On 4/17/21 8:56 AM, Palash Oswal wrote: > Hello, > > I have been trying to decipher a bug that my local syzkaller instance > discovered in the v5.11.12 stable tree. I have more details in [1]. > Could someone please review. Can be, what is the hash of last commit you used? stable 5.11 is different now, I'd guess it was fixed by commit 0298ef969a110ca03654f0cea9b50e3f3b331acc Author: Pavel Begunkov <asml.silence@xxxxxxxxx> Date: Mon Mar 8 13:20:57 2021 +0000 io_uring: clean R_DISABLED startup mess > > [1] https://oswalpalash.com/exploring-null-ptr-deref-io-uring-submit/ > Signed-off-by: Palash Oswal <hello@xxxxxxxxxxxxxxx> > --- > fs/io_uring.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/fs/io_uring.c b/fs/io_uring.c > index 8b4213de9e08..00b35079b91a 100644 > --- a/fs/io_uring.c > +++ b/fs/io_uring.c > @@ -8995,7 +8995,7 @@ static void io_disable_sqo_submit(struct io_ring_ctx *ctx) > { > mutex_lock(&ctx->uring_lock); > ctx->sqo_dead = 1; > - if (ctx->flags & IORING_SETUP_R_DISABLED) > + if (ctx->flags & IORING_SETUP_R_DISABLED && ctx->sq_data) > io_sq_offload_start(ctx); > mutex_unlock(&ctx->uring_lock); > -- Pavel Begunkov
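Review bot: the new condition in io_disable_sqo_submit() mixes `&` and `&&` with no parentheses; it evaluates as intended only because `&` binds tighter than `&&`, and kernel style prefers the bitwise test bracketed: `if ((ctx->flags & IORING_SETUP_R_DISABLED) && ctx->sq_data)`. The larger issue is that the added `ctx->sq_data` test hides the symptom without saying how a ring created with IORING_SETUP_R_DISABLED can reach this function with `sq_data` still NULL; the changelog should describe that path (the patch body here carries only the Signed-off-by and a link), quote the relevant part of the syzkaller report from [1], and add a Fixes: tag naming the commit that put the io_sq_offload_start() call here, with Cc: stable if the target is 5.11.y. As the reply above notes, the 5.11 stable tree has since moved on and the problem may already be covered there by 0298ef969a11 ("io_uring: clean R_DISABLED startup mess"), so the submitter should confirm against the current stable head before resending.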