kernel-hacking-2024-linux-s.../io_uring
Pavel Begunkov bcc87d978b io_uring: fix error pbuf checking
Syz reports a problem, which boils down to NULL vs IS_ERR inconsistent
error handling in io_alloc_pbuf_ring().

KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:__io_remove_buffers+0xac/0x700 io_uring/kbuf.c:341
Call Trace:
 <TASK>
 io_put_bl io_uring/kbuf.c:378 [inline]
 io_destroy_buffers+0x14e/0x490 io_uring/kbuf.c:392
 io_ring_ctx_free+0xa00/0x1070 io_uring/io_uring.c:2613
 io_ring_exit_work+0x80f/0x8a0 io_uring/io_uring.c:2844
 process_one_work kernel/workqueue.c:3231 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
 worker_thread+0x86d/0xd40 kernel/workqueue.c:3390
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Cc: stable@vger.kernel.org
Reported-by: syzbot+2074b1a3d447915c6f1c@syzkaller.appspotmail.com
Fixes: 87585b0575 ("io_uring/kbuf: use vm_insert_pages() for mmap'ed pbuf ring")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/c5f9df20560bd9830401e8e48abc029e7cfd9f5e.1721329239.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2024-07-20 11:04:57 -06:00
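The bug class the commit message names, an allocator that reports failure with ERR_PTR() while its caller tests for NULL, reproduced in user space as an added example. This is not code from io_uring or from this commit, and the kernel's actual fix is not reproduced here: ERR_PTR/IS_ERR/PTR_ERR are re-implemented after include/linux/err.h, and map_pages(), struct buf_list, alloc_ring_buggy(), alloc_ring_fixed() and remove_ring() are hypothetical stand-ins for the ring allocation and teardown paths.

```c
/*
 * Added illustration of NULL vs IS_ERR inconsistent error handling.
 * Not io_uring code; names below are hypothetical.
 */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* User-space copy of the kernel's err.h convention: the top 4095
 * addresses are reserved for negative errno values. */
#define MAX_ERRNO 4095
#define IS_ERR_VALUE(x) ((uintptr_t)(x) >= (uintptr_t)-MAX_ERRNO)

static inline void *ERR_PTR(long error) { return (void *)(intptr_t)error; }
static inline long PTR_ERR(const void *ptr) { return (long)(intptr_t)ptr; }
static inline bool IS_ERR(const void *ptr) { return IS_ERR_VALUE(ptr); }

struct buf_list {
	void *buf_ring;   /* NULL means "no ring attached" to the teardown path */
	size_t nr_pages;
};

/* Test knob: force the next mapping to fail, as an OOM would. */
static int fail_alloc;

/* Hypothetical page mapper, kernel style: returns ERR_PTR() on failure,
 * never NULL. */
static void *map_pages(size_t nr_pages)
{
	if (fail_alloc || nr_pages == 0)
		return ERR_PTR(-ENOMEM);
	void *p = calloc(nr_pages, 4096);
	return p ? p : ERR_PTR(-ENOMEM);
}

/* Buggy caller: tests for NULL although map_pages() signals failure with
 * an error pointer. On failure it reports success and leaves the error
 * pointer stored in bl->buf_ring for the teardown path to find. */
static int alloc_ring_buggy(struct buf_list *bl, size_t nr_pages)
{
	bl->buf_ring = map_pages(nr_pages);
	if (!bl->buf_ring)
		return -ENOMEM;
	bl->nr_pages = nr_pages;
	return 0;
}

/* Fixed caller: tests with IS_ERR(), propagates the errno, and resets the
 * field to NULL so the NULL-only check in teardown stays valid. */
static int alloc_ring_fixed(struct buf_list *bl, size_t nr_pages)
{
	void *ring = map_pages(nr_pages);
	if (IS_ERR(ring)) {
		bl->buf_ring = NULL;
		return (int)PTR_ERR(ring);
	}
	bl->buf_ring = ring;
	bl->nr_pages = nr_pages;
	return 0;
}

/* Teardown only knows the NULL convention. Returns 1 where a real free
 * path would have dereferenced an error pointer (a kernel would crash
 * here), 0 when it ran cleanly. */
static int remove_ring(struct buf_list *bl)
{
	if (!bl->buf_ring)
		return 0;
	if (IS_ERR(bl->buf_ring))
		return 1;  /* stand-in for the crash; the real path has no such test */
	free(bl->buf_ring);
	bl->buf_ring = NULL;
	bl->nr_pages = 0;
	return 0;
}

int main(void)
{
	struct buf_list bl = { 0 };

	fail_alloc = 1;
	printf("buggy alloc under OOM returned %d, teardown crash=%d\n",
	       alloc_ring_buggy(&bl, 1), remove_ring(&bl));

	struct buf_list bl2 = { 0 };
	printf("fixed alloc under OOM returned %d, teardown crash=%d\n",
	       alloc_ring_fixed(&bl2, 1), remove_ring(&bl2));
	return 0;
}
```

The point to take from the teardown stub is that the free path cannot be expected to learn a second "invalid" encoding; the allocation site has to pick one convention (here NULL) for the stored field and normalise to it on every failure branch.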
advise.c io_uring/advise: support 64-bit lengths 2024-06-16 14:54:55 -06:00
advise.h
alloc_cache.h
cancel.c
cancel.h io_uring: fix cancellation overwriting req->flags 2024-06-13 19:25:28 -06:00
epoll.c
epoll.h
eventfd.c io_uring/eventfd: move eventfd handling to separate file 2024-06-16 14:54:55 -06:00
eventfd.h io_uring/eventfd: move eventfd handling to separate file 2024-06-16 14:54:55 -06:00
fdinfo.c
fdinfo.h
filetable.c
filetable.h
fs.c
fs.h
futex.c
futex.h
io-wq.c io_uring/io-wq: limit retrying worker initialisation 2024-07-11 01:51:44 -06:00
io-wq.h io_uring/io-wq: make io_wq_work flags atomic 2024-06-16 14:54:55 -06:00
io_uring.c for-6.11/io_uring-20240714 2024-07-15 13:49:10 -07:00
io_uring.h io_uring: add io_add_aux_cqe() helper 2024-06-24 08:39:45 -06:00
kbuf.c io_uring: fix error pbuf checking 2024-07-20 11:04:57 -06:00
kbuf.h
Makefile io_uring/eventfd: move eventfd handling to separate file 2024-06-16 14:54:55 -06:00
memmap.c io_uring: don't attempt to mmap larger than what the user asks for 2024-05-29 09:53:14 -06:00
memmap.h
msg_ring.c io_uring/msg_ring: use kmem_cache_free() to free request 2024-07-01 09:10:59 -06:00
msg_ring.h io_uring/msg_ring: add an alloc cache for io_kiocb entries 2024-06-24 08:39:55 -06:00
napi.c io_uring/napi: Remove unnecessary s64 cast 2024-07-10 00:20:52 -06:00
napi.h
net.c Networking changes for 6.11. Not much excitement - a handful of large 2024-07-16 19:28:34 -07:00
net.h io_uring: Introduce IORING_OP_LISTEN 2024-06-19 07:57:21 -06:00
nop.c
nop.h
notif.c
notif.h
opdef.c io_uring: Fix probe of disabled operations 2024-06-19 08:58:00 -06:00
opdef.h io_uring: Fix probe of disabled operations 2024-06-19 08:58:00 -06:00
openclose.c
openclose.h
poll.c
poll.h
refs.h
register.c io_uring: Allocate only necessary memory in io_probe 2024-06-19 08:58:00 -06:00
register.h
rsrc.c for-6.11/io_uring-20240714 2024-07-15 13:49:10 -07:00
rsrc.h
rw.c fs: Initial atomic write support 2024-06-20 15:19:17 -06:00
rw.h
slist.h
splice.c
splice.h
sqpoll.c
sqpoll.h
statx.c vfs: retire user_path_at_empty and drop empty arg from getname_flags 2024-06-05 17:03:57 +02:00
statx.h
sync.c
sync.h
tctx.c
tctx.h
timeout.c
timeout.h
truncate.c
truncate.h
uring_cmd.c io_uring: fix lost getsockopt completions 2024-07-20 11:04:56 -06:00
uring_cmd.h
waitid.c
waitid.h
xattr.c vfs: retire user_path_at_empty and drop empty arg from getname_flags 2024-06-05 17:03:57 +02:00
xattr.h