linux-stable/io_uring
Jens Axboe c2844d5e58 io_uring: check for non-NULL file pointer in io_file_can_poll()
commit 5fc16fa5f1 upstream.

In earlier kernels, it was possible to trigger a NULL pointer
dereference off the forced async preparation path, if no file had
been assigned. The trace leading to that looks as follows:

BUG: kernel NULL pointer dereference, address: 00000000000000b0
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 67 PID: 1633 Comm: buf-ring-invali Not tainted 6.8.0-rc3+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS unknown 2/2/2022
RIP: 0010:io_buffer_select+0xc3/0x210
Code: 00 00 48 39 d1 0f 82 ae 00 00 00 48 81 4b 48 00 00 01 00 48 89 73 70 0f b7 50 0c 66 89 53 42 85 ed 0f 85 d2 00 00 00 48 8b 13 <48> 8b 92 b0 00 00 00 48 83 7a 40 00 0f 84 21 01 00 00 4c 8b 20 5b
RSP: 0018:ffffb7bec38c7d88 EFLAGS: 00010246
RAX: ffff97af2be61000 RBX: ffff97af234f1700 RCX: 0000000000000040
RDX: 0000000000000000 RSI: ffff97aecfb04820 RDI: ffff97af234f1700
RBP: 0000000000000000 R08: 0000000000200030 R09: 0000000000000020
R10: ffffb7bec38c7dc8 R11: 000000000000c000 R12: ffffb7bec38c7db8
R13: ffff97aecfb05800 R14: ffff97aecfb05800 R15: ffff97af2be5e000
FS:  00007f852f74b740(0000) GS:ffff97b1eeec0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000b0 CR3: 000000016deab005 CR4: 0000000000370ef0
Call Trace:
 <TASK>
 ? __die+0x1f/0x60
 ? page_fault_oops+0x14d/0x420
 ? do_user_addr_fault+0x61/0x6a0
 ? exc_page_fault+0x6c/0x150
 ? asm_exc_page_fault+0x22/0x30
 ? io_buffer_select+0xc3/0x210
 __io_import_iovec+0xb5/0x120
 io_readv_prep_async+0x36/0x70
 io_queue_sqe_fallback+0x20/0x260
 io_submit_sqes+0x314/0x630
 __do_sys_io_uring_enter+0x339/0xbc0
 ? __do_sys_io_uring_register+0x11b/0xc50
 ? vm_mmap_pgoff+0xce/0x160
 do_syscall_64+0x5f/0x180
 entry_SYSCALL_64_after_hwframe+0x46/0x4e
RIP: 0033:0x55e0a110a67e
Code: ba cc 00 00 00 45 31 c0 44 0f b6 92 d0 00 00 00 31 d2 41 b9 08 00 00 00 41 83 e2 01 41 c1 e2 04 41 09 c2 b8 aa 01 00 00 0f 05 <c3> 90 89 30 eb a9 0f 1f 40 00 48 8b 42 20 8b 00 a8 06 75 af 85 f6

because the request is marked forced ASYNC and has a bad file fd, and
hence takes the forced async prep path.

Current kernels with the request async prep cleaned up can no longer hit
this issue, but for ease of backporting, let's add this safety check in
here too as it really doesn't hurt. For both cases, this will inevitably
end with a CQE posted with -EBADF.

Cc: stable@vger.kernel.org
Fixes: a76c0b31ee ("io_uring: commit non-pollable provided mapped buffers upfront")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-06-21 14:35:42 +02:00
advise.c io_uring: make io_kiocb_to_cmd() typesafe 2022-08-12 17:01:00 -06:00
advise.h io_uring: split out fadvise/madvise operations 2022-07-24 18:39:11 -06:00
alloc_cache.h io_uring: fix poll/netmsg alloc caches 2023-04-06 12:10:52 +02:00
cancel.c io_uring/cancel: re-grab ctx mutex after finishing wait 2023-01-12 12:02:38 +01:00
cancel.h io_uring: add sync cancelation API through io_uring_register() 2022-07-24 18:39:15 -06:00
epoll.c io_uring: undeprecate epoll_ctl support 2023-06-09 10:34:23 +02:00
epoll.h io_uring: move epoll handler to its own file 2022-07-24 18:39:11 -06:00
fdinfo.c io_uring/fdinfo: lock SQ thread while retrieving thread cpu/pid 2023-11-02 09:35:29 +01:00
fdinfo.h io_uring: move fdinfo helpers to its own file 2022-07-24 18:39:12 -06:00
filetable.c io_uring: drop any code related to SCM_RIGHTS 2024-03-26 18:20:22 -04:00
filetable.h io_uring: kill hot path fixed file bitmap debug checks 2022-10-16 17:07:53 -06:00
fs.c io_uring/fs: consider link->flags when getting path for LINKAT 2023-12-03 07:32:11 +01:00
fs.h io_uring: split out filesystem related operations 2022-07-24 18:39:11 -06:00
io_uring.c io_uring: Fix io_cqring_wait() not restoring sigmask on get_timespec64() failure 2024-04-27 17:07:04 +02:00
io_uring.h io_uring: use the right type for work_llist empty check 2024-06-12 11:03:05 +02:00
io-wq.c io_uring/sqpoll: fix io-wq affinity when IORING_SETUP_SQPOLL is used 2023-09-19 12:27:54 +02:00
io-wq.h io_uring/sqpoll: fix io-wq affinity when IORING_SETUP_SQPOLL is used 2023-09-19 12:27:54 +02:00
kbuf.c io_uring: check for non-NULL file pointer in io_file_can_poll() 2024-06-21 14:35:42 +02:00
kbuf.h io_uring: allow buffer recycling in READV 2022-09-21 10:30:43 -06:00
Makefile io_uring: add zc notification infrastructure 2022-07-24 18:41:06 -06:00
msg_ring.c io_uring/msg_ring: fix missing lock on overflow for IOPOLL 2023-08-30 16:11:05 +02:00
msg_ring.h io_uring: get rid of double locking 2023-08-30 16:11:04 +02:00
net.c io_uring/net: restore msg_control on sendzc retry 2024-04-17 11:18:26 +02:00
net.h io_uring/net: zerocopy sendmsg 2022-09-21 13:15:02 -06:00
nop.c io_uring: fail NOP if non-zero op flags is passed in 2024-06-12 11:02:55 +02:00
nop.h io_uring: move nop into its own file 2022-07-24 18:39:11 -06:00
notif.c io_uring/net: introduce IORING_SEND_ZC_REPORT_USAGE flag 2022-12-31 13:33:11 +01:00
notif.h io_uring/net: introduce IORING_SEND_ZC_REPORT_USAGE flag 2022-12-31 13:33:11 +01:00
opdef.c io_uring: get rid of double locking 2023-08-30 16:11:04 +02:00
opdef.h io_uring: dont remove file from msg_ring reqs 2022-12-31 13:33:12 +01:00
openclose.c io_uring: correct check for O_TMPFILE 2023-08-16 18:27:24 +02:00
openclose.h io_uring: split out fixed file installation and removal 2022-07-24 18:39:16 -06:00
poll.c io_uring: always lock in io_apoll_task_func 2023-09-19 12:27:54 +02:00
poll.h io_uring/poll: allow some retries for poll triggering spuriously 2023-03-11 13:55:43 +01:00
refs.h io_uring: make io_uring_types.h public 2022-07-24 18:39:14 -06:00
rsrc.c io_uring: drop any code related to SCM_RIGHTS 2024-03-26 18:20:22 -04:00
rsrc.h io_uring: drop any code related to SCM_RIGHTS 2024-03-26 18:20:22 -04:00
rw.c io_uring/rw: ensure io->bytes_done is always initialized 2024-01-25 15:27:41 -08:00
rw.h io_uring/rw: don't lose partial IO result on fail 2022-09-21 13:15:02 -06:00
slist.h io_uring: move list helpers to a separate file 2022-07-24 18:39:15 -06:00
splice.c io_uring: make io_kiocb_to_cmd() typesafe 2022-08-12 17:01:00 -06:00
splice.h io_uring: split out splice related operations 2022-07-24 18:39:11 -06:00
sqpoll.c io_uring: Don't set affinity on a dying sqpoll thread 2023-09-19 12:27:54 +02:00
sqpoll.h io_uring/sqpoll: fix io-wq affinity when IORING_SETUP_SQPOLL is used 2023-09-19 12:27:54 +02:00
statx.c io_uring: make io_kiocb_to_cmd() typesafe 2022-08-12 17:01:00 -06:00
statx.h io_uring: move statx handling to its own file 2022-07-24 18:39:11 -06:00
sync.c io_uring: make io_kiocb_to_cmd() typesafe 2022-08-12 17:01:00 -06:00
sync.h io_uring: split out fs related sync/fallocate functions 2022-07-24 18:39:11 -06:00
tctx.c io_uring: remove io_register_submitter 2022-10-07 12:25:30 -06:00
tctx.h io_uring: simplify __io_uring_add_tctx_node 2022-10-07 12:25:30 -06:00
timeout.c io_uring: annotate offset timeout races 2023-08-11 12:08:24 +02:00
timeout.h io_uring: remove unused return from io_disarm_next 2022-09-21 13:15:01 -06:00
uring_cmd.c block/io_uring: pass in issue_flags for uring_cmd task_work handling 2023-04-06 12:10:51 +02:00
uring_cmd.h io_uring: move uring_cmd handling to its own file 2022-07-24 18:39:11 -06:00
xattr.c __io_setxattr(): constify path 2022-09-01 17:39:05 -04:00
xattr.h io_uring: move xattr related opcodes to its own file 2022-07-24 18:39:11 -06:00