public inbox for [email protected]
 help / color / mirror / Atom feed
From: Tadeusz Struk <[email protected]>
To: Jens Axboe <[email protected]>
Cc: Alexander Viro <[email protected]>,
	[email protected], [email protected],
	[email protected], [email protected],
	[email protected]
Subject: Re: [PATCH] io_uring: prevent io_put_identity() from freeing a static identity
Date: Thu, 3 Feb 2022 11:34:17 -0800	[thread overview]
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>

On 12/15/21 12:27, Tadeusz Struk wrote:
> On 11/15/21 08:38, Tadeusz Struk wrote:
>> On 11/3/21 18:21, Tadeusz Struk wrote:
>>> Note: this applies to 5.10 stable only. It doesn't trigger on anything
>>> above 5.10 as the code there has been substantially reworked. This also
>>> doesn't apply to any stable kernel below 5.10 afaict.
>>>
>>> Syzbot found a bug: KASAN: invalid-free in io_dismantle_req
>>> https://syzkaller.appspot.com/bug?id=123d9a852fc88ba573ffcb2dbcf4f9576c3b0559
>>>
>>> The test submits bunch of io_uring writes and exits, which then triggers
>>> uring_task_cancel() and io_put_identity(), which in some corner cases,
>>> tries to free a static identity. This causes a panic as shown in the
>>> trace below:
>>>
>>>   BUG: KASAN: double-free or invalid-free in kfree+0xd5/0x310
>>>   CPU: 0 PID: 4618 Comm: repro Not tainted 5.10.76-05281-g4944ec82ebb9-dirty #17
>>>   Call Trace:
>>>    dump_stack_lvl+0x1b2/0x21b
>>>    print_address_description+0x8d/0x3b0
>>>    kasan_report_invalid_free+0x58/0x130
>>>    ____kasan_slab_free+0x14b/0x170
>>>    __kasan_slab_free+0x11/0x20
>>>    slab_free_freelist_hook+0xcc/0x1a0
>>>    kfree+0xd5/0x310
>>>    io_dismantle_req+0x9b0/0xd90
>>>    io_do_iopoll+0x13a4/0x23e0
>>>    io_iopoll_try_reap_events+0x116/0x290
>>>    io_uring_cancel_task_requests+0x197d/0x1ee0
>>>    io_uring_flush+0x170/0x6d0
>>>    filp_close+0xb0/0x150
>>>    put_files_struct+0x1d4/0x350
>>>    exit_files+0x80/0xa0
>>>    do_exit+0x6d9/0x2390
>>>    do_group_exit+0x16a/0x2d0
>>>    get_signal+0x133e/0x1f80
>>>    arch_do_signal+0x7b/0x610
>>>    exit_to_user_mode_prepare+0xaa/0xe0
>>>    syscall_exit_to_user_mode+0x24/0x40
>>>    do_syscall_64+0x3d/0x70
>>>    entry_SYSCALL_64_after_hwframe+0x44/0xa9
>>>
>>>   Allocated by task 4611:
>>>    ____kasan_kmalloc+0xcd/0x100
>>>    __kasan_kmalloc+0x9/0x10
>>>    kmem_cache_alloc_trace+0x208/0x390
>>>    io_uring_alloc_task_context+0x57/0x550
>>>    io_uring_add_task_file+0x1f7/0x290
>>>    io_uring_create+0x2195/0x3490
>>>    __x64_sys_io_uring_setup+0x1bf/0x280
>>>    do_syscall_64+0x31/0x70
>>>    entry_SYSCALL_64_after_hwframe+0x44/0xa9
>>>
>>>   The buggy address belongs to the object at ffff88810732b500
>>>    which belongs to the cache kmalloc-192 of size 192
>>>   The buggy address is located 88 bytes inside of
>>>    192-byte region [ffff88810732b500, ffff88810732b5c0)
>>>   Kernel panic - not syncing: panic_on_warn set ...
>>>
>>> This issue bisected to this commit:
>>> commit 186725a80c4e ("io_uring: fix skipping disabling sqo on exec")
>>>
>>> Simple reverting the offending commit doesn't work as it hits some
>>> other, related issues like:
>>>
>>> /* sqo_dead check is for when this happens after cancellation */
>>> WARN_ON_ONCE(ctx->sqo_task == current && !ctx->sqo_dead &&
>>>          !xa_load(&tctx->xa, (unsigned long)file));
>>>
>>>   ------------[ cut here ]------------
>>>   WARNING: CPU: 1 PID: 5622 at fs/io_uring.c:8960 io_uring_flush+0x5bc/0x6d0
>>>   Modules linked in:
>>>   CPU: 1 PID: 5622 Comm: repro Not tainted 5.10.76-05281-g4944ec82ebb9-dirty #16
>>>   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-6.fc35 
>>> 04/01/2014
>>>   RIP: 0010:io_uring_flush+0x5bc/0x6d0
>>>   Call Trace:
>>>   filp_close+0xb0/0x150
>>>   put_files_struct+0x1d4/0x350
>>>   reset_files_struct+0x88/0xa0
>>>   bprm_execve+0x7f2/0x9f0
>>>   do_execveat_common+0x46f/0x5d0
>>>   __x64_sys_execve+0x92/0xb0
>>>   do_syscall_64+0x31/0x70
>>>   entry_SYSCALL_64_after_hwframe+0x44/0xa9
>>>
>>> Changing __io_uring_task_cancel() to call io_disable_sqo_submit() directly,
>>> as the comment suggests, only if __io_uring_files_cancel() is not executed
>>> seems to fix the issue.
>>>
>>> Cc: Jens Axboe <[email protected]>
>>> Cc: Alexander Viro <[email protected]>
>>> Cc: <[email protected]>
>>> Cc: <[email protected]>
>>> Cc: <[email protected]>
>>> Cc: <[email protected]>
>>> Reported-by: [email protected]
>>> Signed-off-by: Tadeusz Struk <[email protected]>
>>> ---
>>>   fs/io_uring.c | 21 +++++++++++++++++----
>>>   1 file changed, 17 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/fs/io_uring.c b/fs/io_uring.c
>>> index 0736487165da..fcf9ffe9b209 100644
>>> --- a/fs/io_uring.c
>>> +++ b/fs/io_uring.c
>>> @@ -8882,20 +8882,18 @@ void __io_uring_task_cancel(void)
>>>       struct io_uring_task *tctx = current->io_uring;
>>>       DEFINE_WAIT(wait);
>>>       s64 inflight;
>>> +    int canceled = 0;
>>>       /* make sure overflow events are dropped */
>>>       atomic_inc(&tctx->in_idle);
>>> -    /* trigger io_disable_sqo_submit() */
>>> -    if (tctx->sqpoll)
>>> -        __io_uring_files_cancel(NULL);
>>> -
>>>       do {
>>>           /* read completions before cancelations */
>>>           inflight = tctx_inflight(tctx);
>>>           if (!inflight)
>>>               break;
>>>           __io_uring_files_cancel(NULL);
>>> +        canceled = 1;
>>>           prepare_to_wait(&tctx->wait, &wait, TASK_UNINTERRUPTIBLE);
>>> @@ -8909,6 +8907,21 @@ void __io_uring_task_cancel(void)
>>>           finish_wait(&tctx->wait, &wait);
>>>       } while (1);
>>> +    /*
>>> +     * trigger io_disable_sqo_submit()
>>> +     * if not already done by __io_uring_files_cancel()
>>> +     */
>>> +    if (tctx->sqpoll && !canceled) {
>>> +        struct file *file;
>>> +        unsigned long index;
>>> +
>>> +        xa_for_each(&tctx->xa, index, file) {
>>> +            struct io_ring_ctx *ctx = file->private_data;
>>> +
>>> +            io_disable_sqo_submit(ctx);
>>> +        }
>>> +    }
>>> +
>>>       atomic_dec(&tctx->in_idle);
>>>       io_uring_remove_task_files(tctx);
>>>
>>
>> Hi,
>> Any comments on this one? It needs to be ACK'ed by the maintainer before
>> it is applied to 5.10 stable.
>>
> 
> This still triggers on 5.10.85. Anyone want to have a look?
> 

Any last call? Nobody cares about 5.10 anymore?

-- 
Thanks,
Tadeusz

      reply	other threads:[~2022-02-03 19:34 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-11-04  1:21 [PATCH] io_uring: prevent io_put_identity() from freeing a static identity Tadeusz Struk
2021-11-15 16:38 ` Tadeusz Struk
2021-12-15 20:27   ` Tadeusz Struk
2022-02-03 19:34     ` Tadeusz Struk [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox