On 12/26/24 9:49 AM, Pavel Begunkov wrote:
> BUG: KASAN: slab-use-after-free in __lock_acquire+0x370b/0x4a10 kernel/locking/lockdep.c:5089
> Call Trace:
> <TASK>
> ...
> _raw_spin_lock_irqsave+0x3d/0x60 kernel/locking/spinlock.c:162
> class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline]
> try_to_wake_up+0xb5/0x23c0 kernel/sched/core.c:4205
> io_sq_thread_park+0xac/0xe0 io_uring/sqpoll.c:55
> io_sq_thread_finish+0x6b/0x310 io_uring/sqpoll.c:96
> io_sq_offload_create+0x162/0x11d0 io_uring/sqpoll.c:497
> io_uring_create io_uring/io_uring.c:3724 [inline]
> io_uring_setup+0x1728/0x3230 io_uring/io_uring.c:3806
> ...
>
> Kun Hu reports that the SQPOLL creating error path has UAF, which
> happens if io_uring_alloc_task_context() fails and then io_sq_thread()
> manages to run and complete before the rest of error handling code,
> which means io_sq_thread_finish() is looking at already killed task.

Might be worth mentioning that this is only really a fault injection thing. But outside of that, looks fine to me - thanks!

-- 
Jens Axboe