On 12/12/24 10:08, chase xd wrote:
> Syzkaller hit 'KASAN: use-after-free Read in io_cqring_wait' bug.
>
> ==================================================================
> BUG: KASAN: use-after-free in io_cqring_wait+0x16bc/0x1780 io_uring/io_uring.c:2630
> Read of size 4 at addr ffff88807d128008 by task syz-executor994/8389
So the kernel reads CQ head/tail and gets a UAF. The ring was allocated while resizing rings and was also deleted while resizing rings, but those could be different resize attempts.

Jens, considering the lack of locking on the normal waiting path, while swapping rings what prevents waiters from seeing an old ring? I'd assume that's the problem at hand.

-- 
Pavel Begunkov
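The interleaving Pavel is asking about, as a constructed userspace model added here for illustration (this is not io_uring code, not the syzkaller reproducer, and not the eventual fix): a lockless waiter loads the current ring pointer, a resize publishes a new ring and frees the old one, and the waiter then dereferences the pointer it already holds. The struct names (`cq_ring`, `ctx`), the `preempt` callback standing in for the scheduler, and the reference-counted "safe" path are all assumptions of the model. Rings are never really `free()`d; `retire_ring()` clears a `live` flag instead so the stale read is observable rather than undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of a completion ring (not the kernel's layout). */
struct cq_ring {
    unsigned head, tail, entries;
    unsigned refs;      /* waiters currently using this ring (safe path only) */
    bool live;          /* false once the resizer has "freed" it */
    bool need_retire;   /* swapped out while still referenced; retire on last put */
};

struct ctx {
    struct cq_ring *rings;   /* current ring, loaded by waiters without a lock */
};

struct cq_ring *ring_new(unsigned entries) {
    struct cq_ring *r = calloc(1, sizeof *r);
    if (!r) abort();
    r->entries = entries;
    r->live = true;
    return r;
}

/* Stands in for free(): the memory stays readable so the race is detectable. */
static void retire_ring(struct cq_ring *r) { r->live = false; }

/* Unsafe resize: publish the new ring and drop the old one immediately,
 * regardless of whether a waiter still holds a pointer to it. */
void resize_unsafe(struct ctx *ctx, unsigned entries) {
    struct cq_ring *old = ctx->rings, *nr = ring_new(entries);
    nr->head = old->head;
    nr->tail = old->tail;
    ctx->rings = nr;
    retire_ring(old);
}

/* Unsafe waiter: load the ring pointer once, then dereference it later.
 * `preempt` models something else (e.g. a resize) running in between.
 * Returns true if the head/tail read hit a retired ring, i.e. the modelled UAF. */
bool wait_unsafe(struct ctx *ctx, void (*preempt)(struct ctx *)) {
    struct cq_ring *r = ctx->rings;
    preempt(ctx);
    bool stale = !r->live;
    (void)(r->tail - r->head);   /* the "Read of size 4" on head/tail */
    return stale;
}

/* Safe path: waiters pin the ring they loaded, and a resize that finds the
 * old ring still pinned defers its retirement to the last waiter. In a real
 * kernel the load+pin would itself need a lock or RCU to be atomic against
 * the swap; this single-threaded model only shows the lifetime rule. */
static struct cq_ring *ring_get(struct ctx *ctx) {
    struct cq_ring *r = ctx->rings;
    r->refs++;
    return r;
}

static void ring_put(struct cq_ring *r) {
    if (--r->refs == 0 && r->need_retire)
        retire_ring(r);
}

void resize_safe(struct ctx *ctx, unsigned entries) {
    struct cq_ring *old = ctx->rings, *nr = ring_new(entries);
    nr->head = old->head;
    nr->tail = old->tail;
    ctx->rings = nr;
    if (old->refs == 0)
        retire_ring(old);
    else
        old->need_retire = true;   /* a waiter is still on it */
}

bool wait_safe(struct ctx *ctx, void (*preempt)(struct ctx *)) {
    struct cq_ring *r = ring_get(ctx);
    preempt(ctx);
    bool stale = !r->live;
    (void)(r->tail - r->head);
    ring_put(r);
    return stale;
}

/* Scenario drivers: a resize runs exactly where the waiter got preempted. */
void preempt_resize_unsafe(struct ctx *c) { resize_unsafe(c, 16); }
void preempt_resize_safe(struct ctx *c)   { resize_safe(c, 16); }

bool demo_unsafe(void) {
    struct ctx c = { ring_new(8) };
    struct cq_ring *old = c.rings;
    bool stale = wait_unsafe(&c, preempt_resize_unsafe);
    free(old);
    free(c.rings);
    return stale;   /* true: waiter read head/tail of the retired ring */
}

/* Also reports whether the old ring was retired once the waiter let go. */
bool demo_safe(bool *old_retired) {
    struct ctx c = { ring_new(8) };
    struct cq_ring *old = c.rings;
    bool stale = wait_safe(&c, preempt_resize_safe);
    *old_retired = !old->live;
    free(old);
    free(c.rings);
    return stale;   /* false: retirement was deferred past the read */
}

int main(void) {
    bool retired = false;
    printf("unsafe path stale read: %d\n", demo_unsafe());
    printf("safe path stale read: %d, old ring retired after put: %d\n",
           demo_safe(&retired), retired);
    return 0;
}
```

The model is deliberately single-threaded so the interleaving is exact; with real threads the `refs++` in `ring_get()` would itself race with the swap, which is why the waiter's load-and-pin and the resizer's swap-and-free need a common synchronization point (the lock on the resize path, or an RCU read section around the waiter's access) rather than a bare reference count.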