public inbox for [email protected]
* [RFC] Patch for null-ptr-deref read in io_uring_create 5.11.12
@ 2021-04-17  7:56 Palash Oswal
  2021-04-19 10:33 ` Pavel Begunkov
  0 siblings, 1 reply; 4+ messages in thread
From: Palash Oswal @ 2021-04-17  7:56 UTC (permalink / raw)
  To: axboe, io-uring, Pavel Begunkov

Hello,

I have been trying to decipher a bug that my local syzkaller instance
discovered in the v5.11.12 stable tree. I have more details in [1].
Could someone please review?

[1] https://oswalpalash.com/exploring-null-ptr-deref-io-uring-submit/
Signed-off-by: Palash Oswal <[email protected]>
---
 fs/io_uring.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 8b4213de9e08..00b35079b91a 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -8995,7 +8995,7 @@ static void io_disable_sqo_submit(struct io_ring_ctx *ctx)
 {
     mutex_lock(&ctx->uring_lock);
     ctx->sqo_dead = 1;
-    if (ctx->flags & IORING_SETUP_R_DISABLED)
+    if (ctx->flags & IORING_SETUP_R_DISABLED && ctx->sq_data)
         io_sq_offload_start(ctx);
     mutex_unlock(&ctx->uring_lock);

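Review bot: the added condition on the `+` line, `ctx->flags & IORING_SETUP_R_DISABLED && ctx->sq_data`, is correct only because `&` binds tighter than `&&`; the surrounding code parenthesises such flag tests, so write it as `if ((ctx->flags & IORING_SETUP_R_DISABLED) && ctx->sq_data)` to make the intent explicit. The patch also has no changelog: the hunk guards the call to io_sq_offload_start() at the caller, but nothing in the submission says which pointer is dereferenced inside that function or why sq_data can be NULL while R_DISABLED is set, and that reasoning currently lives only behind the external link; a stable candidate needs it in the commit message, together with a Fixes: tag for the commit that introduced the path. Finally, as rendered here the body lines are indented with spaces rather than tabs; if that is how the mail was sent rather than an artifact of the archive, the patch will not apply with git am and would need to be resent.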
-- 
2.27.0


* Re: [RFC] Patch for null-ptr-deref read in io_uring_create 5.11.12
  2021-04-17  7:56 [RFC] Patch for null-ptr-deref read in io_uring_create 5.11.12 Palash Oswal
@ 2021-04-19 10:33 ` Pavel Begunkov
  2021-04-19 11:10   ` Palash Oswal
  0 siblings, 1 reply; 4+ messages in thread
From: Pavel Begunkov @ 2021-04-19 10:33 UTC (permalink / raw)
  To: Palash Oswal, axboe, io-uring

On 4/17/21 8:56 AM, Palash Oswal wrote:
> Hello,
> 
> I have been trying to decipher a bug that my local syzkaller instance
> discovered in the v5.11.12 stable tree. I have more details in [1].
> Could someone please review.

Can be; what is the hash of the last commit you used? stable 5.11 is different
now; I'd guess it was fixed by

commit 0298ef969a110ca03654f0cea9b50e3f3b331acc
Author: Pavel Begunkov <[email protected]>
Date:   Mon Mar 8 13:20:57 2021 +0000

    io_uring: clean R_DISABLED startup mess



> 
> [1] https://oswalpalash.com/exploring-null-ptr-deref-io-uring-submit/
> Signed-off-by: Palash Oswal <[email protected]>
> ---
>  fs/io_uring.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/fs/io_uring.c b/fs/io_uring.c
> index 8b4213de9e08..00b35079b91a 100644
> --- a/fs/io_uring.c
> +++ b/fs/io_uring.c
> @@ -8995,7 +8995,7 @@ static void io_disable_sqo_submit(struct io_ring_ctx *ctx)
>  {
>      mutex_lock(&ctx->uring_lock);
>      ctx->sqo_dead = 1;
> -    if (ctx->flags & IORING_SETUP_R_DISABLED)
> +    if (ctx->flags & IORING_SETUP_R_DISABLED && ctx->sq_data)
>          io_sq_offload_start(ctx);
>      mutex_unlock(&ctx->uring_lock);
> 

-- 
Pavel Begunkov


* Re: [RFC] Patch for null-ptr-deref read in io_uring_create 5.11.12
  2021-04-19 10:33 ` Pavel Begunkov
@ 2021-04-19 11:10   ` Palash Oswal
  2021-04-19 11:22     ` Pavel Begunkov
  0 siblings, 1 reply; 4+ messages in thread
From: Palash Oswal @ 2021-04-19 11:10 UTC (permalink / raw)
  To: Pavel Begunkov; +Cc: axboe, io-uring

The last commit I have is fe0d27d7358b89cd4cc43edda23044650827516e
(v5.11.12 release)

I see that the commit you pointed me to was merged by
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9278be92f22979a026a68206e226722138c9443d,
which is on top of 5.12-rc2. Is my patch needed for the v5.11 tree?


* Re: [RFC] Patch for null-ptr-deref read in io_uring_create 5.11.12
  2021-04-19 11:10   ` Palash Oswal
@ 2021-04-19 11:22     ` Pavel Begunkov
  0 siblings, 0 replies; 4+ messages in thread
From: Pavel Begunkov @ 2021-04-19 11:22 UTC (permalink / raw)
  To: Palash Oswal; +Cc: axboe, io-uring

On 4/19/21 12:10 PM, Palash Oswal wrote:
> The last commit I have is fe0d27d7358b89cd4cc43edda23044650827516e

I assume your bug happened in io_uring_create(), and if so, fwiw,
I confirm that your patch looks right ...

> (v5.11.12 release)
> 
> I see that the commit you pointed me to was merged by
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9278be92f22979a026a68206e226722138c9443d
> is on top of 5.12-rc2. Is my patch needed for the v5.11 tree?

... if the mentioned commit fixes the issue, then we should
backport it, because
1) there is more to that patch, so it should be done in any case;
2) stable _highly_ prefers to take commits from upstream, not
newly crafted ones.

However, that might be useless, because a large chunk of patches
is to be ported soon.

-- 
Pavel Begunkov

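The question Palash raises above, whether a fix that landed on top of 5.12-rc2 is already contained in the v5.11.12 tag, is one git can answer directly before anyone writes a stable-only patch. The following is an added example, not code from this thread or from the kernel tree; it assumes a local clone whose path you pass in, and the helper names `fix_in_release` and `first_release_with` are mine. The check is generic: it works for any fix/release pair, not only the two hashes discussed here.

```shell
#!/bin/sh
# Added example: decide whether an upstream fix commit is contained in a
# given release ref of a git tree. Helper names are illustrative, not from
# the kernel tree or from the thread above.

# fix_in_release REPO FIX_COMMIT RELEASE_REF
# Prints "yes" if FIX_COMMIT is an ancestor of RELEASE_REF (the fix is in
# that release), "no" if it is not, and "unknown" with exit status 2 if
# either ref cannot be resolved in REPO (e.g. a shallow clone or a typo),
# so a missing object is never silently reported as "not fixed".
fix_in_release() {
    repo=$1; fix=$2; rel=$3
    git -C "$repo" rev-parse --verify --quiet "$fix^{commit}" >/dev/null \
        || { echo unknown; return 2; }
    git -C "$repo" rev-parse --verify --quiet "$rel^{commit}" >/dev/null \
        || { echo unknown; return 2; }
    if git -C "$repo" merge-base --is-ancestor "$fix" "$rel"; then
        echo yes
    else
        echo no
    fi
}

# first_release_with REPO FIX_COMMIT
# Prints the earliest tag that contains FIX_COMMIT (the suffix git describe
# appends, such as "~12^2", is stripped), or "none" with exit status 1 if no
# tag contains it yet.
first_release_with() {
    out=$(git -C "$1" describe --contains "$2" 2>/dev/null) \
        || { echo none; return 1; }
    echo "$out" | sed 's/[~^].*//'
}

# Usage against a kernel clone, with the hashes from this thread:
#   fix_in_release ~/linux 0298ef969a110ca03654f0cea9b50e3f3b331acc v5.11.12
#   first_release_with ~/linux 0298ef969a110ca03654f0cea9b50e3f3b331acc
```

A "no" from the first helper is exactly the situation Pavel describes: the stable tree needs the upstream commit backported rather than a freshly written guard, and the second helper tells you which upstream tag to cite when asking for the backport.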
