* [PATCH 5.13] io_uring: Check current->io_uring in io_uring_cancel_sqpoll [not found] <e67b2f55-dd0a-1e1f-e34b-87e8613cd701@gmail.com> @ 2021-04-27 12:51 ` Palash Oswal 2021-04-27 13:08 ` Pavel Begunkov 2021-04-27 13:37 ` Jens Axboe 0 siblings, 2 replies; 6+ messages in thread From: Palash Oswal @ 2021-04-27 12:51 UTC (permalink / raw) To: asml.silence Cc: axboe, dvyukov, io-uring, linux-kernel, oswalpalash, syzbot+be51ca5a4d97f017cd50, syzkaller-bugs, Palash Oswal, stable syzkaller identified KASAN: null-ptr-deref Write in io_uring_cancel_sqpoll on v5.12 io_uring_cancel_sqpoll is called by io_sq_thread before calling io_uring_alloc_task_context. This leads to current->io_uring being NULL. io_uring_cancel_sqpoll should not have to deal with threads where current->io_uring is NULL. In order to cast a wider safety net, perform input sanitisation directly in io_uring_cancel_sqpoll and return for NULL value of current->io_uring. Reported-by: syzbot+be51ca5a4d97f017cd50@syzkaller.appspotmail.com Cc: stable@vger.kernel.org Signed-off-by: Palash Oswal <hello@oswalpalash.com> --- fs/io_uring.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/io_uring.c b/fs/io_uring.c index dff34975d86b..eccad51b7954 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -8998,6 +8998,8 @@ static void io_uring_cancel_sqpoll(struct io_ring_ctx *ctx) s64 inflight; DEFINE_WAIT(wait); + if (!current->io_uring) + return; WARN_ON_ONCE(!sqd || ctx->sq_data->thread != current); atomic_inc(&tctx->in_idle); -- 2.27.0 ^ permalink raw reply related [flat|nested] 6+ messages in thread
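Review bot: the guard tests `current->io_uring` while the code that follows in the same hunk works through the local `tctx` (`atomic_inc(&tctx->in_idle);`), which the "s/current->io_uring/tctx/" nit in the replies indicates is the same pointer; testing the local (`if (!tctx) return;`) keeps the guard and the later dereferences tied to one variable. The bare early return also needs a comment explaining why silently skipping cancellation is safe, namely that io_sq_thread reaches this function before io_uring_alloc_task_context has run, so a thread without a task context cannot have submitted any requests that would need cancelling. Note as well that the return sits ahead of `WARN_ON_ONCE(!sqd || ctx->sq_data->thread != current);`, so that thread-identity assertion is no longer evaluated on the NULL path; if it is meant to fire for every caller, order the two checks the other way round.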
* Re: [PATCH 5.13] io_uring: Check current->io_uring in io_uring_cancel_sqpoll 2021-04-27 12:51 ` [PATCH 5.13] io_uring: Check current->io_uring in io_uring_cancel_sqpoll Palash Oswal @ 2021-04-27 13:08 ` Pavel Begunkov 2021-04-27 13:37 ` Jens Axboe 1 sibling, 0 replies; 6+ messages in thread From: Pavel Begunkov @ 2021-04-27 13:08 UTC (permalink / raw) To: Palash Oswal Cc: axboe, dvyukov, io-uring, linux-kernel, oswalpalash, syzbot+be51ca5a4d97f017cd50, syzkaller-bugs, stable On 4/27/21 1:51 PM, Palash Oswal wrote: > syzkaller identified KASAN: null-ptr-deref Write in > io_uring_cancel_sqpoll on v5.12 > > io_uring_cancel_sqpoll is called by io_sq_thread before calling > io_uring_alloc_task_context. This leads to current->io_uring being > NULL. io_uring_cancel_sqpoll should not have to deal with threads > where current->io_uring is NULL. > > In order to cast a wider safety net, perform input sanitisation > directly in io_uring_cancel_sqpoll and return for NULL value of > current->io_uring. Looks good to me, but better to add a comment why it can be ignored, e.g. "can skip it as it couldn't have submitted requests without tctx" Also a nit: s/current->io_uring/tctx/ > > Reported-by: syzbot+be51ca5a4d97f017cd50@syzkaller.appspotmail.com > Cc: stable@vger.kernel.org > Signed-off-by: Palash Oswal <hello@oswalpalash.com> > --- > fs/io_uring.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/fs/io_uring.c b/fs/io_uring.c > index dff34975d86b..eccad51b7954 100644 > --- a/fs/io_uring.c > +++ b/fs/io_uring.c > @@ -8998,6 +8998,8 @@ static void io_uring_cancel_sqpoll(struct io_ring_ctx *ctx) > s64 inflight; > DEFINE_WAIT(wait); > > + if (!current->io_uring) > + return; > WARN_ON_ONCE(!sqd || ctx->sq_data->thread != current); > > atomic_inc(&tctx->in_idle); > -- Pavel Begunkov ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH 5.13] io_uring: Check current->io_uring in io_uring_cancel_sqpoll
From: Jens Axboe
Date: 2021-04-27 13:37 UTC
To: Palash Oswal, asml.silence
Cc: dvyukov, io-uring, linux-kernel, oswalpalash, syzbot+be51ca5a4d97f017cd50, syzkaller-bugs, stable

On 4/27/21 6:51 AM, Palash Oswal wrote:
> syzkaller identified KASAN: null-ptr-deref Write in
> io_uring_cancel_sqpoll on v5.12
>
> io_uring_cancel_sqpoll is called by io_sq_thread before calling
> io_uring_alloc_task_context. This leads to current->io_uring being
> NULL. io_uring_cancel_sqpoll should not have to deal with threads
> where current->io_uring is NULL.
>
> In order to cast a wider safety net, perform input sanitisation
> directly in io_uring_cancel_sqpoll and return for NULL value of
> current->io_uring.

Thanks applied - I augmented the commit message a bit.

-- 
Jens Axboe
* Re: [PATCH 5.13] io_uring: Check current->io_uring in io_uring_cancel_sqpoll
From: Pavel Begunkov
Date: 2021-04-27 17:00 UTC
To: Jens Axboe, Palash Oswal
Cc: dvyukov, io-uring, linux-kernel, oswalpalash, syzbot+be51ca5a4d97f017cd50, syzkaller-bugs, stable

On 4/27/21 2:37 PM, Jens Axboe wrote:
> On 4/27/21 6:51 AM, Palash Oswal wrote:
>> syzkaller identified KASAN: null-ptr-deref Write in
>> io_uring_cancel_sqpoll on v5.12
>>
>> io_uring_cancel_sqpoll is called by io_sq_thread before calling
>> io_uring_alloc_task_context. This leads to current->io_uring being
>> NULL. io_uring_cancel_sqpoll should not have to deal with threads
>> where current->io_uring is NULL.
>>
>> In order to cast a wider safety net, perform input sanitisation
>> directly in io_uring_cancel_sqpoll and return for NULL value of
>> current->io_uring.
>
> Thanks applied - I augmented the commit message a bit.

btw, does it fix the syz report replied to before? Should
syz fix or tag it if so.
Reported-by: syzbot+be51ca5a4d97f017cd50@syzkaller.appspotmail.com

-- 
Pavel Begunkov
* Re: [PATCH 5.13] io_uring: Check current->io_uring in io_uring_cancel_sqpoll
From: Jens Axboe
Date: 2021-04-27 17:00 UTC
To: Pavel Begunkov, Palash Oswal
Cc: dvyukov, io-uring, linux-kernel, oswalpalash, syzbot+be51ca5a4d97f017cd50, syzkaller-bugs, stable

On 4/27/21 11:00 AM, Pavel Begunkov wrote:
> On 4/27/21 2:37 PM, Jens Axboe wrote:
>> On 4/27/21 6:51 AM, Palash Oswal wrote:
>>> syzkaller identified KASAN: null-ptr-deref Write in
>>> io_uring_cancel_sqpoll on v5.12
>>>
>>> io_uring_cancel_sqpoll is called by io_sq_thread before calling
>>> io_uring_alloc_task_context. This leads to current->io_uring being
>>> NULL. io_uring_cancel_sqpoll should not have to deal with threads
>>> where current->io_uring is NULL.
>>>
>>> In order to cast a wider safety net, perform input sanitisation
>>> directly in io_uring_cancel_sqpoll and return for NULL value of
>>> current->io_uring.
>>
>> Thanks applied - I augmented the commit message a bit.
>
> btw, does it fix the syz report replied to before? Should
> syz fix or tag it if so.
> Reported-by: syzbot+be51ca5a4d97f017cd50@syzkaller.appspotmail.com

That tag was already there.

-- 
Jens Axboe
* Re: [PATCH 5.13] io_uring: Check current->io_uring in io_uring_cancel_sqpoll
From: Pavel Begunkov
Date: 2021-04-27 17:04 UTC
To: Jens Axboe, Palash Oswal
Cc: dvyukov, io-uring, linux-kernel, oswalpalash, syzbot+be51ca5a4d97f017cd50, syzkaller-bugs, stable

On 4/27/21 6:00 PM, Jens Axboe wrote:
> On 4/27/21 11:00 AM, Pavel Begunkov wrote:
>> On 4/27/21 2:37 PM, Jens Axboe wrote:
>>> On 4/27/21 6:51 AM, Palash Oswal wrote:
>>>> syzkaller identified KASAN: null-ptr-deref Write in
>>>> io_uring_cancel_sqpoll on v5.12
>>>>
>>>> io_uring_cancel_sqpoll is called by io_sq_thread before calling
>>>> io_uring_alloc_task_context. This leads to current->io_uring being
>>>> NULL. io_uring_cancel_sqpoll should not have to deal with threads
>>>> where current->io_uring is NULL.
>>>>
>>>> In order to cast a wider safety net, perform input sanitisation
>>>> directly in io_uring_cancel_sqpoll and return for NULL value of
>>>> current->io_uring.
>>>
>>> Thanks applied - I augmented the commit message a bit.
>>
>> btw, does it fix the syz report replied to before? Should
>> syz fix or tag it if so.
>> Reported-by: syzbot+be51ca5a4d97f017cd50@syzkaller.appspotmail.com
>
> That tag was already there.

Oh, right, missed it

-- 
Pavel Begunkov