On 8/4/20 11:02 AM, xiao lin wrote: > 在 2020年8月4日星期二,Jens Axboe <axboe@xxxxxxxxx <mailto:axboe@xxxxxxxxx>> 写道: > > On 8/4/20 7:18 AM, Pavel Begunkov wrote: > > On 04/08/2020 15:56, Liu Yong wrote: > >> In io_send_recvmsg(), there is no check for the req->file. > >> User can change the opcode from IORING_OP_NOP to IORING_OP_SENDMSG > >> through competition after the io_req_set_file(). > > > > After sqe->opcode is read and copied in io_init_req(), it only uses > > in-kernel req->opcode. Also, io_init_req() should check for req->file > > NULL, so shouldn't happen after. > > > > Do you have a reproducer? What kernel version did you use? > > Was looking at this too, and I'm guessing this is some 5.4 based kernel. > Unfortunately the oops doesn't include that information. > Sorry, I forgot to mention that the kernel version I am using is 5.4.55. I think there are two options here: 1) Backport the series that ensured we only read those important bits once 2) Make s->sqe a full sqe, and memcpy it in -- Jens Axboe
