iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/fs
History
Jackie Liu d0ee879187 io_uring: fix KASAN use after free in io_sq_wq_submit_work 
[root@localhost ~]# ./liburing/test/link

QEMU Standard PC report that:

[   29.379892] CPU: 0 PID: 84 Comm: kworker/u2:2 Not tainted 5.3.0-rc2-00051-g4010b622f1d2-dirty #86
[   29.379902] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[   29.379913] Workqueue: io_ring-wq io_sq_wq_submit_work
[   29.379929] Call Trace:
[   29.379953]  dump_stack+0xa9/0x10e
[   29.379970]  ? io_sq_wq_submit_work+0xbf4/0xe90
[   29.379986]  print_address_description.cold.6+0x9/0x317
[   29.379999]  ? io_sq_wq_submit_work+0xbf4/0xe90
[   29.380010]  ? io_sq_wq_submit_work+0xbf4/0xe90
[   29.380026]  __kasan_report.cold.7+0x1a/0x34
[   29.380044]  ? io_sq_wq_submit_work+0xbf4/0xe90
[   29.380061]  kasan_report+0xe/0x12
[   29.380076]  io_sq_wq_submit_work+0xbf4/0xe90
[   29.380104]  ? io_sq_thread+0xaf0/0xaf0
[   29.380152]  process_one_work+0xb59/0x19e0
[   29.380184]  ? pwq_dec_nr_in_flight+0x2c0/0x2c0
[   29.380221]  worker_thread+0x8c/0xf40
[   29.380248]  ? __kthread_parkme+0xab/0x110
[   29.380265]  ? process_one_work+0x19e0/0x19e0
[   29.380278]  kthread+0x30b/0x3d0
[   29.380292]  ? kthread_create_on_node+0xe0/0xe0
[   29.380311]  ret_from_fork+0x3a/0x50

[   29.380635] Allocated by task 209:
[   29.381255]  save_stack+0x19/0x80
[   29.381268]  __kasan_kmalloc.constprop.6+0xc1/0xd0
[   29.381279]  kmem_cache_alloc+0xc0/0x240
[   29.381289]  io_submit_sqe+0x11bc/0x1c70
[   29.381300]  io_ring_submit+0x174/0x3c0
[   29.381311]  __x64_sys_io_uring_enter+0x601/0x780
[   29.381322]  do_syscall_64+0x9f/0x4d0
[   29.381336]  entry_SYSCALL_64_after_hwframe+0x49/0xbe

[   29.381633] Freed by task 84:
[   29.382186]  save_stack+0x19/0x80
[   29.382198]  __kasan_slab_free+0x11d/0x160
[   29.382210]  kmem_cache_free+0x8c/0x2f0
[   29.382220]  io_put_req+0x22/0x30
[   29.382230]  io_sq_wq_submit_work+0x28b/0xe90
[   29.382241]  process_one_work+0xb59/0x19e0
[   29.382251]  worker_thread+0x8c/0xf40
[   29.382262]  kthread+0x30b/0x3d0
[   29.382272]  ret_from_fork+0x3a/0x50

[   29.382569] The buggy address belongs to the object at ffff888067172140
                which belongs to the cache io_kiocb of size 224
[   29.384692] The buggy address is located 120 bytes inside of
                224-byte region [ffff888067172140, ffff888067172220)
[   29.386723] The buggy address belongs to the page:
[   29.387575] page:ffffea00019c5c80 refcount:1 mapcount:0 mapping:ffff88806ace5180 index:0x0
[   29.387587] flags: 0x100000000000200(slab)
[   29.387603] raw: 0100000000000200 dead000000000100 dead000000000122 ffff88806ace5180
[   29.387617] raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
[   29.387624] page dumped because: kasan: bad access detected

[   29.387920] Memory state around the buggy address:
[   29.388771]  ffff888067172080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[   29.390062]  ffff888067172100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[   29.391325] >ffff888067172180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   29.392578]                                         ^
[   29.393480]  ffff888067172200: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
[   29.394744]  ffff888067172280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   29.396003] ==================================================================
[   29.397260] Disabling lock debugging due to kernel taint

io_sq_wq_submit_work free and read req again.

Cc: Zhengyuan Liu <liuzhengyuan@kylinos.cn>
Cc: linux-block@vger.kernel.org
Cc: stable@vger.kernel.org
Fixes: f7b76ac9d17e ("io_uring: fix counter inc/dec mismatch in async_list")
Signed-off-by: Jackie Liu <liuyun01@kylinos.cn>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2019-07-31 08:45:10 -06:00
..
9p
9p: pass the correct prototype to read_cache_page
2019-07-12 11:05:43 -07:00
adfs
Merge branch 'work.adfs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2019-07-19 11:33:22 -07:00
affs
treewide: Add SPDX license identifier - Makefile/Kconfig
2019-05-21 10:50:46 +02:00
afs
afs: fsclient: Mark expected switch fall-throughs
2019-07-25 20:09:49 -05:00
autofs
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 83
2019-05-24 17:37:52 +02:00
befs
treewide: Add SPDX license identifier - Makefile/Kconfig
2019-05-21 10:50:46 +02:00
bfs
treewide: Add SPDX license identifier - Makefile/Kconfig
2019-05-21 10:50:46 +02:00
btrfs
for-5.3-rc1-tag
2019-07-26 11:08:37 -07:00
cachefiles
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 36
2019-05-24 17:27:11 +02:00
ceph
Merge branch 'work.dcache2' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2019-07-20 09:15:51 -07:00
cifs
cifs: update internal module number
2019-07-18 18:14:47 -05:00
coda
coda: add hinting support for partial file caching
2019-07-16 19:23:23 -07:00
configfs
Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2019-07-19 10:42:02 -07:00
cramfs
treewide: Add SPDX license identifier - Makefile/Kconfig
2019-05-21 10:50:46 +02:00
crypto
Revert "Merge tag 'keys-acl-20190703' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs"
2019-07-10 18:43:43 -07:00
debugfs
Driver Core and debugfs changes for 5.3-rc1
2019-07-12 12:24:03 -07:00
devpts
devpts: call fsnotify_unlink() hook
2019-06-20 14:46:34 +02:00
dlm
dlm for 5.3
2019-07-12 17:37:53 -07:00
ecryptfs
- Fix error handling when ecryptfs_read_lower() encounters an error
2019-07-14 19:29:04 -07:00
efivarfs
Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2019-07-19 10:42:02 -07:00
efs
treewide: Add SPDX license identifier - Makefile/Kconfig
2019-05-21 10:50:46 +02:00
exportfs
treewide: Add SPDX license identifier - Makefile/Kconfig
2019-05-21 10:50:46 +02:00
ext2
New for 5.3:
2019-07-12 16:54:37 -07:00
ext4
- virtio_pmem: The new virtio_pmem facility introduces a paravirtualized
2019-07-18 10:52:08 -07:00
f2fs
mm: migrate: remove unused mode argument
2019-07-18 17:08:07 -07:00
fat
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 282
2019-06-05 17:36:37 +02:00
freevxfs
treewide: Add SPDX license identifier - Makefile/Kconfig
2019-05-21 10:50:46 +02:00
fscache
Revert "Merge tag 'keys-acl-20190703' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs"
2019-07-10 18:43:43 -07:00
fuse
Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2019-07-19 10:42:02 -07:00
gfs2
New for 5.3:
2019-07-12 16:54:37 -07:00
hfs
treewide: Add SPDX license identifier - Makefile/Kconfig
2019-05-21 10:50:46 +02:00
hfsplus
fs/hfsplus/xattr.c: replace strncpy with memcpy
2019-07-16 19:23:23 -07:00
hostfs
This pull request contains the following changes for UML:
2019-05-12 17:52:13 -04:00
hpfs
treewide: Add SPDX license identifier - Makefile/Kconfig
2019-05-21 10:50:46 +02:00
hugetlbfs
Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2019-07-19 10:42:02 -07:00
iomap
iomap: fix Invalid License ID
2019-07-25 11:05:11 +02:00
isofs
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 142
2019-05-30 11:25:17 -07:00
jbd2
jbd2: drop declaration of journal_sync_buffer()
2019-06-20 17:32:21 -04:00
jffs2
jffs2: pass the correct prototype to read_cache_page
2019-07-12 11:05:43 -07:00
jfs
vfs: create a generic checking and prep function for FS_IOC_SETFLAGS
2019-07-01 08:25:34 -07:00
kernfs
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 428
2019-06-05 17:37:16 +02:00
lockd
lockd: Make two symbols static
2019-07-03 17:52:09 -04:00
minix
treewide: Add SPDX license identifier - Makefile/Kconfig
2019-05-21 10:50:46 +02:00
nfs
Merge branch 'work.dcache2' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2019-07-20 09:15:51 -07:00
nfs_common
treewide: Add SPDX license identifier - Makefile/Kconfig
2019-05-21 10:50:46 +02:00
nfsd
Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2019-07-19 10:42:02 -07:00
nilfs2
vfs: create a generic checking and prep function for FS_IOC_SETFLAGS
2019-07-01 08:25:34 -07:00
nls
treewide: Add SPDX license identifier - Makefile/Kconfig
2019-05-21 10:50:46 +02:00
notify
proc/sysctl: add shared variables for range check
2019-07-18 17:08:07 -07:00
ntfs
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 97
2019-05-24 17:37:53 +02:00
ocfs2
New for 5.3:
2019-07-12 16:54:37 -07:00
omfs
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 209
2019-05-30 11:29:53 -07:00
openpromfs
Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2019-07-19 10:42:02 -07:00
orangefs
orangefs: This simple pull request is just a fix for an
2019-07-16 15:15:29 -07:00
overlayfs
SPDX update for 5.2-rc6
2019-06-21 09:58:42 -07:00
proc
Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2019-07-19 10:42:02 -07:00
pstore
pstore: Fix double-free in pstore_mkfile() failure path
2019-07-08 21:04:42 -07:00
qnx4
treewide: Add SPDX license identifier - Makefile/Kconfig
2019-05-21 10:50:46 +02:00
qnx6
treewide: Add SPDX license identifier - Makefile/Kconfig
2019-05-21 10:50:46 +02:00
quota
\n
2019-07-10 20:27:07 -07:00
ramfs
Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2019-07-19 10:42:02 -07:00
reiserfs
fs/reiserfs/journal.c: change return type of dirty_one_transaction
2019-07-16 19:23:24 -07:00
romfs
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152
2019-05-30 11:26:32 -07:00
squashfs
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 499
2019-06-19 17:09:53 +02:00
sysfs
Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2019-07-19 10:42:02 -07:00
sysv
treewide: Add SPDX license identifier - Makefile/Kconfig
2019-05-21 10:50:46 +02:00
tracefs
\n
2019-07-10 20:09:17 -07:00
ubifs
mm: migrate: remove unused mode argument
2019-07-18 17:08:07 -07:00
udf
\n
2019-07-10 20:27:07 -07:00
ufs
fs/ufs/super.c: remove set but not used variable 'usb3'
2019-07-16 19:23:23 -07:00
unicode
Many bug fixes and cleanups, and an optimization for case-insensitive
2019-07-10 21:06:01 -07:00
xfs
Also new for 5.3:
2019-07-18 11:18:00 -07:00
aio.c
Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2019-07-19 10:42:02 -07:00
anon_inodes.c
Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2019-07-19 10:42:02 -07:00
attr.c
bad_inode.c
binfmt_aout.c
treewide: Add SPDX license identifier for more missed files
2019-05-21 10:50:45 +02:00
binfmt_elf_fdpic.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152
2019-05-30 11:26:32 -07:00
binfmt_elf.c
fs/binfmt_elf.c: delete stale comment
2019-07-16 19:23:22 -07:00
binfmt_em86.c
treewide: Add SPDX license identifier for more missed files
2019-05-21 10:50:45 +02:00
binfmt_flat.c
fs/binfmt_flat.c: remove set but not used variable 'inode'
2019-07-16 19:23:22 -07:00
binfmt_misc.c
Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2019-07-19 10:42:02 -07:00
binfmt_script.c
treewide: Add SPDX license identifier for more missed files
2019-05-21 10:50:45 +02:00
block_dev.c
loop: Fix mount(2) failure due to race with LOOP_SET_FD
2019-07-30 13:16:57 -06:00
buffer.c
for-linus-20190715
2019-07-15 21:20:52 -07:00
char_dev.c
chardev: set variable ret to -EBUSY before checking minor range overlap
2019-05-24 20:50:36 +02:00
compat_binfmt_elf.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 193
2019-05-30 11:29:21 -07:00
compat_ioctl.c
compat.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500
2019-06-19 17:09:55 +02:00
coredump.c
d_path.c
unexport simple_dname()
2019-05-21 08:23:41 +01:00
dax.c
Also new for 5.3:
2019-07-19 11:38:12 -07:00
dcache.c
Merge branch 'work.dcache2' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2019-07-20 09:15:51 -07:00
dcookies.c
treewide: Add SPDX license identifier for missed files
2019-05-21 10:50:45 +02:00
direct-io.c
direct-io: use bio_release_pages in dio_bio_complete
2019-06-29 09:47:31 -06:00
drop_caches.c
fs/drop_caches.c: avoid softlockups in drop_pagecache_sb()
2019-02-01 15:46:24 -08:00
eventfd.c
treewide: Add SPDX license identifier for missed files
2019-05-21 10:50:45 +02:00
eventpoll.c
proc/sysctl: add shared variables for range check
2019-07-18 17:08:07 -07:00
exec.c
sched/fair: Don't free p->numa_faults with concurrent readers
2019-07-25 15:37:04 +02:00
fcntl.c
fs: mark expected switch fall-throughs
2019-04-08 18:21:02 -05:00
fhandle.c
file_table.c
treewide: Add SPDX license identifier for missed files
2019-05-21 10:50:45 +02:00
file.c
io_uring-2019-03-06
2019-03-08 14:48:40 -08:00
filesystems.c
vfs: Implement a filesystem superblock creation/configuration context
2019-02-28 03:29:26 -05:00
fs_context.c
move mount_capable() calls to vfs_get_tree()
2019-05-25 18:00:01 -04:00
fs_parser.c
Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2019-07-19 10:42:02 -07:00
fs_pin.c
switch the remnants of releasing the mountpoint away from fs_pin
2019-07-16 22:52:37 -04:00
fs_struct.c
treewide: Add SPDX license identifier for missed files
2019-05-21 10:50:45 +02:00
fs_types.c
fs: common implementation of file type
2019-01-21 17:48:13 +01:00
fs-writeback.c
blkcg, writeback: Add wbc->no_cgroup_owner
2019-07-10 09:00:57 -06:00
fsopen.c
Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2019-07-19 10:42:02 -07:00
inode.c
New for 5.3:
2019-07-12 16:54:37 -07:00
internal.h
Merge branch 'work.dcache2' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2019-07-20 09:15:51 -07:00
io_uring.c
io_uring: fix KASAN use after free in io_sq_wq_submit_work
2019-07-31 08:45:10 -06:00
ioctl.c
Remove 'type' argument from access_ok() function
2019-01-03 18:57:57 -08:00
Kconfig
fs: VALIDATE_FS_PARSER should default to n
2019-07-05 11:22:11 -04:00
Kconfig.binfmt
binfmt_flat: make support for old format binaries optional
2019-06-24 09:16:47 +10:00
libfs.c
Merge branch 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2019-07-19 10:42:02 -07:00
locks.c
Highlights:
2019-07-10 21:22:43 -07:00
Makefile
iomap: move the main iteration code into a separate file
2019-07-17 07:20:43 -07:00
mbcache.c
treewide: Add SPDX license identifier for more missed files
2019-05-21 10:50:45 +02:00
mount.h
switch the remnants of releasing the mountpoint away from fs_pin
2019-07-16 22:52:37 -04:00
mpage.c
blkcg, writeback: Rename wbc_account_io() to wbc_account_cgroup_owner()
2019-07-10 09:00:57 -06:00
namei.c
fsnotify: add empty fsnotify_{unlink,rmdir}() hooks
2019-06-20 14:44:55 +02:00
namespace.c
fix the struct mount leak in umount_tree()
2019-07-26 07:59:06 -04:00
no-block.c
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152
2019-05-30 11:26:32 -07:00
nsfs.c
vfs: Convert nsfs to use the new mount API
2019-05-25 18:00:06 -04:00
open.c
access: avoid the RCU grace period for the temporary subjective credentials
2019-07-24 10:12:09 -07:00
pipe.c
vfs: Convert pipe to use the new mount API
2019-05-25 18:00:07 -04:00
pnode.c
fs/namespace: fix unprivileged mount propagation
2019-06-17 17:36:09 -04:00
pnode.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 209
2019-05-30 11:29:53 -07:00
posix_acl.c
treewide: Add SPDX license identifier for missed files
2019-05-21 10:50:45 +02:00
proc_namespace.c
read_write.c
vfs: allow copy_file_range to copy across devices
2019-06-09 10:06:20 -07:00
readdir.c
Remove 'type' argument from access_ok() function
2019-01-03 18:57:57 -08:00
select.c
fs/select.c: use struct_size() in kmalloc()
2019-07-16 19:23:25 -07:00
seq_file.c
nfsd: escape high characters in binary data
2019-07-03 17:52:50 -04:00
signalfd.c
fs: mark expected switch fall-throughs
2019-04-08 18:21:02 -05:00
splice.c
uio: make import_iovec()/compat_import_iovec() return bytes on success
2019-05-31 15:30:03 -06:00
stack.c
treewide: Add SPDX license identifier for missed files
2019-05-21 10:50:45 +02:00
stat.c
fs: move generic stat response attr handling to vfs_getattr_nosec
2019-02-01 01:55:45 -05:00
statfs.c
vfs: add vfs_get_fsid() helper
2019-02-07 16:38:35 +01:00
super.c
convenience helper: get_tree_single()
2019-07-04 22:01:58 -04:00
sync.c
fs/sync.c: sync_file_range(2) may use WB_SYNC_ALL writeback
2019-05-14 09:47:50 -07:00
timerfd.c
y2038: syscalls: rename y2038 compat syscalls
2019-02-07 00:13:27 +01:00
userfaultfd.c
fs/userfaultfd.c: disable irqs for fault_pending and event locks
2019-07-05 11:12:07 +09:00
utimes.c
y2038: syscalls: rename y2038 compat syscalls
2019-02-07 00:13:27 +01:00
xattr.c
treewide: Add SPDX license identifier for missed files
2019-05-21 10:50:45 +02:00