From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Jens Axboe , syzbot+f8e9a371388aa62ecab4@syzkaller.appspotmail.com, Sasha Levin , io-uring@vger.kernel.org Subject: [PATCH AUTOSEL 6.1 13/15] io_uring: clear opcode specific data for an early failure Date: Wed, 3 Apr 2024 13:18:57 -0400 Message-ID: <20240403171909.345570-13-sashal@kernel.org> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240403171909.345570-1-sashal@kernel.org> References: <20240403171909.345570-1-sashal@kernel.org> Precedence: bulk X-Mailing-List: io-uring@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore X-stable-base: Linux 6.1.84 Content-Transfer-Encoding: 8bit From: Jens Axboe [ Upstream commit e21e1c45e1fe2e31732f40256b49c04e76a17cee ] If failure happens before the opcode prep handler is called, ensure that we clear the opcode specific area of the request, which holds data specific to that request type. This prevents errors where opcode handlers either don't get to clear per-request private data since prep isn't even called. Reported-and-tested-by: syzbot+f8e9a371388aa62ecab4@syzkaller.appspotmail.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin --- io_uring/io_uring.c | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index 35894955b4549..493b5708c662b 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -1992,6 +1992,13 @@ static void io_init_req_drain(struct io_kiocb *req) } } +static __cold int io_init_fail_req(struct io_kiocb *req, int err) +{ + /* ensure per-opcode data is cleared if we fail before prep */ + memset(&req->cmd.data, 0, sizeof(req->cmd.data)); + return err; +} + static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, const struct io_uring_sqe *sqe) __must_hold(&ctx->uring_lock)
@@ -2012,29 +2019,29 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, if (unlikely(opcode >= IORING_OP_LAST)) { req->opcode = 0; - return -EINVAL; + return io_init_fail_req(req, -EINVAL); } def = &io_op_defs[opcode]; if (unlikely(sqe_flags & ~SQE_COMMON_FLAGS)) { /* enforce forwards compatibility on users */ if (sqe_flags & ~SQE_VALID_FLAGS) - return -EINVAL; + return io_init_fail_req(req, -EINVAL); if (sqe_flags & IOSQE_BUFFER_SELECT) { if (!def->buffer_select) - return -EOPNOTSUPP; + return io_init_fail_req(req, -EOPNOTSUPP); req->buf_index = READ_ONCE(sqe->buf_group); } if (sqe_flags & IOSQE_CQE_SKIP_SUCCESS) ctx->drain_disabled = true; if (sqe_flags & IOSQE_IO_DRAIN) { if (ctx->drain_disabled) - return -EOPNOTSUPP; + return io_init_fail_req(req, -EOPNOTSUPP); io_init_req_drain(req); } } if (unlikely(ctx->restricted || ctx->drain_active || ctx->drain_next)) { if (ctx->restricted && !io_check_restriction(ctx, req, sqe_flags)) - return -EACCES; + return io_init_fail_req(req, -EACCES); /* knock it to the slow queue path, will be drained there */ if (ctx->drain_active) req->flags |= REQ_F_FORCE_ASYNC; @@ -2047,9 +2054,9 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, } if (!def->ioprio && sqe->ioprio) - return -EINVAL; + return io_init_fail_req(req, -EINVAL); if (!def->iopoll && (ctx->flags & IORING_SETUP_IOPOLL)) - return -EINVAL; + return io_init_fail_req(req, -EINVAL); if (def->needs_file) { struct io_submit_state *state = &ctx->submit_state; @@ -2073,12 +2080,12 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, req->creds = xa_load(&ctx->personalities, personality); if (!req->creds) - return -EINVAL; + return io_init_fail_req(req, -EINVAL); get_cred(req->creds); ret = security_uring_override_creds(req->creds); if (ret) { put_cred(req->creds); - return ret; + return io_init_fail_req(req, ret); } req->flags |= REQ_F_CREDS; } -- 2.43.0
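Review bot: In the first hunk (the new io_init_fail_req helper at line 1992), the only precondition is carried by the comment "if we fail before prep"; it would be worth stating in the comment, or in the function name, that the helper must never be used for a failure after the opcode prep handler has run, since by then the opcode-specific area may hold state that prep expects its own teardown to release, and a blind memset would hide that rather than fix it. Also note that the helper zeroes only req->cmd.data, so any other per-request field that a later failure path leaves set is not covered; the call sites in the following hunks should be read with that in mind.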
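Review bot: In the second hunk (io_init_req, lines 2019-2047), req->buf_index = READ_ONCE(sqe->buf_group) is written in the IOSQE_BUFFER_SELECT branch before several of the converted failure returns (the drain_disabled -EOPNOTSUPP and the restriction -EACCES cases), and io_init_fail_req clears only req->cmd.data, so buf_index stays populated on those failures. If a stale buf_index on a failed request is harmless because the request is completed without ever reaching a handler, a one-line comment at the first converted return saying so would save the next reader the same check; if it is not harmless, the helper is the natural place to reset it.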
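Review bot: The third hunk (lines 2054-2062) converts the ioprio and iopoll -EINVAL returns, but the hunk ends at the start of the def->needs_file block and the next hunk resumes at line 2080, so roughly twenty lines of io_init_req are not shown. Please confirm that no early return in that elided range (the file lookup under needs_file in particular) still returns a bare errno; a single missed path would leave exactly the uninitialised opcode data the commit message describes.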
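Review bot: In the fourth hunk (personality handling, lines 2080-2091), the security_uring_override_creds failure path does put_cred(req->creds) and then returns io_init_fail_req(req, ret) while req->creds still points at the dropped reference; REQ_F_CREDS is only set after this point, so nothing should consume it, but since this change is specifically about not leaving stale per-request state on early failure, setting req->creds = NULL before the return (or having the helper do it) would make that invariant explicit rather than implied by flag ordering.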