Subject: Re: [PATCH] fs/io_uring.c: fix null ptr dereference in io_send_recvmsg()
To: xiao lin
Cc: Pavel Begunkov, "linux-block@vger.kernel.org", io-uring
References: <20200804125637.GA22088@ubuntu> <701640d6-fa20-0b38-f86b-b1eff07597dd@gmail.com> <0350a653-8a3e-2e09-c7fc-15fcea727d8a@kernel.dk>
From: Jens Axboe
Date: Tue, 4 Aug 2020 11:15:17 -0600

On 8/4/20 11:02 AM, xiao lin wrote:
> On Tuesday, 4 August 2020, Jens Axboe wrote:
>
> On 8/4/20 7:18 AM, Pavel Begunkov wrote:
> > On 04/08/2020 15:56, Liu Yong wrote:
> >> In io_send_recvmsg(), there is no check for the req->file.
> >> User can change the opcode from IORING_OP_NOP to IORING_OP_SENDMSG
> >> through competition after the io_req_set_file().
> >
> > After sqe->opcode is read and copied in io_init_req(), it only uses
> > in-kernel req->opcode. Also, io_init_req() should check for req->file
> > NULL, so shouldn't happen after.
> >
> > Do you have a reproducer? What kernel version did you use?
>
> Was looking at this too, and I'm guessing this is some 5.4 based kernel.
> Unfortunately the oops doesn't include that information.
>
> Sorry, I forgot to mention that the kernel version I am using is 5.4.55.

I think there are two options here:

1) Backport the series that ensured we only read those important bits once
2) Make s->sqe a full sqe, and memcpy it in

-- 
Jens Axboe
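A constructed C model of the double-fetch that Jens's two options address, added here as an illustration; it is not code from this thread or from io_uring. The `struct sqe`/`struct req` stand-ins, `racing_user_write` and `demo` are assumptions: the unsafe path reads the opcode from the shared entry once to decide whether a file is needed and again to dispatch, while the hardened path copies the entry once and uses only the private copy.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for the shared submission entry and the kernel-side
 * request; they are not the io_uring structures. */
enum { OP_NOP = 0, OP_SENDMSG = 1 };
struct sqe { uint8_t opcode; uint8_t flags; };
struct req { uint8_t opcode; int has_file; };

/* Simulated concurrent writer: userspace rewrites the opcode in the shared
 * ring between the two kernel reads when race is set. */
static void racing_user_write(struct sqe *shared, int race)
{
    if (race)
        shared->opcode = OP_SENDMSG;
}

/* Unsafe pattern: the opcode is fetched from shared memory twice.
 * Returns 1 if the handler would dispatch SENDMSG with no file attached
 * (the NULL file dereference described in the report), 0 otherwise. */
static int submit_double_fetch(struct sqe *shared, int race)
{
    struct req r = {0};
    r.has_file = (shared->opcode != OP_NOP);   /* first fetch: NOP needs no file */
    racing_user_write(shared, race);
    r.opcode = shared->opcode;                 /* second fetch: may disagree */
    return (r.opcode == OP_SENDMSG && !r.has_file);
}

/* Hardened pattern (Jens's second option): memcpy the whole entry once and
 * derive every later decision from the private copy. */
static int submit_single_fetch(struct sqe *shared, int race)
{
    struct sqe local;
    struct req r = {0};
    memcpy(&local, shared, sizeof(local));
    r.opcode = local.opcode;
    r.has_file = (local.opcode != OP_NOP);
    racing_user_write(shared, race);           /* too late to affect the copy */
    return (r.opcode == OP_SENDMSG && !r.has_file);
}

/* Driver: start from a NOP entry and optionally race it to SENDMSG. */
static int demo(int hardened, int race)
{
    struct sqe shared = { OP_NOP, 0 };
    return hardened ? submit_single_fetch(&shared, race)
                    : submit_double_fetch(&shared, race);
}
```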