public inbox for [email protected]
 help / color / mirror / Atom feed
* [PATCH 5.10 1/1] io_uring: fix double free in the deferred/cancelled path
@ 2021-10-27  8:01 Lee Jones
  2021-10-27  8:18 ` Greg KH
  0 siblings, 1 reply; 9+ messages in thread
From: Lee Jones @ 2021-10-27  8:01 UTC (permalink / raw)
  To: stable, axboe, asml.silence
  Cc: io-uring, Lee Jones, syzbot+59d8a1f4e60c20c066cf

792bb6eb86233 ("io_uring: don't take uring_lock during iowq cancel")
inadvertently fixed this issue in v5.12.  This patch cherry-picks the
hunk of commit which does so.

Syzbot vomit (snipped):

  ==================================================================
  BUG: KASAN: double-free or invalid-free in slab_free mm/slub.c:3195 [inline]
  BUG: KASAN: double-free or invalid-free in kfree+0xca/0x310 mm/slub.c:4183

  CPU: 1 PID: 431 Comm: syz-executor823 Not tainted 5.10.75-syzkaller-01082-g234d53d2bb60 #0
  Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
  Call Trace:
   __dump_stack lib/dump_stack.c:77 [inline]
   dump_stack_lvl+0x1e2/0x24b lib/dump_stack.c:118
   print_address_description+0x8d/0x3d0 mm/kasan/report.c:233
   kasan_report_invalid_free+0x58/0x130 mm/kasan/report.c:358
   ____kasan_slab_free+0x14b/0x170 mm/kasan/common.c:362
   __kasan_slab_free+0x11/0x20 mm/kasan/common.c:368
   kasan_slab_free include/linux/kasan.h:235 [inline]
   slab_free_hook mm/slub.c:1596 [inline]
   slab_free_freelist_hook+0xb2/0x180 mm/slub.c:1621
   slab_free mm/slub.c:3195 [inline]
   kfree+0xca/0x310 mm/slub.c:4183
   __io_queue_deferred fs/io_uring.c:1541 [inline]
   io_commit_cqring+0x76a/0xa00 fs/io_uring.c:1587
   io_iopoll_complete fs/io_uring.c:2378 [inline]
   io_do_iopoll+0x1e18/0x23f0 fs/io_uring.c:2431
   io_iopoll_try_reap_events+0x116/0x290 fs/io_uring.c:2470
   io_ring_ctx_wait_and_kill+0x295/0x670 fs/io_uring.c:8575
   io_uring_release+0x5b/0x70 fs/io_uring.c:8602
   __fput+0x348/0x7d0 fs/file_table.c:281
   ____fput+0x15/0x20 fs/file_table.c:314
   task_work_run+0x147/0x1b0 kernel/task_work.c:154
   exit_task_work include/linux/task_work.h:30 [inline]
   do_exit+0x70e/0x23a0 kernel/exit.c:813
   do_group_exit+0x16a/0x2d0 kernel/exit.c:910
   __do_sys_exit_group+0x17/0x20 kernel/exit.c:921
   __se_sys_exit_group+0x14/0x20 kernel/exit.c:919
   __x64_sys_exit_group+0x3b/0x40 kernel/exit.c:919
   do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
   entry_SYSCALL_64_after_hwframe+0x44/0xa9

Cc: stable <[email protected]> # 5.10.x
Reported-by: [email protected]
Signed-off-by: Lee Jones <[email protected]>
---
 fs/io_uring.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 26753d0cb4312..361f8ae96c36f 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -2075,7 +2075,9 @@ static void io_req_task_cancel(struct callback_head *cb)
 	struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
 	struct io_ring_ctx *ctx = req->ctx;
 
+	mutex_lock(&ctx->uring_lock);
 	__io_req_task_cancel(req, -ECANCELED);
+	mutex_unlock(&ctx->uring_lock);
 	percpu_ref_put(&ctx->refs);
 }
 
-- 
2.33.0.1079.g6e70778dc9-goog


^ permalink raw reply related	[flat|nested] 9+ messages in thread

* Re: [PATCH 5.10 1/1] io_uring: fix double free in the deferred/cancelled path
  2021-10-27  8:01 [PATCH 5.10 1/1] io_uring: fix double free in the deferred/cancelled path Lee Jones
@ 2021-10-27  8:18 ` Greg KH
  2021-10-27  8:37   ` Lee Jones
  0 siblings, 1 reply; 9+ messages in thread
From: Greg KH @ 2021-10-27  8:18 UTC (permalink / raw)
  To: Lee Jones
  Cc: stable, axboe, asml.silence, io-uring,
	syzbot+59d8a1f4e60c20c066cf

On Wed, Oct 27, 2021 at 09:01:28AM +0100, Lee Jones wrote:
> 792bb6eb86233 ("io_uring: don't take uring_lock during iowq cancel")
> inadvertently fixed this issue in v5.12.  This patch cherry-picks the
> hunk of commit which does so.

Why can't we take all of that commit?  Why only part of it?

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH 5.10 1/1] io_uring: fix double free in the deferred/cancelled path
  2021-10-27  8:18 ` Greg KH
@ 2021-10-27  8:37   ` Lee Jones
  2021-10-27  8:53     ` Greg KH
  0 siblings, 1 reply; 9+ messages in thread
From: Lee Jones @ 2021-10-27  8:37 UTC (permalink / raw)
  To: Greg KH; +Cc: stable, axboe, asml.silence, io-uring,
	syzbot+59d8a1f4e60c20c066cf

On Wed, 27 Oct 2021, Greg KH wrote:

> On Wed, Oct 27, 2021 at 09:01:28AM +0100, Lee Jones wrote:
> > 792bb6eb86233 ("io_uring: don't take uring_lock during iowq cancel")
> > inadvertently fixed this issue in v5.12.  This patch cherry-picks the
> > hunk of commit which does so.
> 
> Why can't we take all of that commit?  Why only part of it?

I don't know.

Why didn't the Stable team take it further than v5.11.y?

-- 
Lee Jones [李琼斯]
Senior Technical Lead - Developer Services
Linaro.org │ Open source software for Arm SoCs
Follow Linaro: Facebook | Twitter | Blog

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH 5.10 1/1] io_uring: fix double free in the deferred/cancelled path
  2021-10-27  8:37   ` Lee Jones
@ 2021-10-27  8:53     ` Greg KH
  2021-10-27  9:03       ` Lee Jones
  0 siblings, 1 reply; 9+ messages in thread
From: Greg KH @ 2021-10-27  8:53 UTC (permalink / raw)
  To: Lee Jones
  Cc: stable, axboe, asml.silence, io-uring,
	syzbot+59d8a1f4e60c20c066cf

On Wed, Oct 27, 2021 at 09:37:59AM +0100, Lee Jones wrote:
> On Wed, 27 Oct 2021, Greg KH wrote:
> 
> > On Wed, Oct 27, 2021 at 09:01:28AM +0100, Lee Jones wrote:
> > > 792bb6eb86233 ("io_uring: don't take uring_lock during iowq cancel")
> > > inadvertently fixed this issue in v5.12.  This patch cherry-picks the
> > > hunk of commit which does so.
> > 
> > Why can't we take all of that commit?  Why only part of it?
> 
> I don't know.
> 
> Why didn't the Stable team take it further than v5.11.y?

Look in the archives?  Did it not apply cleanly?

/me goes off and looks...

Looks like I asked for a backport, but no one did it, I only received a
5.11 version:
	https://lore.kernel.org/r/1839646480a26a2461eccc38a75e98998d2d6e11.1615375332.git.asml.silence@gmail.com

so a 5.10 version would be nice, as I said it failed as-is:
	https://lore.kernel.org/all/[email protected]/

lore archives are your friend :)

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH 5.10 1/1] io_uring: fix double free in the deferred/cancelled path
  2021-10-27  8:53     ` Greg KH
@ 2021-10-27  9:03       ` Lee Jones
  2021-10-27 12:46         ` Greg KH
  0 siblings, 1 reply; 9+ messages in thread
From: Lee Jones @ 2021-10-27  9:03 UTC (permalink / raw)
  To: Greg KH; +Cc: stable, axboe, asml.silence, io-uring,
	syzbot+59d8a1f4e60c20c066cf

On Wed, 27 Oct 2021, Greg KH wrote:

> On Wed, Oct 27, 2021 at 09:37:59AM +0100, Lee Jones wrote:
> > On Wed, 27 Oct 2021, Greg KH wrote:
> > 
> > > On Wed, Oct 27, 2021 at 09:01:28AM +0100, Lee Jones wrote:
> > > > 792bb6eb86233 ("io_uring: don't take uring_lock during iowq cancel")
> > > > inadvertently fixed this issue in v5.12.  This patch cherry-picks the
> > > > hunk of commit which does so.
> > > 
> > > Why can't we take all of that commit?  Why only part of it?
> > 
> > I don't know.
> > 
> > Why didn't the Stable team take it further than v5.11.y?
> 
> Look in the archives?  Did it not apply cleanly?
> 
> /me goes off and looks...
> 
> Looks like I asked for a backport, but no one did it, I only received a
> 5.11 version:
> 	https://lore.kernel.org/r/1839646480a26a2461eccc38a75e98998d2d6e11.1615375332.git.asml.silence@gmail.com
> 
> so a 5.10 version would be nice, as I said it failed as-is:
> 	https://lore.kernel.org/all/[email protected]/

Precisely.  This is the answer to your question:

  > > > Why can't we take all of that commit?  Why only part of it?

Same reason the Stable team didn't back-port it - it doesn't apply.

The second hunk is only relevant to v5.11+.

-- 
Lee Jones [李琼斯]
Senior Technical Lead - Developer Services
Linaro.org │ Open source software for Arm SoCs
Follow Linaro: Facebook | Twitter | Blog

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH 5.10 1/1] io_uring: fix double free in the deferred/cancelled path
  2021-10-27  9:03       ` Lee Jones
@ 2021-10-27 12:46         ` Greg KH
  2021-10-27 14:00           ` Lee Jones
  0 siblings, 1 reply; 9+ messages in thread
From: Greg KH @ 2021-10-27 12:46 UTC (permalink / raw)
  To: Lee Jones
  Cc: stable, axboe, asml.silence, io-uring,
	syzbot+59d8a1f4e60c20c066cf

On Wed, Oct 27, 2021 at 10:03:01AM +0100, Lee Jones wrote:
> On Wed, 27 Oct 2021, Greg KH wrote:
> 
> > On Wed, Oct 27, 2021 at 09:37:59AM +0100, Lee Jones wrote:
> > > On Wed, 27 Oct 2021, Greg KH wrote:
> > > 
> > > > On Wed, Oct 27, 2021 at 09:01:28AM +0100, Lee Jones wrote:
> > > > > 792bb6eb86233 ("io_uring: don't take uring_lock during iowq cancel")
> > > > > inadvertently fixed this issue in v5.12.  This patch cherry-picks the
> > > > > hunk of commit which does so.
> > > > 
> > > > Why can't we take all of that commit?  Why only part of it?
> > > 
> > > I don't know.
> > > 
> > > Why didn't the Stable team take it further than v5.11.y?
> > 
> > Look in the archives?  Did it not apply cleanly?
> > 
> > /me goes off and looks...
> > 
> > Looks like I asked for a backport, but no one did it, I only received a
> > 5.11 version:
> > 	https://lore.kernel.org/r/1839646480a26a2461eccc38a75e98998d2d6e11.1615375332.git.asml.silence@gmail.com
> > 
> > so a 5.10 version would be nice, as I said it failed as-is:
> > 	https://lore.kernel.org/all/[email protected]/
> 
> Precisely.  This is the answer to your question:
> 
>   > > > Why can't we take all of that commit?  Why only part of it?
> 
> Same reason the Stable team didn't back-port it - it doesn't apply.
> 
> The second hunk is only relevant to v5.11+.

Great, then use the "normal" stable style, but down in the s-o-b area
say "dropped second chunk as it is not relevant to 5.10.y".

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH 5.10 1/1] io_uring: fix double free in the deferred/cancelled path
  2021-10-27 12:46         ` Greg KH
@ 2021-10-27 14:00           ` Lee Jones
  2021-10-27 14:38             ` Greg KH
  0 siblings, 1 reply; 9+ messages in thread
From: Lee Jones @ 2021-10-27 14:00 UTC (permalink / raw)
  To: Greg KH; +Cc: stable, axboe, asml.silence, io-uring,
	syzbot+59d8a1f4e60c20c066cf

On Wed, 27 Oct 2021, Greg KH wrote:

> On Wed, Oct 27, 2021 at 10:03:01AM +0100, Lee Jones wrote:
> > On Wed, 27 Oct 2021, Greg KH wrote:
> > 
> > > On Wed, Oct 27, 2021 at 09:37:59AM +0100, Lee Jones wrote:
> > > > On Wed, 27 Oct 2021, Greg KH wrote:
> > > > 
> > > > > On Wed, Oct 27, 2021 at 09:01:28AM +0100, Lee Jones wrote:
> > > > > > 792bb6eb86233 ("io_uring: don't take uring_lock during iowq cancel")
> > > > > > inadvertently fixed this issue in v5.12.  This patch cherry-picks the
> > > > > > hunk of commit which does so.
> > > > > 
> > > > > Why can't we take all of that commit?  Why only part of it?
> > > > 
> > > > I don't know.
> > > > 
> > > > Why didn't the Stable team take it further than v5.11.y?
> > > 
> > > Look in the archives?  Did it not apply cleanly?
> > > 
> > > /me goes off and looks...
> > > 
> > > Looks like I asked for a backport, but no one did it, I only received a
> > > 5.11 version:
> > > 	https://lore.kernel.org/r/1839646480a26a2461eccc38a75e98998d2d6e11.1615375332.git.asml.silence@gmail.com
> > > 
> > > so a 5.10 version would be nice, as I said it failed as-is:
> > > 	https://lore.kernel.org/all/[email protected]/
> > 
> > Precisely.  This is the answer to your question:
> > 
> >   > > > Why can't we take all of that commit?  Why only part of it?
> > 
> > Same reason the Stable team didn't back-port it - it doesn't apply.
> > 
> > The second hunk is only relevant to v5.11+.
> 
> Great, then use the "normal" stable style, but down in the s-o-b area
> say "dropped second chunk as it is not relevant to 5.10.y".

Just to clarify, by "normal", you mean:

 - Take the original patch
 - Apply an "[ Upstream commit <id> ]" tag (or similar)
 - Remove the hunk that doesn't apply
 - Make a note of the aforementioned action
 - Submit to Stable

Rather than submitting a bespoke patch.  Right?

-- 
Lee Jones [李琼斯]
Senior Technical Lead - Developer Services
Linaro.org │ Open source software for Arm SoCs
Follow Linaro: Facebook | Twitter | Blog

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH 5.10 1/1] io_uring: fix double free in the deferred/cancelled path
  2021-10-27 14:00           ` Lee Jones
@ 2021-10-27 14:38             ` Greg KH
  2021-10-27 14:42               ` Lee Jones
  0 siblings, 1 reply; 9+ messages in thread
From: Greg KH @ 2021-10-27 14:38 UTC (permalink / raw)
  To: Lee Jones
  Cc: stable, axboe, asml.silence, io-uring,
	syzbot+59d8a1f4e60c20c066cf

On Wed, Oct 27, 2021 at 03:00:20PM +0100, Lee Jones wrote:
> On Wed, 27 Oct 2021, Greg KH wrote:
> 
> > On Wed, Oct 27, 2021 at 10:03:01AM +0100, Lee Jones wrote:
> > > On Wed, 27 Oct 2021, Greg KH wrote:
> > > 
> > > > On Wed, Oct 27, 2021 at 09:37:59AM +0100, Lee Jones wrote:
> > > > > On Wed, 27 Oct 2021, Greg KH wrote:
> > > > > 
> > > > > > On Wed, Oct 27, 2021 at 09:01:28AM +0100, Lee Jones wrote:
> > > > > > > 792bb6eb86233 ("io_uring: don't take uring_lock during iowq cancel")
> > > > > > > inadvertently fixed this issue in v5.12.  This patch cherry-picks the
> > > > > > > hunk of commit which does so.
> > > > > > 
> > > > > > Why can't we take all of that commit?  Why only part of it?
> > > > > 
> > > > > I don't know.
> > > > > 
> > > > > Why didn't the Stable team take it further than v5.11.y?
> > > > 
> > > > Look in the archives?  Did it not apply cleanly?
> > > > 
> > > > /me goes off and looks...
> > > > 
> > > > Looks like I asked for a backport, but no one did it, I only received a
> > > > 5.11 version:
> > > > 	https://lore.kernel.org/r/1839646480a26a2461eccc38a75e98998d2d6e11.1615375332.git.asml.silence@gmail.com
> > > > 
> > > > so a 5.10 version would be nice, as I said it failed as-is:
> > > > 	https://lore.kernel.org/all/[email protected]/
> > > 
> > > Precisely.  This is the answer to your question:
> > > 
> > >   > > > Why can't we take all of that commit?  Why only part of it?
> > > 
> > > Same reason the Stable team didn't back-port it - it doesn't apply.
> > > 
> > > The second hunk is only relevant to v5.11+.
> > 
> > Great, then use the "normal" stable style, but down in the s-o-b area
> > say "dropped second chunk as it is not relevant to 5.10.y".
> 
> Just to clarify, by "normal", you mean:
> 
>  - Take the original patch
>  - Apply an "[ Upstream commit <id> ]" tag (or similar)
>  - Remove the hunk that doesn't apply
>  - Make a note of the aforementioned action
>  - Submit to Stable

Yes.

> Rather than submitting a bespoke patch.  Right?

Correct.

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH 5.10 1/1] io_uring: fix double free in the deferred/cancelled path
  2021-10-27 14:38             ` Greg KH
@ 2021-10-27 14:42               ` Lee Jones
  0 siblings, 0 replies; 9+ messages in thread
From: Lee Jones @ 2021-10-27 14:42 UTC (permalink / raw)
  To: Greg KH; +Cc: stable, axboe, asml.silence, io-uring,
	syzbot+59d8a1f4e60c20c066cf

On Wed, 27 Oct 2021, Greg KH wrote:

> On Wed, Oct 27, 2021 at 03:00:20PM +0100, Lee Jones wrote:
> > On Wed, 27 Oct 2021, Greg KH wrote:
> > 
> > > On Wed, Oct 27, 2021 at 10:03:01AM +0100, Lee Jones wrote:
> > > > On Wed, 27 Oct 2021, Greg KH wrote:
> > > > 
> > > > > On Wed, Oct 27, 2021 at 09:37:59AM +0100, Lee Jones wrote:
> > > > > > On Wed, 27 Oct 2021, Greg KH wrote:
> > > > > > 
> > > > > > > On Wed, Oct 27, 2021 at 09:01:28AM +0100, Lee Jones wrote:
> > > > > > > > 792bb6eb86233 ("io_uring: don't take uring_lock during iowq cancel")
> > > > > > > > inadvertently fixed this issue in v5.12.  This patch cherry-picks the
> > > > > > > > hunk of commit which does so.
> > > > > > > 
> > > > > > > Why can't we take all of that commit?  Why only part of it?
> > > > > > 
> > > > > > I don't know.
> > > > > > 
> > > > > > Why didn't the Stable team take it further than v5.11.y?
> > > > > 
> > > > > Look in the archives?  Did it not apply cleanly?
> > > > > 
> > > > > /me goes off and looks...
> > > > > 
> > > > > Looks like I asked for a backport, but no one did it, I only received a
> > > > > 5.11 version:
> > > > > 	https://lore.kernel.org/r/1839646480a26a2461eccc38a75e98998d2d6e11.1615375332.git.asml.silence@gmail.com
> > > > > 
> > > > > so a 5.10 version would be nice, as I said it failed as-is:
> > > > > 	https://lore.kernel.org/all/[email protected]/
> > > > 
> > > > Precisely.  This is the answer to your question:
> > > > 
> > > >   > > > Why can't we take all of that commit?  Why only part of it?
> > > > 
> > > > Same reason the Stable team didn't back-port it - it doesn't apply.
> > > > 
> > > > The second hunk is only relevant to v5.11+.
> > > 
> > > Great, then use the "normal" stable style, but down in the s-o-b area
> > > say "dropped second chunk as it is not relevant to 5.10.y".
> > 
> > Just to clarify, by "normal", you mean:
> > 
> >  - Take the original patch
> >  - Apply an "[ Upstream commit <id> ]" tag (or similar)
> >  - Remove the hunk that doesn't apply
> >  - Make a note of the aforementioned action
> >  - Submit to Stable
> 
> Yes.
> 
> > Rather than submitting a bespoke patch.  Right?
> 
> Correct.

Got it, thanks.  Wilco.

-- 
Lee Jones [李琼斯]
Senior Technical Lead - Developer Services
Linaro.org │ Open source software for Arm SoCs
Follow Linaro: Facebook | Twitter | Blog

^ permalink raw reply	[flat|nested] 9+ messages in thread

end of thread, other threads:[~2021-10-27 14:42 UTC | newest]

Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-10-27  8:01 [PATCH 5.10 1/1] io_uring: fix double free in the deferred/cancelled path Lee Jones
2021-10-27  8:18 ` Greg KH
2021-10-27  8:37   ` Lee Jones
2021-10-27  8:53     ` Greg KH
2021-10-27  9:03       ` Lee Jones
2021-10-27 12:46         ` Greg KH
2021-10-27 14:00           ` Lee Jones
2021-10-27 14:38             ` Greg KH
2021-10-27 14:42               ` Lee Jones

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox