Hey Linus,
/* Summary */
An openat() call from io_uring triggering an audit call can apparently
cause the refcount of struct filename to be incremented from multiple
threads concurrently during async execution, triggering a refcount
underflow and hitting a BUG_ON(). That bug has been lurking around since
at least v5.16 apparently.
Switch to an atomic counter to fix that. The underflow check is
downgraded from a BUG_ON() to a WARN_ON_ONCE() but we could easily
remove that check altogether tbh and not waste an additional atomic. So
if you feel that extra check isn't needed you could just remove in case
you're pulling.
/* Testing */
clang: Ubuntu clang version 15.0.7
gcc: (Ubuntu 12.2.0-3ubuntu1) 12.2.0
All patches are based on v6.6-rc6 and have been sitting in linux-next.
No build failures or warnings were observed.
/* Conflicts */
At the time of creating this PR no merge conflicts were reported from
linux-next and no merge conflicts showed up doing a test-merge with
current mainline.
The following changes since commit 94f6f0550c625fab1f373bb86a6669b45e9748b3:
Linux 6.6-rc5 (2023-10-08 13:49:43 -0700)
are available in the Git repository at:
git@xxxxxxxxxxxxxxxxxxx:pub/scm/linux/kernel/git/vfs/vfs tags/v6.6-rc7.vfs.fixes
for you to fetch changes up to 03adc61edad49e1bbecfb53f7ea5d78f398fe368:
audit,io_uring: io_uring openat triggers audit reference count underflow (2023-10-13 18:34:46 +0200)
Please consider pulling these changes from the signed v6.6-rc7.vfs.fixes tag.
Thanks!
Christian
----------------------------------------------------------------
v6.6-rc7.vfs.fixes
----------------------------------------------------------------
Dan Clash (1):
audit,io_uring: io_uring openat triggers audit reference count underflow
fs/namei.c | 9 +++++----
include/linux/fs.h | 2 +-
kernel/auditsc.c | 8 ++++----
3 files changed, 10 insertions(+), 9 deletions(-)
