On 8/4/20 7:18 AM, Pavel Begunkov wrote:
> On 04/08/2020 15:56, Liu Yong wrote:
>> In io_send_recvmsg(), there is no check for the req->file.
>> User can change the opcode from IORING_OP_NOP to IORING_OP_SENDMSG
>> through competition after the io_req_set_file().
>
> After sqe->opcode is read and copied in io_init_req(), it only uses
> in-kernel req->opcode. Also, io_init_req() should check for req->file
> NULL, so shouldn't happen after.
>
> Do you have a reproducer? What kernel version did you use?

Was looking at this too, and I'm guessing this is some 5.4 based kernel.
Unfortunately the oops doesn't include that information.

-- 
Jens Axboe