MIRRORS/linux-yocto
1
0
Fork 0
mirror of git://git.yoctoproject.org/linux-yocto.git synced 2025-07-05 13:25:20 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity
83b4161a63
linux-yocto/io_uring
History
Pavel Begunkov 73ef4f6e37 io_uring/net: fix sendzc double notif flush 
commit 67c007d6c12da3e456c005083696c20d4498ae72 upstream.

refcount_t: underflow; use-after-free.
WARNING: CPU: 0 PID: 5823 at lib/refcount.c:28 refcount_warn_saturate+0x15a/0x1d0 lib/refcount.c:28
RIP: 0010:refcount_warn_saturate+0x15a/0x1d0 lib/refcount.c:28
Call Trace:
 <TASK>
 io_notif_flush io_uring/notif.h:40 [inline]
 io_send_zc_cleanup+0x121/0x170 io_uring/net.c:1222
 io_clean_op+0x58c/0x9a0 io_uring/io_uring.c:406
 io_free_batch_list io_uring/io_uring.c:1429 [inline]
 __io_submit_flush_completions+0xc16/0xd20 io_uring/io_uring.c:1470
 io_submit_flush_completions io_uring/io_uring.h:159 [inline]

Before the blamed commit, sendzc relied on io_req_msg_cleanup() to clear
REQ_F_NEED_CLEANUP, so after the following snippet the request will
never hit the core io_uring cleanup path.

io_notif_flush();
io_req_msg_cleanup();

The easiest fix is to null the notification. io_send_zc_cleanup() can
still be called after, but it's tolerated.

Reported-by: syzbot+cf285a028ffba71b2ef5@syzkaller.appspotmail.com
Tested-by: syzbot+cf285a028ffba71b2ef5@syzkaller.appspotmail.com
Fixes: cc34d8330e036 ("io_uring/net: don't clear REQ_F_NEED_CLEANUP unconditionally")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/e1306007458b8891c88c4f20c966a17595f766b0.1742643795.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-03-28 22:03:32 +01:00
..
advise.c io_uring/advise: support 64-bit lengths 2024-06-16 14:54:55 -06:00
advise.h
alloc_cache.h io_uring/alloc_cache: switch to array based caching 2024-04-15 08:10:25 -06:00
cancel.c io_uring: fix warnings on shadow variables 2024-04-15 08:10:26 -06:00
cancel.h io_uring: fix cancellation overwriting req->flags 2024-06-13 19:25:28 -06:00
epoll.c
epoll.h
eventfd.c io_uring/eventfd: ensure io_eventfd_signal() defers another RCU period 2025-01-17 13:40:58 +01:00
eventfd.h io_uring/eventfd: move eventfd handling to separate file 2024-06-16 14:54:55 -06:00
fdinfo.c io_uring/rsrc: change ubuf->ubuf_end to length tracking 2024-09-15 09:15:22 -06:00
fdinfo.h
filetable.c io_uring/filetable: don't unnecessarily clear/reset bitmap 2024-05-08 08:27:45 -06:00
filetable.h io_uring: expand main struct io_kiocb flags to 64-bits 2024-02-08 13:27:03 -07:00
fs.c io_uring/fs: consider link->flags when getting path for LINKAT 2023-11-20 09:01:42 -07:00
fs.h
futex.c futex: Pass in task to futex_queue() 2025-03-22 12:54:14 -07:00
futex.h io_uring/alloc_cache: switch to array based caching 2024-04-15 08:10:25 -06:00
io_uring.c io_uring: prevent opcode speculation 2025-02-27 04:30:21 -08:00
io_uring.h io_uring/sqpoll: ensure task state is TASK_RUNNING when running task_work 2024-10-17 08:38:04 -06:00
io-wq.c io-wq: backoff when retrying worker creation 2025-03-22 12:54:19 -07:00
io-wq.h io_uring/io-wq: make io_wq_work flags atomic 2024-06-16 14:54:55 -06:00
kbuf.c io_uring/kbuf: reallocate buf lists on upgrade 2025-02-21 14:01:47 +01:00
kbuf.h io_uring/kbuf: add support for incremental buffer consumption 2024-08-29 08:44:58 -06:00
Makefile io_uring: add GCOV_PROFILE_URING Kconfig option 2024-08-30 10:52:02 -06:00
memmap.c io_uring: check for overflows in io_pin_pages 2024-12-05 14:02:50 +01:00
memmap.h io_uring: move mapping/allocation helpers to a separate file 2024-04-15 08:10:26 -06:00
msg_ring.c io_uring/msg_ring: fix uninitialized use of target_req->flags 2024-07-25 08:41:35 -06:00
msg_ring.h io_uring/msg_ring: add an alloc cache for io_kiocb entries 2024-06-24 08:39:55 -06:00
napi.c io_uring: user registered clockid for wait timeouts 2024-08-25 08:27:01 -06:00
napi.h io_uring/napi: postpone napi timeout adjustment 2024-08-25 08:27:01 -06:00
net.c io_uring/net: fix sendzc double notif flush 2025-03-28 22:03:32 +01:00
net.h io_uring: Introduce IORING_OP_LISTEN 2024-06-19 07:57:21 -06:00
nop.c io_uring: support to inject result for NOP 2024-05-10 06:09:45 -06:00
nop.h
notif.c io_uring/notif: disable LAZY_WAKE for linked notifs 2024-04-30 13:06:27 -06:00
notif.h io_uring/notif: implement notification stacking 2024-04-22 19:31:18 -06:00
opdef.c io_uring: Fix probe of disabled operations 2024-06-19 08:58:00 -06:00
opdef.h io_uring: Fix probe of disabled operations 2024-06-19 08:58:00 -06:00
openclose.c io_uring: enable audit and restrict cred override for IORING_OP_FIXED_FD_INSTALL 2024-01-23 15:25:14 -07:00
openclose.h io_uring/openclose: add support for IORING_OP_FIXED_FD_INSTALL 2023-12-12 07:42:57 -07:00
poll.c io_uring/net: don't retry connect operation on EPOLLERR 2025-02-17 10:05:38 +01:00
poll.h io_uring/poll: shrink alloc cache size to 32 2024-04-15 08:10:25 -06:00
refs.h io_uring: kill dead code in io_req_complete_post 2024-04-15 08:10:26 -06:00
register.c io_uring: clean up a type in io_uring_register_get_file() 2024-09-16 12:04:10 -06:00
register.h io_uring: clean up a type in io_uring_register_get_file() 2024-09-16 12:04:10 -06:00
rsrc.c io_uring/rsrc: require cloned buffers to share accounting contexts 2025-02-01 18:39:40 +01:00
rsrc.h io_uring/rsrc: change ubuf->ubuf_end to length tracking 2024-09-15 09:15:22 -06:00
rw.c io_uring/rw: forbid multishot async reads 2025-02-27 04:30:21 -08:00
rw.h io_uring/alloc_cache: switch to array based caching 2024-04-15 08:10:25 -06:00
slist.h
splice.c splice: return type ssize_t from all helpers 2023-12-12 16:19:59 +01:00
splice.h
sqpoll.c io_uring/sqpoll: zero sqd->thread on tctx errors 2025-01-17 13:40:52 +01:00
sqpoll.h io_uring/sqpoll: statistics of the true utilization of sq threads 2024-03-01 06:28:19 -07:00
statx.c vfs: retire user_path_at_empty and drop empty arg from getname_flags 2024-06-05 17:03:57 +02:00
statx.h
sync.c
sync.h
tctx.c io_uring/tctx: work around xa_store() allocation error issue 2024-12-14 20:04:10 +01:00
tctx.h
timeout.c io_uring/timeout: fix multishot updates 2025-01-17 13:40:51 +01:00
timeout.h
truncate.c io_uring: add support for ftruncate 2024-02-09 09:04:39 -07:00
truncate.h io_uring: add support for ftruncate 2024-02-09 09:04:39 -07:00
uring_cmd.c io_uring/uring_cmd: remove dead req_has_async_data() check 2025-02-21 14:01:20 +01:00
uring_cmd.h io_uring/alloc_cache: switch to array based caching 2024-04-15 08:10:25 -06:00
waitid.c io_uring/waitid: don't abuse io_tw_state 2025-02-21 14:01:20 +01:00
waitid.h io_uring: add IORING_OP_WAITID support 2023-09-21 12:04:45 -06:00
xattr.c vfs: retire user_path_at_empty and drop empty arg from getname_flags 2024-06-05 17:03:57 +02:00
xattr.h