On 12/12/24 11:21, Pavel Begunkov wrote:
On 12/12/24 10:08, chase xd wrote:
Syzkaller hit 'KASAN: use-after-free Read in io_cqring_wait' bug.
==================================================================
BUG: KASAN: use-after-free in io_cqring_wait+0x16bc/0x1780 io_uring/io_uring.c:2630
Read of size 4 at addr ffff88807d128008 by task syz-executor994/8389
So the kernel reads CQ head/tail and gets a UAF. The ring was allocated
while resizing rings and was also deleted while resizing rings, but
those could be different resize attempts.
Jens, considering the lack of locking on the normal waiting path,
while swapping rings what prevents waiters from seeing an old ring?
I'd assume that's the problem at hand.
Were users asking for both CQ and SQ? Might be worth considering
leaving only SQ resizing, as CQ for !DEFER_TASKRUN is inherently
harder to sync w/o additional overhead.
--
Pavel Begunkov