From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Ye Bin <yebin10@huawei.com>, Jens Axboe <axboe@kernel.dk>,
	Sasha Levin <sashal@kernel.org>,
	io-uring@vger.kernel.org
Subject: [PATCH AUTOSEL 5.15 67/68] io_uring: Fix undefined-behaviour in io_issue_sqe
Date: Tue, 30 Nov 2021 09:47:03 -0500
Message-ID: <20211130144707.944580-67-sashal@kernel.org>
In-Reply-To: <20211130144707.944580-1-sashal@kernel.org>

From: Ye Bin <yebin10@huawei.com>

[ Upstream commit f6223ff799666235a80d05f8137b73e5580077b9 ]

We got the following issue:
================================================================================
UBSAN: Undefined behaviour in ./include/linux/ktime.h:42:14
signed integer overflow:
-4966321760114568020 * 1000000000 cannot be represented in type 'long long int'
CPU: 1 PID: 2186 Comm: syz-executor.2 Not tainted 4.19.90+ #12
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0x0/0x3f0 arch/arm64/kernel/time.c:78
 show_stack+0x28/0x38 arch/arm64/kernel/traps.c:158
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x170/0x1dc lib/dump_stack.c:118
 ubsan_epilogue+0x18/0xb4 lib/ubsan.c:161
 handle_overflow+0x188/0x1dc lib/ubsan.c:192
 __ubsan_handle_mul_overflow+0x34/0x44 lib/ubsan.c:213
 ktime_set include/linux/ktime.h:42 [inline]
 timespec64_to_ktime include/linux/ktime.h:78 [inline]
 io_timeout fs/io_uring.c:5153 [inline]
 io_issue_sqe+0x42c8/0x4550 fs/io_uring.c:5599
 __io_queue_sqe+0x1b0/0xbc0 fs/io_uring.c:5988
 io_queue_sqe+0x1ac/0x248 fs/io_uring.c:6067
 io_submit_sqe fs/io_uring.c:6137 [inline]
 io_submit_sqes+0xed8/0x1c88 fs/io_uring.c:6331
 __do_sys_io_uring_enter fs/io_uring.c:8170 [inline]
 __se_sys_io_uring_enter fs/io_uring.c:8129 [inline]
 __arm64_sys_io_uring_enter+0x490/0x980 fs/io_uring.c:8129
 invoke_syscall arch/arm64/kernel/syscall.c:53 [inline]
 el0_svc_common+0x374/0x570 arch/arm64/kernel/syscall.c:121
 el0_svc_handler+0x190/0x260 arch/arm64/kernel/syscall.c:190
 el0_svc+0x10/0x218 arch/arm64/kernel/entry.S:1017
================================================================================

ktime_set only checks whether 'secs' is bigger than KTIME_SEC_MAX, but if we
pass a negative value it may lead to overflow.
To address this issue, we must check if 'sec' is negative.

Signed-off-by: Ye Bin <yebin10@huawei.com>
Link: https://lore.kernel.org/r/20211118015907.844807-1-yebin10@huawei.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/io_uring.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 365f8b350b7f0..d0933789bf3ce 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -6147,6 +6147,9 @@ static int io_timeout_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe,
 	if (get_timespec64(&data->ts, u64_to_user_ptr(sqe->addr)))
 		return -EFAULT;
 
+	if (data->ts.tv_sec < 0 || data->ts.tv_nsec < 0)
+		return -EINVAL;
+
 	data->mode = io_translate_timeout_mode(flags);
 	hrtimer_init(&data->timer, io_timeout_get_clock(data), data->mode);
 
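Review bot: the added check `data->ts.tv_sec < 0 || data->ts.tv_nsec < 0` puts a lower bound on tv_nsec but no upper bound, so a user-supplied tv_nsec of NSEC_PER_SEC or more still passes on to the timer setup that follows. timespec64_valid(&data->ts) rejects negative seconds and nanoseconds outside 0..NSEC_PER_SEC-1 in one call and would state the intent more clearly; if oversized tv_nsec values are deliberately tolerated here, a short comment saying so would help. The commit message also mentions only 'sec', while the check rejects negative tv_nsec as well, and that is a user-visible change (-EINVAL where these lines previously let the request through) worth stating in the log.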
-- 
2.33.0
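The overflow described in the commit message, as an added userspace model (not kernel code and not part of the patch). `ktime_set_model()`, `timeout_prep_check()` and `struct ts64` are hypothetical stand-ins for `ktime_set()`, the check the patch adds and `struct timespec64`; the GCC/Clang overflow builtins are assumed.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NSEC_PER_SEC  1000000000LL
#define KTIME_MAX     INT64_MAX
#define KTIME_SEC_MAX (KTIME_MAX / NSEC_PER_SEC)

struct ts64 { int64_t tv_sec; long tv_nsec; };   /* stand-in for timespec64 */

/* Model of ktime_set(): only the upper bound of secs is clamped.
 * Returns true when secs * NSEC_PER_SEC + nsecs does not fit in s64,
 * which is the condition UBSAN reported. */
static bool ktime_set_model(int64_t secs, long nsecs, int64_t *out)
{
    int64_t prod;

    if (secs >= KTIME_SEC_MAX) {
        *out = KTIME_MAX;
        return false;
    }
    return __builtin_mul_overflow(secs, NSEC_PER_SEC, &prod) ||
           __builtin_add_overflow(prod, (int64_t)nsecs, out);
}

/* Model of the check added in io_timeout_prep(). */
static int timeout_prep_check(const struct ts64 *ts)
{
    if (ts->tv_sec < 0 || ts->tv_nsec < 0)
        return -EINVAL;
    return 0;
}

int main(void)
{
    /* tv_sec taken from the UBSAN report quoted in the commit message */
    struct ts64 ts = { .tv_sec = -4966321760114568020LL, .tv_nsec = 0 };
    int64_t kt = 0;

    printf("unchecked conversion overflows: %d\n",
           ktime_set_model(ts.tv_sec, ts.tv_nsec, &kt));
    printf("patched prep returns: %d\n", timeout_prep_check(&ts));
    return 0;
}
```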