Re: [PATCH] io_uring: Fix NULL pointer dereference in io_sq_wq_submit_work()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 9/1/20 2:01 PM, Jens Axboe wrote:
> On 9/1/20 8:52 AM, Jens Axboe wrote:
>> On 8/31/20 10:59 PM, yinxin_1989 wrote:
>>>
>>>> On 8/31/20 7:54 PM, Xin Yin wrote:
>>>>> the commit <1c4404efcf2c0> ("<io_uring: make sure async workqueue
>>>>> is canceled on exit>") caused a crash in io_sq_wq_submit_work().
>>>>> when io_ring-wq get a req form async_list, which may not have been
>>>>> added to task_list. Then try to delete the req from task_list will caused
>>>>> a "NULL pointer dereference".
>>>>
>>>> Hmm, do you have a reproducer for this?
>>>
>>> I update code to linux5.4.y , and I can reproduce this issue on an arm
>>> board and my x86 pc by fio tools.
>>
>> Right, I figured this was 5.4 stable, as that's the only version that
>> has this patch.
> 
> I took a closer look, and I think your patch can basically be boiled down
> to this single hunk. If you agree, can you resend your patch with the
> description based on that, then I'll get it queued up for 5.4-stable.
> Thanks!

Actually, we don't even need the irqsave, this should be enough:

diff --git a/fs/io_uring.c b/fs/io_uring.c
index fada14ee1cdc..2a539b794f3b 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -2378,6 +2378,15 @@ static bool io_add_to_prev_work(struct async_list *list, struct io_kiocb *req)
 		list_del_init(&req->list);
 		ret = false;
 	}
+
+	if (ret) {
+		struct io_ring_ctx *ctx = req->ctx;
+
+		spin_lock_irq(&ctx->task_lock);
+		list_add(&req->task_list, &ctx->task_list);
+		req->work_task = NULL;
+		spin_unlock_irq(&ctx->task_lock);
+	}
 	spin_unlock(&list->lock);
 	return ret;
 }

-- 
Jens Axboe




[Index of Archives]     [Linux RAID]     [Linux SCSI]     [Linux ATA RAID]     [IDE]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Device Mapper]

  Powered by Linux