twx-linux/io_uring
Pavel Begunkov 80120bb4ee io_uring/sqpoll: fix sqpoll error handling races
commit e33ac68e5e21ec1292490dfe061e75c0dbdd3bd4 upstream.

BUG: KASAN: slab-use-after-free in __lock_acquire+0x370b/0x4a10 kernel/locking/lockdep.c:5089
Call Trace:
<TASK>
...
_raw_spin_lock_irqsave+0x3d/0x60 kernel/locking/spinlock.c:162
class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline]
try_to_wake_up+0xb5/0x23c0 kernel/sched/core.c:4205
io_sq_thread_park+0xac/0xe0 io_uring/sqpoll.c:55
io_sq_thread_finish+0x6b/0x310 io_uring/sqpoll.c:96
io_sq_offload_create+0x162/0x11d0 io_uring/sqpoll.c:497
io_uring_create io_uring/io_uring.c:3724 [inline]
io_uring_setup+0x1728/0x3230 io_uring/io_uring.c:3806
...

Kun Hu reports that the SQPOLL creation error path has a UAF, which
happens if io_uring_alloc_task_context() fails and then io_sq_thread()
manages to run and complete before the rest of the error handling code,
which means io_sq_thread_finish() is looking at an already killed task.

Note that this is mostly theoretical, requiring fault injection on
the allocation side to trigger in practice.

Cc: stable@vger.kernel.org
Reported-by: Kun Hu <huk23@m.fudan.edu.cn>
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/0f2f1aa5729332612bd01fe0f2f385fd1f06ce7c.1735231717.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-01-02 10:32:10 +01:00
advise.c
advise.h
alloc_cache.h io_uring/rsrc: consolidate node caching 2023-04-12 12:09:41 -06:00
cancel.c io_uring: use fget/fput consistently 2024-01-20 11:51:38 +01:00
cancel.h io_uring/cancel: support opcode based lookup and cancelation 2023-07-17 10:05:48 -06:00
epoll.c io_uring: undeprecate epoll_ctl support 2023-05-26 20:22:41 -06:00
epoll.h
fdinfo.c io_uring/fdinfo: remove need for sqpoll lock for thread/pid retrieval 2023-11-28 17:19:52 +00:00
fdinfo.h
filetable.c io_uring: drop any code related to SCM_RIGHTS 2024-03-26 18:19:09 -04:00
filetable.h io_uring: add helpers to decode the fixed file file_ptr 2023-06-20 09:36:22 -06:00
fs.c io_uring/fs: consider link->flags when getting path for LINKAT 2023-12-03 07:33:07 +01:00
fs.h
io_uring.c io_uring/rw: avoid punting to io-wq directly 2024-12-27 13:58:57 +01:00
io_uring.h io_uring/rw: avoid punting to io-wq directly 2024-12-27 13:58:57 +01:00
io-wq.c io_uring/io-wq: inherit cpuset of cgroup in io worker 2024-10-04 16:29:01 +02:00
io-wq.h io_uring: break out of iowq iopoll on teardown 2023-09-07 09:02:27 -06:00
kbuf.c io_uring: check for non-NULL file pointer in io_file_can_poll() 2024-06-21 14:38:23 +02:00
kbuf.h io_uring/kbuf: hold io_buffer_list reference over mmap 2024-04-10 16:36:03 +02:00
Makefile
msg_ring.c io_uring: use io_file_from_index in io_msg_grab_file 2023-06-20 09:36:22 -06:00
msg_ring.h
net.c io_uring/net: harden multishot termination case for recv 2024-10-10 11:58:02 +02:00
net.h io_uring: Add KASAN support for alloc_caches 2023-04-03 07:16:14 -06:00
nop.c io_uring: fail NOP if non-zero op flags is passed in 2024-06-12 11:11:18 +02:00
nop.h
notif.c io_uring/notif: add constant for ubuf_info flags 2023-04-15 14:21:04 -06:00
notif.h io_uring/notif: add constant for ubuf_info flags 2023-04-15 14:21:04 -06:00
opdef.c io_uring: Pass whole sqe to commands 2023-05-04 08:19:05 -06:00
opdef.h
openclose.c io_uring: correct check for O_TMPFILE 2023-08-07 12:34:23 -06:00
openclose.h
poll.c io_uring: fix poll_remove stalled req completion 2024-03-26 18:20:09 -04:00
poll.h io_uring: avoid indirect function calls for the hottest task_work 2023-06-02 08:55:37 -06:00
refs.h
rsrc.c io_uring/rsrc: fix incorrect assignment of iter->nr_segs in io_import_fixed 2024-06-27 13:49:10 +02:00
rsrc.h io_uring: drop any code related to SCM_RIGHTS 2024-03-26 18:19:09 -04:00
rw.c io_uring/rw: avoid punting to io-wq directly 2024-12-27 13:58:57 +01:00
rw.h io_uring: avoid indirect function calls for the hottest task_work 2023-06-02 08:55:37 -06:00
slist.h io_uring: silence variable ‘prev’ set but not used warning 2023-03-09 10:10:58 -07:00
splice.c io_uring/splice: use fput() directly 2023-08-10 10:24:25 -06:00
splice.h
sqpoll.c io_uring/sqpoll: fix sqpoll error handling races 2025-01-02 10:32:10 +01:00
sqpoll.h io_uring/sqpoll: fix io-wq affinity when IORING_SETUP_SQPOLL is used 2023-08-16 13:40:28 -06:00
statx.c
statx.h
sync.c
sync.h
tctx.c io_uring/tctx: work around xa_store() allocation error issue 2024-12-14 20:00:17 +01:00
tctx.h
timeout.c io_uring: fix io_match_task must_hold 2024-08-03 08:54:41 +02:00
timeout.h
uring_cmd.c io_uring/cmd: fix breakage in SOCKET_URING_OP_SIOC* implementation 2023-12-20 17:01:52 +01:00
uring_cmd.h io_uring: Remove unnecessary BUILD_BUG_ON 2023-05-04 08:19:05 -06:00
xattr.c
xattr.h