On 12/12/24 4:30 AM, Pavel Begunkov wrote:
> On 12/12/24 11:21, Pavel Begunkov wrote:
>> On 12/12/24 10:08, chase xd wrote:
>>> Syzkaller hit 'KASAN: use-after-free Read in io_cqring_wait' bug.
>>>
>>> ==================================================================
>>> BUG: KASAN: use-after-free in io_cqring_wait+0x16bc/0x1780
>>> io_uring/io_uring.c:2630
>>> Read of size 4 at addr ffff88807d128008 by task syz-executor994/8389
>>
>> So the kernel reads CQ head/tail and gets a UAF. The ring was allocated
>> while resizing rings and was also deleted while resizing rings, but
>> those could be different resize attempts.
>>
>> Jens, considering the lack of locking on the normal waiting path,
>> while swapping rings what prevents waiters from seeing an old ring?
>> I'd assume that's the problem at hand.
>
> Were users asking for both CQ and SQ? Might be worth considering
> leaving only SQ resizing, as CQ for !DEFER_TASKRUN is inherently
> harder to sync w/o additional overhead.

The CQ resizing is the interesting bit, SQ is just there since it's
pretty much the same operation. SQ resizing alone is useless imho.

We could always just make DEFER_TASKRUN a requirement for ring resizing
for now. That's where we want folks anyway.

-- 
Jens Axboe
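The race Pavel describes above (a waiter holding a ring pointer across a sleep with no lock, while a resize swaps and frees that ring), as an added single-threaded model that is not io_uring code and not from anyone in this thread. All names (`struct ctx`, `resize_rings`, `cqring_wait_*`, `interleave_fn`) and the ring sizes are hypothetical; `preempt` stands in for the point where the waiter sleeps and the resizer runs.

```c
/* Constructed single-threaded model of the race above (hypothetical names, not
 * io_uring code); "freeing" is a flag so no freed memory is ever touched. */
#include <stdbool.h>
#include <stdlib.h>

struct rings { unsigned head, tail; bool freed; };
struct ctx { struct rings *rings, *retired; };
typedef void (*interleave_fn)(struct ctx *);	/* runs while the waiter sleeps */
/* Resizer: publish the new ring, then retire (free) the old one. In the kernel
 * the swap is done under a lock that the normal waiting path does not take. */
static void resize_rings(struct ctx *c)
{
	struct rings *nr = calloc(1, sizeof *nr);
	nr->tail = 4;
	c->retired = c->rings;
	c->retired->freed = true;	/* stands in for freeing the old ring */
	c->rings = nr;
}
/* Unsafe wait: snapshot the ring pointer, sleep, then read head/tail through
 * the stale pointer. In the kernel that read is the KASAN use-after-free. */
static bool cqring_wait_unsafe(struct ctx *c, interleave_fn preempt, unsigned *n)
{
	struct rings *r = c->rings;
	preempt(c);
	if (r->freed)
		return false;
	*n = r->tail - r->head;
	return true;
}
/* Safe wait: never carry the ring pointer across the sleep; re-read it after
 * waking, under the same lock the resizer swaps with in a real kernel. */
static bool cqring_wait_safe(struct ctx *c, interleave_fn preempt, unsigned *n)
{
	preempt(c);
	bool live = !c->rings->freed;
	*n = c->rings->tail - c->rings->head;
	return live;
}
/* One waiter racing one resize: the CQ entries it saw, or -1 on a stale ring. */
static int run_scenario(bool (*wait)(struct ctx *, interleave_fn, unsigned *))
{
	struct ctx c = { .rings = calloc(1, sizeof(struct rings)) };
	unsigned n = 0;
	c.rings->tail = 2;
	bool ok = wait(&c, resize_rings, &n);
	free(c.retired);
	free(c.rings);
	return ok ? (int)n : -1;
}
```

The model only shows the pointer-lifetime structure of the bug; a real fix also has to serialize the waiter's re-read with the resizer's swap and free, which is what a DEFER_TASKRUN-only restriction would buy by keeping both on the same task.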