iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/fs
History
Jens Axboe 8706e04ed7 io_uring: always delete double poll wait entry on match 
syzbot reports a crash with tty polling, which is using the double poll
handling:

general protection fault, probably for non-canonical address 0xdffffc0000000009: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f]
CPU: 0 PID: 6874 Comm: syz-executor749 Not tainted 5.9.0-rc6-next-20200924-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:io_poll_get_single fs/io_uring.c:4778 [inline]
RIP: 0010:io_poll_double_wake+0x51/0x510 fs/io_uring.c:4845
Code: fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 9e 03 00 00 48 b8 00 00 00 00 00 fc ff df 49 8b 5d 08 48 8d 7b 48 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 06 0f 8e 63 03 00 00 0f b6 6b 48 bf 06 00 00
RSP: 0018:ffffc90001c1fb70 EFLAGS: 00010006
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000004
RDX: 0000000000000009 RSI: ffffffff81d9b3ad RDI: 0000000000000048
RBP: dffffc0000000000 R08: ffff8880a3cac798 R09: ffffc90001c1fc60
R10: fffff52000383f73 R11: 0000000000000000 R12: 0000000000000004
R13: ffff8880a3cac798 R14: ffff8880a3cac7a0 R15: 0000000000000004
FS:  0000000001f98880(0000) GS:ffff8880ae400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f18886916c0 CR3: 0000000094c5a000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __wake_up_common+0x147/0x650 kernel/sched/wait.c:93
 __wake_up_common_lock+0xd0/0x130 kernel/sched/wait.c:123
 tty_ldisc_hangup+0x1cf/0x680 drivers/tty/tty_ldisc.c:735
 __tty_hangup.part.0+0x403/0x870 drivers/tty/tty_io.c:625
 __tty_hangup drivers/tty/tty_io.c:575 [inline]
 tty_vhangup+0x1d/0x30 drivers/tty/tty_io.c:698
 pty_close+0x3f5/0x550 drivers/tty/pty.c:79
 tty_release+0x455/0xf60 drivers/tty/tty_io.c:1679
 __fput+0x285/0x920 fs/file_table.c:281
 task_work_run+0xdd/0x190 kernel/task_work.c:141
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:165 [inline]
 exit_to_user_mode_prepare+0x1e2/0x1f0 kernel/entry/common.c:192
 syscall_exit_to_user_mode+0x7a/0x2c0 kernel/entry/common.c:267
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x401210

which is due to a failure in removing the double poll wait entry if we
hit a wakeup match. This can cause multiple invocations of the wakeup,
which isn't safe.

Cc: stable@vger.kernel.org # v5.8
Reported-by: syzbot+81b3883093f772addf6d@syzkaller.appspotmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2020-09-28 08:38:54 -06:00
..
9p
9p: Remove unneeded cast from memory allocation
2020-07-31 07:28:25 +02:00
adfs
block: move struct block_device to blk_types.h
2020-06-24 09:16:02 -06:00
affs
block: move block-related definitions out of fs.h
2020-06-24 09:16:02 -06:00
afs
Remove uninitialized_var() macro for v5.9-rc1
2020-08-04 13:49:43 -07:00
autofs
fs: autofs: delete repeated words in comments
2020-08-14 19:56:56 -07:00
befs
block: move struct block_device to blk_types.h
2020-06-24 09:16:02 -06:00
bfs
docs: filesystems: fix renamed references
2020-04-20 15:45:22 -06:00
btrfs
for-5.9-tag
2020-08-13 12:26:18 -07:00
cachefiles
cachefiles: switch to kernel_write
2020-07-08 08:27:56 +02:00
ceph
ceph: handle zero-length feature mask in session messages
2020-08-05 17:47:07 +02:00
cifs
3 small cifs/smb3 fixes, one for stable fixing mkdir path with idsfromsid mount option
2020-08-15 08:31:39 -07:00
coda
docs: filesystems: convert coda.txt to ReST
2020-05-05 09:22:21 -06:00
configfs
A fair amount of stuff this time around, dominated by yet another massive
2020-06-01 15:45:27 -07:00
cramfs
docs: filesystems: fix renamed references
2020-04-20 15:45:22 -06:00
crypto
mm, treewide: rename kzfree() to kfree_sensitive()
2020-08-07 11:33:22 -07:00
debugfs
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
2020-08-05 20:13:21 -07:00
devpts
dlm
dlm for 5.9
2020-08-06 19:44:25 -07:00
ecryptfs
mm, treewide: rename kzfree() to kfree_sensitive()
2020-08-07 11:33:22 -07:00
efivarfs
efi/efivars: Expose RT service availability via efivars abstraction
2020-07-09 10:14:29 +03:00
efs
block: move struct block_device to blk_types.h
2020-06-24 09:16:02 -06:00
erofs
Changes since last update:
2020-08-06 19:22:51 -07:00
exfat
exfat: retain 'VolumeFlags' properly
2020-08-12 08:31:13 +09:00
exportfs
ext2
ext2: ext2.h: fix duplicated word + typos
2020-07-27 10:58:06 +02:00
ext4
New code for 5.9:
2020-08-06 19:35:12 -07:00
f2fs
f2fs-for-5.9-rc1
2020-08-10 18:33:22 -07:00
fat
fat: fix fat_ra_init() for data clusters == 0
2020-08-12 10:58:01 -07:00
freevxfs
fscache
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
2020-06-03 16:27:18 -07:00
fuse
virtio: fixes, features
2020-08-11 14:34:17 -07:00
gfs2
Changes in gfs2:
2020-08-10 18:22:43 -07:00
hfs
block: move block-related definitions out of fs.h
2020-06-24 09:16:02 -06:00
hfsplus
treewide: Remove uninitialized_var() usage
2020-07-16 12:35:15 -07:00
hostfs
hostfs: Use kasprintf() instead of fixed buffer formatting
2020-03-29 23:23:00 +02:00
hpfs
hpfs: fix warning due to superfluous semicolon
2020-06-06 10:08:17 -07:00
hugetlbfs
hugetlbfs: prevent filesystem stacking of hugetlbfs
2020-08-12 10:57:56 -07:00
iomap
iomap: fall back to buffered writes for invalidation failures
2020-08-05 09:24:16 -07:00
isofs
Remove uninitialized_var() macro for v5.9-rc1
2020-08-04 13:49:43 -07:00
jbd2
This is the second round of ext4 commits for 5.8 merge window. It
2020-06-15 09:32:10 -07:00
jffs2
This pull request contains changes for JFFS2, UBI and UBIFS
2020-08-10 18:20:04 -07:00
jfs
block: move struct block_device to blk_types.h
2020-06-24 09:16:02 -06:00
kernfs
fsnotify: pass dir and inode arguments to fsnotify()
2020-07-27 23:15:48 +02:00
lockd
proc: convert everything to "struct proc_ops"
2020-02-04 03:05:26 +00:00
minix
fs/minix: remove expected error message in block_to_path()
2020-08-12 10:58:00 -07:00
nfs
NFS client updates for Linux 5.9
2020-08-15 08:26:55 -07:00
nfs_common
nfsd
Highlights:
2020-08-09 13:58:04 -07:00
nilfs2
nilfs2: use a more common logging style
2020-08-12 10:58:01 -07:00
nls
treewide: replace '---help---' in Kconfig files with 'help'
2020-06-14 01:57:21 +09:00
notify
fanotify: compare fsid when merging name event
2020-07-28 10:58:07 +02:00
ntfs
ntfs: fix ntfs_test_inode and ntfs_init_locked_inode function type
2020-08-07 11:33:21 -07:00
ocfs2
Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2020-08-07 21:14:30 -07:00
omfs
treewide: Remove uninitialized_var() usage
2020-07-16 12:35:15 -07:00
openpromfs
orangefs
orangefs: remove unnecessary assignment to variable ret
2020-08-04 15:01:58 -04:00
overlayfs
Remove uninitialized_var() macro for v5.9-rc1
2020-08-04 13:49:43 -07:00
proc
mm, oom: make the calculation of oom badness more accurate
2020-08-12 10:57:56 -07:00
pstore
pstore: Fix linking when crypto API disabled
2020-07-06 19:42:31 -07:00
qnx4
qnx6
fs: convert mpage_readpages to mpage_readahead
2020-06-02 10:59:07 -07:00
quota
\n
2020-08-06 19:28:26 -07:00
ramfs
fs_parse: fold fs_parameter_desc/fs_parameter_spec
2020-02-07 14:48:37 -05:00
reiserfs
\n
2020-08-06 19:28:26 -07:00
romfs
treewide: replace '---help---' in Kconfig files with 'help'
2020-06-14 01:57:21 +09:00
squashfs
squashfs: fix length field overlap check in metadata reading
2020-07-24 12:42:41 -07:00
sysfs
RDMA 5.8 merge window pull request
2020-06-05 14:05:57 -07:00
sysv
docs: filesystems: fix renamed references
2020-04-20 15:45:22 -06:00
tracefs
ubifs
This pull request contains changes for JFFS2, UBI and UBIFS
2020-08-10 18:20:04 -07:00
udf
\n
2020-08-06 19:28:26 -07:00
ufs
fs/ufs: avoid potential u32 multiplication overflow
2020-08-12 10:58:01 -07:00
unicode
.gitignore: add SPDX License Identifier
2020-03-25 11:50:48 +01:00
vboxsf
vboxsf: don't use the source name in the bdi name
2020-05-07 08:45:47 -06:00
verity
fs-verity: use smp_load_acquire() for ->i_verity_info
2020-07-21 16:02:41 -07:00
xfs
Fixes for 5.9-rc1:
2020-08-13 12:22:19 -07:00
zonefs
zonefs: add zone-capacity support
2020-08-11 17:42:24 +09:00
aio.c
mm: remove unnecessary wrapper function do_mmap_pgoff()
2020-08-07 11:33:27 -07:00
anon_inodes.c
attr.c
bad_inode.c
fs: move the fiemap definitions out of fs.h
2020-06-03 23:16:55 -04:00
binfmt_aout.c
exec: Rename flush_old_exec begin_new_exec
2020-05-07 16:55:47 -05:00
binfmt_elf_fdpic.c
Merge branch 'work.fdpic' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2020-08-07 13:29:39 -07:00
binfmt_elf.c
kill elf_fpxregs_t
2020-07-27 14:29:23 -04:00
binfmt_em86.c
Merge branch 'akpm' (patches from Andrew)
2020-06-04 19:18:29 -07:00
binfmt_flat.c
Merge branch 'uaccess.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2020-06-10 16:02:54 -07:00
binfmt_misc.c
Merge branch 'akpm' (patches from Andrew)
2020-06-04 19:18:29 -07:00
binfmt_script.c
Merge branch 'akpm' (patches from Andrew)
2020-06-04 19:18:29 -07:00
block_dev.c
for-5.9/io_uring-20200802
2020-08-03 13:01:22 -07:00
buffer.c
for-5.9/block-20200802
2020-08-03 11:57:03 -07:00
char_dev.c
vfs: allow unprivileged whiteout creation
2020-05-14 16:44:23 +02:00
compat_binfmt_elf.c
Split the old READ_IMPLIES_EXEC workaround from executable PT_GNU_STACK
2020-06-05 13:45:21 -07:00
compat.c
coredump.c
coredump: add %f for executable filename
2020-08-12 10:58:01 -07:00
d_path.c
dax.c
dax: Fix incorrect argument passed to xas_set_err()
2020-07-30 18:14:33 -06:00
dcache.c
vfs: Use sequence counter with associated spinlock
2020-07-29 16:14:27 +02:00
dcookies.c
direct-io.c
block: remove the bd_queue field from struct block_device
2020-07-01 08:08:20 -06:00
drop_caches.c
sysctl: pass kernel pointers to ->proc_handler
2020-04-27 02:07:40 -04:00
eventfd.c
eventfd: convert to f_op->read_iter()
2020-05-06 22:33:43 -04:00
eventpoll.c
epoll: call final ep_events_available() check under the lock
2020-05-14 10:00:35 -07:00
exec.c
mm/gup: remove task_struct pointer for all gup code
2020-08-12 10:58:04 -07:00
fcntl.c
fcntl: Distribute switch variables for initialization
2020-03-03 10:55:06 -05:00
fhandle.c
file_table.c
Revert "fs: Do not check if there is a fsnotify watcher on pseudo inodes"
2020-06-29 09:40:55 -07:00
file.c
Merge branch 'hch.init_path' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2020-08-07 09:40:34 -07:00
filesystems.c
fs/filesystems.c: downgrade user-reachable WARN_ONCE() to pr_warn_once()
2020-04-10 15:36:22 -07:00
fs_context.c
vfs: don't parse "silent" option
2020-05-14 16:44:25 +02:00
fs_parser.c
fs_parse: remove pr_notice() about each validation
2020-04-02 09:35:26 -07:00
fs_pin.c
fs_struct.c
vfs: Use sequence counter with associated spinlock
2020-07-29 16:14:27 +02:00
fs_types.c
fs-writeback.c
A lot of bug fixes and cleanups for ext4, including:
2020-06-05 16:19:28 -07:00
fsopen.c
add prefix to fs_context->log
2020-02-07 14:48:35 -05:00
init.c
init: add an init_dup helper
2020-08-04 21:02:38 -04:00
inode.c
AFS Changes
2020-06-05 16:26:36 -07:00
internal.h
Merge branch 'hch.init_path' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2020-08-07 09:40:34 -07:00
io_uring.c
io_uring: always delete double poll wait entry on match
2020-09-28 08:38:54 -06:00
io-wq.c
io-wq: fix hang after cancelling pending hashed work
2020-08-23 11:38:50 -06:00
io-wq.h
io_uring/io-wq: move RLIMIT_FSIZE to io-wq
2020-07-24 13:00:44 -06:00
ioctl.c
fs: remove ksys_ioctl
2020-07-31 08:16:01 +02:00
Kconfig
tmpfs: support 64-bit inums per-sb
2020-08-07 11:33:24 -07:00
Kconfig.binfmt
treewide: replace '---help---' in Kconfig files with 'help'
2020-06-14 01:57:21 +09:00
libfs.c
block: remove the error_sector argument to blkdev_issue_flush
2020-05-22 08:45:46 -06:00
locks.c
Highlights:
2020-08-09 13:58:04 -07:00
Makefile
init: add an init_mount helper
2020-07-31 08:17:51 +02:00
mbcache.c
mount.h
proc/mounts: add cursor
2020-05-14 16:44:24 +02:00
mpage.c
fs: convert mpage_readpages to mpage_readahead
2020-06-02 10:59:07 -07:00
namei.c
exec: restore EACCES of S_ISDIR execve()
2020-08-14 19:56:56 -07:00
namespace.c
Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2020-08-07 21:03:25 -07:00
no-block.c
nsfs.c
nsproxy: attach to namespaces via pidfds
2020-05-13 11:41:22 +02:00
open.c
exec: move S_ISREG() check earlier
2020-08-12 10:58:01 -07:00
pipe.c
Notifications over pipes + Keyring notifications
2020-06-13 09:56:21 -07:00
pnode.c
propagate_one(): mnt_set_mountpoint() needs mount_lock
2020-04-27 10:37:14 -04:00
pnode.h
posix_acl.c
vfs: clean up posix_acl_permission() logic aroudn MAY_NOT_BLOCK
2020-06-08 11:04:19 -07:00
proc_namespace.c
Merge branch 'proc-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
2020-06-04 13:54:34 -07:00
read_write.c
initrd: switch initrd loading to struct file based APIs
2020-07-30 08:22:47 +02:00
readdir.c
fs: remove ksys_getdents64
2020-07-31 08:16:00 +02:00
select.c
pselect6() and friends: take handling the combined 6th/7th args into helper
2020-05-29 19:10:42 -04:00
seq_file.c
fs/seq_file.c: seq_read: Update pr_info_ratelimited
2020-06-04 19:06:25 -07:00
signalfd.c
fs/signalfd.c: fix inconsistent return codes for signalfd4
2020-08-12 10:58:01 -07:00
splice.c
Notifications over pipes + Keyring notifications
2020-06-13 09:56:21 -07:00
stack.c
stat.c
New code for 5.8:
2020-06-02 19:45:12 -07:00
statfs.c
super.c
Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2020-06-10 16:09:11 -07:00
sync.c
overlayfs update for 5.8
2020-06-09 15:40:50 -07:00
timerfd.c
userfaultfd.c
A set of locking fixes and updates:
2020-08-10 19:07:44 -07:00
utimes.c
fs: expose utimes_common
2020-07-31 08:16:01 +02:00
xattr.c
xattr: add a function to check if a namespace is supported
2020-07-13 17:27:03 -04:00