
      the tctx. syzbot reports this as a use-after-free, as the identity is
      still referenceable from idr lookup:
      
      ==================================================================
      BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
      BUG: KASAN: use-after-free in atomic_fetch_add_relaxed include/asm-generic/atomic-instrumented.h:142 [inline]
      BUG: KASAN: use-after-free in __refcount_add include/linux/refcount.h:193 [inline]
      BUG: KASAN: use-after-free in __refcount_inc include/linux/refcount.h:250 [inline]
      BUG: KASAN: use-after-free in refcount_inc include/linux/refcount.h:267 [inline]
      BUG: KASAN: use-after-free in io_init_req fs/io_uring.c:6700 [inline]
      BUG: KASAN: use-after-free in io_submit_sqes+0x15a9/0x25f0 fs/io_uring.c:6774
      Write of size 4 at addr ffff888011e08e48 by task syz-executor165/8487
      
      CPU: 1 PID: 8487 Comm: syz-executor165 Not tainted 5.10.0-rc1-next-20201102-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x107/0x163 lib/dump_stack.c:118
       print_address_description.constprop.0.cold+0xae/0x4c8 mm/kasan/report.c:385
       __kasan_report mm/kasan/report.c:545 [inline]
       kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562
       check_memory_region_inline mm/kasan/generic.c:186 [inline]
       check_memory_region+0x13d/0x180 mm/kasan/generic.c:192
       instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
       atomic_fetch_add_relaxed include/asm-generic/atomic-instrumented.h:142 [inline]
       __refcount_add include/linux/refcount.h:193 [inline]
       __refcount_inc include/linux/refcount.h:250 [inline]
       refcount_inc include/linux/refcount.h:267 [inline]
       io_init_req fs/io_uring.c:6700 [inline]
       io_submit_sqes+0x15a9/0x25f0 fs/io_uring.c:6774
       __do_sys_io_uring_enter+0xc8e/0x1b50 fs/io_uring.c:9159
       do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x440e19
      Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 0f fc ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007fff644ff178 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
      RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000440e19
      RDX: 0000000000000000 RSI: 000000000000450c RDI: 0000000000000003
      RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00000000022b4850
      R13: 0000000000000010 R14: 0000000000000000 R15: 0000000000000000
      
      Allocated by task 8487:
       kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
       kasan_set_track mm/kasan/common.c:56 [inline]
       __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:461
       kmalloc include/linux/slab.h:552 [inline]
       io_register_personality fs/io_uring.c:9638 [inline]
       __io_uring_register fs/io_uring.c:9874 [inline]
       __do_sys_io_uring_register+0x10f0/0x40a0 fs/io_uring.c:9924
       do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Freed by task 8487:
       kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
       kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
       kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
       __kasan_slab_free+0x102/0x140 mm/kasan/common.c:422
       slab_free_hook mm/slub.c:1544 [inline]
       slab_free_freelist_hook+0x5d/0x150 mm/slub.c:1577
       slab_free mm/slub.c:3140 [inline]
       kfree+0xdb/0x360 mm/slub.c:4122
       io_identity_cow fs/io_uring.c:1380 [inline]
       io_prep_async_work+0x903/0xbc0 fs/io_uring.c:1492
       io_prep_async_link fs/io_uring.c:1505 [inline]
       io_req_defer fs/io_uring.c:5999 [inline]
       io_queue_sqe+0x212/0xed0 fs/io_uring.c:6448
       io_submit_sqe fs/io_uring.c:6542 [inline]
       io_submit_sqes+0x14f6/0x25f0 fs/io_uring.c:6784
       __do_sys_io_uring_enter+0xc8e/0x1b50 fs/io_uring.c:9159
       do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      The buggy address belongs to the object at ffff888011e08e00
       which belongs to the cache kmalloc-96 of size 96
      The buggy address is located 72 bytes inside of
       96-byte region [ffff888011e08e00, ffff888011e08e60)
      The buggy address belongs to the page:
      page:00000000a7104751 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11e08
      flags: 0xfff00000000200(slab)
      raw: 00fff00000000200 ffffea00004f8540 0000001f00000002 ffff888010041780
      raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff888011e08d00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
       ffff888011e08d80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
      > ffff888011e08e00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                                                    ^
       ffff888011e08e80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
       ffff888011e08f00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
      ==================================================================
      
      Reported-by: syzbot+625ce3bb7835b63f7f3d@syzkaller.appspotmail.com
      Fixes: 1e6fa521 ("io_uring: COW io_identity on mismatch")
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
    • io_uring: ensure consistent view of original task ->mm from SQPOLL · 4b70cf9d
      Jens Axboe committed
      Ensure we get a valid view of the task mm, by using task_lock() when
      attempting to grab the original task mm.
      
      Reported-by: syzbot+b57abf7ee60829090495@syzkaller.appspotmail.com
      Fixes: 2aede0e4 ("io_uring: stash ctx task reference for SQPOLL")
      Signed-off-by: Jens Axboe <axboe@kernel.dk>
    • io_uring: properly handle SQPOLL request cancelations · fdaf083c
      Jens Axboe committed
      Track if a given task io_uring context contains SQPOLL instances, so we
      can iterate those for cancelation (and request counts). This ensures that
      we properly wait on SQPOLL contexts, and find everything that needs
      canceling.
      Signed-off-by: Jens Axboe <axboe@kernel.dk>