mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-01-24 01:09:38 -05:00
linux/io_uring
Jens Axboe 8b51a3956d io_uring: fix crash with IORING_SETUP_NO_MMAP and invalid SQ ring address
If we specify a valid CQ ring address but an invalid SQ ring address,
we'll correctly spot this and free the allocated pages and clear them
to NULL. However, we don't clear the ring page count, and hence will
attempt to free the pages again. We've already cleared the address of
the page array when freeing them, but we don't check for that. This
causes the following crash:

Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
Oops [#1]
Modules linked in:
CPU: 0 PID: 20 Comm: kworker/u2:1 Not tainted 6.6.0-rc5-dirty #56
Hardware name: ucbbar,riscvemu-bare (DT)
Workqueue: events_unbound io_ring_exit_work
epc : io_pages_free+0x2a/0x58
 ra : io_rings_free+0x3a/0x50
 epc : ffffffff808811a2 ra : ffffffff80881406 sp : ffff8f80000c3cd0
 status: 0000000200000121 badaddr: 0000000000000000 cause: 000000000000000d
 [<ffffffff808811a2>] io_pages_free+0x2a/0x58
 [<ffffffff80881406>] io_rings_free+0x3a/0x50
 [<ffffffff80882176>] io_ring_exit_work+0x37e/0x424
 [<ffffffff80027234>] process_one_work+0x10c/0x1f4
 [<ffffffff8002756e>] worker_thread+0x252/0x31c
 [<ffffffff8002f5e4>] kthread+0xc4/0xe0
 [<ffffffff8000332a>] ret_from_fork+0xa/0x1c

Check for a NULL array in io_pages_free(), but also clear the page counts
when we free them to be on the safer side.

Reported-by: rtm@csail.mit.edu
Fixes: 03d89a2de2 ("io_uring: support for user allocated memory for rings/sqes")
Cc: stable@vger.kernel.org
Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2023-10-18 09:22:14 -06:00
advise.c
advise.h
alloc_cache.h
cancel.c io_uring/cancel: wire up IORING_ASYNC_CANCEL_OP for sync cancel 2023-07-17 10:05:48 -06:00
cancel.h io_uring/cancel: support opcode based lookup and cancelation 2023-07-17 10:05:48 -06:00
epoll.c
epoll.h
fdinfo.c io_uring/fdinfo: only print ->sq_array[] if it's there 2023-09-01 15:08:29 -06:00
fdinfo.h
filetable.c
filetable.h
fs.c io_uring/fs: remove sqe->rw_flags checking from LINKAT 2023-09-29 03:07:09 -06:00
fs.h
io-wq.c io-wq: fully initialize wqe before calling cpuhp_state_add_instance_nocalls() 2023-10-05 14:11:18 -06:00
io-wq.h io_uring: break out of iowq iopoll on teardown 2023-09-07 09:02:27 -06:00
io_uring.c io_uring: fix crash with IORING_SETUP_NO_MMAP and invalid SQ ring address 2023-10-18 09:22:14 -06:00
io_uring.h io_uring: ensure io_lockdep_assert_cq_locked() handles disabled rings 2023-10-03 08:12:54 -06:00
kbuf.c io_uring/kbuf: don't allow registered buffer rings on highmem pages 2023-10-03 08:12:28 -06:00
kbuf.h
Makefile
msg_ring.c
msg_ring.h
net.c io_uring/net: fix iter retargeting for selected buf 2023-09-14 10:12:55 -06:00
net.h
nop.c
nop.h
notif.c
notif.h
opdef.c
opdef.h
openclose.c io_uring: correct check for O_TMPFILE 2023-08-07 12:34:23 -06:00
openclose.h
poll.c io_uring: never overflow io_aux_cqe 2023-08-11 10:42:57 -06:00
poll.h
refs.h
rsrc.c io_uring/rsrc: keep one global dummy_ubuf 2023-08-11 10:42:57 -06:00
rsrc.h io_uring/rsrc: Annotate struct io_mapped_ubuf with __counted_by 2023-08-17 19:14:47 -06:00
rw.c for-6.6/io_uring-2023-08-28 2023-08-29 20:11:33 -07:00
rw.h
slist.h
splice.c io_uring/splice: use fput() directly 2023-08-10 10:24:25 -06:00
splice.h
sqpoll.c io_uring: Don't set affinity on a dying sqpoll thread 2023-08-30 09:53:44 -06:00
sqpoll.h io_uring/sqpoll: fix io-wq affinity when IORING_SETUP_SQPOLL is used 2023-08-16 13:40:28 -06:00
statx.c
statx.h
sync.c
sync.h
tctx.c
tctx.h
timeout.c io_uring: never overflow io_aux_cqe 2023-08-11 10:42:57 -06:00
timeout.h
uring_cmd.c io_uring: simplify big_cqe handling 2023-08-24 17:16:19 -06:00
uring_cmd.h
xattr.c
xattr.h