* [PATCH] io_uring: fix queueing half-created requests
@ 2021-08-31 9:37 Pavel Begunkov
0 siblings, 0 replies; only message in thread
From: Pavel Begunkov @ 2021-08-31 9:37 UTC (permalink / raw
To: Jens Axboe, io-uring; +Cc: syzbot+f9704d1878e290eddf73
[ 27.259845] general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI
[ 27.261043] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
[ 27.263730] RIP: 0010:sock_from_file+0x20/0x90
[ 27.272444] Call Trace:
[ 27.272736] io_sendmsg+0x98/0x600
[ 27.279216] io_issue_sqe+0x498/0x68d0
[ 27.281142] __io_queue_sqe+0xab/0xb50
[ 27.285830] io_req_task_submit+0xbf/0x1b0
[ 27.286306] tctx_task_work+0x178/0xad0
[ 27.288211] task_work_run+0xe2/0x190
[ 27.288571] exit_to_user_mode_prepare+0x1a1/0x1b0
[ 27.289041] syscall_exit_to_user_mode+0x19/0x50
[ 27.289521] do_syscall_64+0x48/0x90
[ 27.289871] entry_SYSCALL_64_after_hwframe+0x44/0xae
io_req_complete_failed() -> io_req_complete_post() ->
io_req_task_queue() still would try to enqueue hard linked request,
which can be half prepared (e.g. failed init), so we can't allow
that to happen.
Fixes: a8295b982c46d ("io_uring: fix failed linkchain code logic")
Reported-by: syzbot+f9704d1878e290eddf73@syzkaller.appspotmail.com
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
---
fs/io_uring.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index 473a977c7979..a531c7324ea8 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -6717,6 +6717,8 @@ static inline void io_queue_sqe(struct io_kiocb *req)
if (likely(!(req->flags & (REQ_F_FORCE_ASYNC | REQ_F_FAIL)))) {
__io_queue_sqe(req);
} else if (req->flags & REQ_F_FAIL) {
+ /* fail all, we don't submit */
+ req->flags &= ~REQ_F_HARDLINK;
io_req_complete_failed(req, req->result);
} else {
int ret = io_req_prep_async(req);
--
2.33.0
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2021-08-31 9:38 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-08-31 9:37 [PATCH] io_uring: fix queueing half-created requests Pavel Begunkov
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.