iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/io_uring
History
Pavel Begunkov bcc87d978b io_uring: fix error pbuf checking 
Syz reports a problem, which boils down to NULL vs IS_ERR inconsistent
error handling in io_alloc_pbuf_ring().

KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:__io_remove_buffers+0xac/0x700 io_uring/kbuf.c:341
Call Trace:
 <TASK>
 io_put_bl io_uring/kbuf.c:378 [inline]
 io_destroy_buffers+0x14e/0x490 io_uring/kbuf.c:392
 io_ring_ctx_free+0xa00/0x1070 io_uring/io_uring.c:2613
 io_ring_exit_work+0x80f/0x8a0 io_uring/io_uring.c:2844
 process_one_work kernel/workqueue.c:3231 [inline]
 process_scheduled_works+0xa2c/0x1830 kernel/workqueue.c:3312
 worker_thread+0x86d/0xd40 kernel/workqueue.c:3390
 kthread+0x2f0/0x390 kernel/kthread.c:389
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Cc: stable@vger.kernel.org
Reported-by: syzbot+2074b1a3d447915c6f1c@syzkaller.appspotmail.com
Fixes: 87585b05757dc ("io_uring/kbuf: use vm_insert_pages() for mmap'ed pbuf ring")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/c5f9df20560bd9830401e8e48abc029e7cfd9f5e.1721329239.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2024-07-20 11:04:57 -06:00
..
advise.c
io_uring/advise: support 64-bit lengths
2024-06-16 14:54:55 -06:00
advise.h
alloc_cache.h
io_uring/alloc_cache: switch to array based caching
2024-04-15 08:10:25 -06:00
cancel.c
io_uring: fix warnings on shadow variables
2024-04-15 08:10:26 -06:00
cancel.h
io_uring: fix cancellation overwriting req->flags
2024-06-13 19:25:28 -06:00
epoll.c
io_uring: undeprecate epoll_ctl support
2023-05-26 20:22:41 -06:00
epoll.h
eventfd.c
io_uring/eventfd: move eventfd handling to separate file
2024-06-16 14:54:55 -06:00
eventfd.h
io_uring/eventfd: move eventfd handling to separate file
2024-06-16 14:54:55 -06:00
fdinfo.c
io_uring: fix warnings on shadow variables
2024-04-15 08:10:26 -06:00
fdinfo.h
filetable.c
io_uring/filetable: don't unnecessarily clear/reset bitmap
2024-05-08 08:27:45 -06:00
filetable.h
io_uring: expand main struct io_kiocb flags to 64-bits
2024-02-08 13:27:03 -07:00
fs.c
io_uring/fs: consider link->flags when getting path for LINKAT
2023-11-20 09:01:42 -07:00
fs.h
futex.c
io_uring/alloc_cache: switch to array based caching
2024-04-15 08:10:25 -06:00
futex.h
io_uring/alloc_cache: switch to array based caching
2024-04-15 08:10:25 -06:00
io_uring.c
for-6.11/io_uring-20240714
2024-07-15 13:49:10 -07:00
io_uring.h
io_uring: add io_add_aux_cqe() helper
2024-06-24 08:39:45 -06:00
io-wq.c
io_uring/io-wq: limit retrying worker initialisation
2024-07-11 01:51:44 -06:00
io-wq.h
io_uring/io-wq: make io_wq_work flags atomic
2024-06-16 14:54:55 -06:00
kbuf.c
io_uring: fix error pbuf checking
2024-07-20 11:04:57 -06:00
kbuf.h
io_uring/kbuf: add helpers for getting/peeking multiple buffers
2024-04-22 11:26:01 -06:00
Makefile
io_uring/eventfd: move eventfd handling to separate file
2024-06-16 14:54:55 -06:00
memmap.c
io_uring: don't attempt to mmap larger than what the user asks for
2024-05-29 09:53:14 -06:00
memmap.h
io_uring: move mapping/allocation helpers to a separate file
2024-04-15 08:10:26 -06:00
msg_ring.c
io_uring/msg_ring: use kmem_cache_free() to free request
2024-07-01 09:10:59 -06:00
msg_ring.h
io_uring/msg_ring: add an alloc cache for io_kiocb entries
2024-06-24 08:39:55 -06:00
napi.c
io_uring/napi: Remove unnecessary s64 cast
2024-07-10 00:20:52 -06:00
napi.h
io_uring: add register/unregister napi function
2024-02-09 11:54:32 -07:00
net.c
Networking changes for 6.11. Not much excitement - a handful of large
2024-07-16 19:28:34 -07:00
net.h
io_uring: Introduce IORING_OP_LISTEN
2024-06-19 07:57:21 -06:00
nop.c
io_uring: support to inject result for NOP
2024-05-10 06:09:45 -06:00
nop.h
notif.c
io_uring/notif: disable LAZY_WAKE for linked notifs
2024-04-30 13:06:27 -06:00
notif.h
io_uring/notif: implement notification stacking
2024-04-22 19:31:18 -06:00
opdef.c
io_uring: Fix probe of disabled operations
2024-06-19 08:58:00 -06:00
opdef.h
io_uring: Fix probe of disabled operations
2024-06-19 08:58:00 -06:00
openclose.c
io_uring: enable audit and restrict cred override for IORING_OP_FIXED_FD_INSTALL
2024-01-23 15:25:14 -07:00
openclose.h
io_uring/openclose: add support for IORING_OP_FIXED_FD_INSTALL
2023-12-12 07:42:57 -07:00
poll.c
io_uring/alloc_cache: switch to array based caching
2024-04-15 08:10:25 -06:00
poll.h
io_uring/poll: shrink alloc cache size to 32
2024-04-15 08:10:25 -06:00
refs.h
io_uring: kill dead code in io_req_complete_post
2024-04-15 08:10:26 -06:00
register.c
io_uring: Allocate only necessary memory in io_probe
2024-06-19 08:58:00 -06:00
register.h
io_uring/register: move io_uring_register(2) related code to register.c
2023-12-19 08:54:20 -07:00
rsrc.c
for-6.11/io_uring-20240714
2024-07-15 13:49:10 -07:00
rsrc.h
io_uring: remove io_req_put_rsrc_locked()
2024-04-15 08:10:26 -06:00
rw.c
fs: Initial atomic write support
2024-06-20 15:19:17 -06:00
rw.h
io_uring/alloc_cache: switch to array based caching
2024-04-15 08:10:25 -06:00
slist.h
io_uring: silence variable ‘prev’ set but not used warning
2023-03-09 10:10:58 -07:00
splice.c
splice: return type ssize_t from all helpers
2023-12-12 16:19:59 +01:00
splice.h
sqpoll.c
io_uring/sqpoll: ensure that normal task_work is also run timely
2024-05-21 13:41:14 -06:00
sqpoll.h
io_uring/sqpoll: statistics of the true utilization of sq threads
2024-03-01 06:28:19 -07:00
statx.c
vfs: retire user_path_at_empty and drop empty arg from getname_flags
2024-06-05 17:03:57 +02:00
statx.h
sync.c
io_uring: for requests that require async, force it
2023-01-29 15:18:26 -07:00
sync.h
tctx.c
io_uring: Add io_uring_setup flag to pre-register ring fd and never install it
2023-05-16 08:06:00 -06:00
tctx.h
io_uring: simplify __io_uring_add_tctx_node
2022-10-07 12:25:30 -06:00
timeout.c
io_uring/timeout: remove duplicate initialization of the io_timeout list.
2024-04-15 08:10:27 -06:00
timeout.h
io_uring: remove unused return from io_disarm_next
2022-09-21 13:15:01 -06:00
truncate.c
io_uring: add support for ftruncate
2024-02-09 09:04:39 -07:00
truncate.h
io_uring: add support for ftruncate
2024-02-09 09:04:39 -07:00
uring_cmd.c
io_uring: fix lost getsockopt completions
2024-07-20 11:04:56 -06:00
uring_cmd.h
io_uring/alloc_cache: switch to array based caching
2024-04-15 08:10:25 -06:00
waitid.c
io_uring: remove struct io_tw_state::locked
2024-04-15 08:10:24 -06:00
waitid.h
io_uring: add IORING_OP_WAITID support
2023-09-21 12:04:45 -06:00
xattr.c
vfs: retire user_path_at_empty and drop empty arg from getname_flags
2024-06-05 17:03:57 +02:00
xattr.h