iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

io_uring: NULL files dereference by SQPOLL

Browse Source 
SQPOLL task may find sqo_task->files == NULL and
__io_sq_thread_acquire_files() would leave it unset, so following
fget_many() and others try to dereference NULL and fault. Propagate
an error files are missing.

[  118.962785] BUG: kernel NULL pointer dereference, address:
	0000000000000020
[  118.963812] #PF: supervisor read access in kernel mode
[  118.964534] #PF: error_code(0x0000) - not-present page
[  118.969029] RIP: 0010:__fget_files+0xb/0x80
[  119.005409] Call Trace:
[  119.005651]  fget_many+0x2b/0x30
[  119.005964]  io_file_get+0xcf/0x180
[  119.006315]  io_submit_sqes+0x3a4/0x950
[  119.007481]  io_sq_thread+0x1de/0x6a0
[  119.007828]  kthread+0x114/0x150
[  119.008963]  ret_from_fork+0x22/0x30

Reported-by: Josef Grieb <josef.grieb@gmail.com>
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
This commit is contained in:
Pavel Begunkov 2020-11-08 12:55:55 +00:00 committed by Jens Axboe
parent c73ebb685f
commit 1a38ffc9cb
1 changed files with 12 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
fs/io_uring.c
View File

@ -1061,7 +1061,7 @@ static void io_sq_thread_drop_mm_files(void)
} }
} }
static void __io_sq_thread_acquire_files(struct io_ring_ctx *ctx) static int __io_sq_thread_acquire_files(struct io_ring_ctx *ctx)
{ {
if (!current->files) { if (!current->files) {
struct files_struct *files; struct files_struct *files;
@ -1071,7 +1071,7 @@ static void __io_sq_thread_acquire_files(struct io_ring_ctx *ctx)
files = ctx->sqo_task->files; files = ctx->sqo_task->files;
if (!files) { if (!files) {
task_unlock(ctx->sqo_task); task_unlock(ctx->sqo_task);
return; return -EOWNERDEAD;
} }
atomic_inc(&files->count); atomic_inc(&files->count);
get_nsproxy(ctx->sqo_task->nsproxy); get_nsproxy(ctx->sqo_task->nsproxy);
@ -1083,6 +1083,7 @@ static void __io_sq_thread_acquire_files(struct io_ring_ctx *ctx)
current->nsproxy = nsproxy; current->nsproxy = nsproxy;
task_unlock(current); task_unlock(current);
} }
return 0;
} }
static int __io_sq_thread_acquire_mm(struct io_ring_ctx *ctx) static int __io_sq_thread_acquire_mm(struct io_ring_ctx *ctx)
@ -1114,15 +1115,19 @@ static int io_sq_thread_acquire_mm_files(struct io_ring_ctx *ctx,
struct io_kiocb *req) struct io_kiocb *req)
{ {
const struct io_op_def *def = &io_op_defs[req->opcode]; const struct io_op_def *def = &io_op_defs[req->opcode];
int ret;
if (def->work_flags & IO_WQ_WORK_MM) { if (def->work_flags & IO_WQ_WORK_MM) {
int ret = __io_sq_thread_acquire_mm(ctx); ret = __io_sq_thread_acquire_mm(ctx);
if (unlikely(ret)) if (unlikely(ret))
return ret; return ret;
} }
if (def->needs_file || (def->work_flags & IO_WQ_WORK_FILES)) if (def->needs_file || (def->work_flags & IO_WQ_WORK_FILES)) {
__io_sq_thread_acquire_files(ctx); ret = __io_sq_thread_acquire_files(ctx);
if (unlikely(ret))
return ret;
}
return 0; return 0;
} }
@ -2130,8 +2135,8 @@ static void __io_req_task_submit(struct io_kiocb *req)
{ {
struct io_ring_ctx *ctx = req->ctx; struct io_ring_ctx *ctx = req->ctx;
if (!__io_sq_thread_acquire_mm(ctx)) { if (!__io_sq_thread_acquire_mm(ctx) &&
__io_sq_thread_acquire_files(ctx); !__io_sq_thread_acquire_files(ctx)) {
mutex_lock(&ctx->uring_lock); mutex_lock(&ctx->uring_lock);
__io_queue_sqe(req, NULL); __io_queue_sqe(req, NULL);
mutex_unlock(&ctx->uring_lock); mutex_unlock(&ctx->uring_lock);