* [PATCH 5.10/5.15] io_uring: avoid null-ptr-deref in io_arm_poll_handler
@ 2023-03-16 18:56 Fedor Pchelkin
2023-03-16 18:58 ` Jens Axboe
2023-03-16 19:04 ` Greg Kroah-Hartman
0 siblings, 2 replies; 5+ messages in thread
From: Fedor Pchelkin @ 2023-03-16 18:56 UTC (permalink / raw)
To: Jens Axboe, Greg Kroah-Hartman, stable
Cc: Fedor Pchelkin, linux-kernel, Alexey Khoroshilov, lvc-project
No upstream commit exists for this commit.
The issue was introduced with backporting upstream commit c16bda37594f
("io_uring/poll: allow some retries for poll triggering spuriously").
Memory allocation can possibly fail causing invalid pointer be
dereferenced just before comparing it to NULL value.
Move the pointer check in proper place (upstream has the similar location
of the check). In case the request has REQ_F_POLLED flag up, apoll can't
be NULL so no need to check there.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
---
io_uring/io_uring.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 445afda927f4..fd799567fc23 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -5792,10 +5792,10 @@ static int io_arm_poll_handler(struct io_kiocb *req)
}
} else {
apoll = kmalloc(sizeof(*apoll), GFP_ATOMIC);
+ if (unlikely(!apoll))
+ return IO_APOLL_ABORTED;
apoll->poll.retries = APOLL_MAX_RETRY;
}
- if (unlikely(!apoll))
- return IO_APOLL_ABORTED;
apoll->double_poll = NULL;
req->apoll = apoll;
req->flags |= REQ_F_POLLED;
--
2.34.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH 5.10/5.15] io_uring: avoid null-ptr-deref in io_arm_poll_handler
2023-03-16 18:56 [PATCH 5.10/5.15] io_uring: avoid null-ptr-deref in io_arm_poll_handler Fedor Pchelkin
@ 2023-03-16 18:58 ` Jens Axboe
2023-03-16 19:04 ` Greg Kroah-Hartman
1 sibling, 0 replies; 5+ messages in thread
From: Jens Axboe @ 2023-03-16 18:58 UTC (permalink / raw)
To: Fedor Pchelkin, Greg Kroah-Hartman, stable
Cc: linux-kernel, Alexey Khoroshilov, lvc-project
On 3/16/23 12:56 PM, Fedor Pchelkin wrote:
> No upstream commit exists for this commit.
>
> The issue was introduced with backporting upstream commit c16bda37594f
> ("io_uring/poll: allow some retries for poll triggering spuriously").
>
> Memory allocation can possibly fail causing invalid pointer be
> dereferenced just before comparing it to NULL value.
>
> Move the pointer check in proper place (upstream has the similar location
> of the check). In case the request has REQ_F_POLLED flag up, apoll can't
> be NULL so no need to check there.
>
> Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Ah thanks, yes that's a mistake. Looks good to me!
--
Jens Axboe
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 5.10/5.15] io_uring: avoid null-ptr-deref in io_arm_poll_handler
2023-03-16 18:56 [PATCH 5.10/5.15] io_uring: avoid null-ptr-deref in io_arm_poll_handler Fedor Pchelkin
2023-03-16 18:58 ` Jens Axboe
@ 2023-03-16 19:04 ` Greg Kroah-Hartman
2023-03-16 19:22 ` Fedor Pchelkin
1 sibling, 1 reply; 5+ messages in thread
From: Greg Kroah-Hartman @ 2023-03-16 19:04 UTC (permalink / raw)
To: Fedor Pchelkin
Cc: Jens Axboe, stable, linux-kernel, Alexey Khoroshilov, lvc-project
On Thu, Mar 16, 2023 at 09:56:16PM +0300, Fedor Pchelkin wrote:
> No upstream commit exists for this commit.
>
> The issue was introduced with backporting upstream commit c16bda37594f
> ("io_uring/poll: allow some retries for poll triggering spuriously").
>
> Memory allocation can possibly fail causing invalid pointer be
> dereferenced just before comparing it to NULL value.
>
> Move the pointer check in proper place (upstream has the similar location
> of the check). In case the request has REQ_F_POLLED flag up, apoll can't
> be NULL so no need to check there.
>
> Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
>
> Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
> ---
> io_uring/io_uring.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
> index 445afda927f4..fd799567fc23 100644
> --- a/io_uring/io_uring.c
> +++ b/io_uring/io_uring.c
> @@ -5792,10 +5792,10 @@ static int io_arm_poll_handler(struct io_kiocb *req)
> }
> } else {
> apoll = kmalloc(sizeof(*apoll), GFP_ATOMIC);
> + if (unlikely(!apoll))
> + return IO_APOLL_ABORTED;
How can you trigger a GFP_ATOMIC memory failure? If you do, worse
things are about to happen to your system, right?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 5.10/5.15] io_uring: avoid null-ptr-deref in io_arm_poll_handler
2023-03-16 19:04 ` Greg Kroah-Hartman
@ 2023-03-16 19:22 ` Fedor Pchelkin
2023-03-16 19:25 ` Jens Axboe
0 siblings, 1 reply; 5+ messages in thread
From: Fedor Pchelkin @ 2023-03-16 19:22 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Jens Axboe, stable, linux-kernel, Alexey Khoroshilov, lvc-project
On Thu, Mar 16, 2023 at 08:04:24PM +0100, Greg Kroah-Hartman wrote:
>
> How can you trigger a GFP_ATOMIC memory failure? If you do, worse
> things are about to happen to your system, right?
>
> thanks,
>
> greg k-h
Well, Syzkaller triggers them with fail slab, and that is more for
debugging purposes to detect improper handling of error paths.
I agree that if GFP_ATOMIC memory allocation fails then the system is in
more trouble. Do you mean this is the point not to backport it? Now I'm
actually not quite sure about this... It's not clear to me whether such
things should be backported: on one hand, it is a bug which can actually
occur (yes, in very bad situation), on the other - the whole system is not
good anyway.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 5.10/5.15] io_uring: avoid null-ptr-deref in io_arm_poll_handler
2023-03-16 19:22 ` Fedor Pchelkin
@ 2023-03-16 19:25 ` Jens Axboe
0 siblings, 0 replies; 5+ messages in thread
From: Jens Axboe @ 2023-03-16 19:25 UTC (permalink / raw)
To: Fedor Pchelkin, Greg Kroah-Hartman
Cc: stable, linux-kernel, Alexey Khoroshilov, lvc-project
On 3/16/23 1:22 PM, Fedor Pchelkin wrote:
> On Thu, Mar 16, 2023 at 08:04:24PM +0100, Greg Kroah-Hartman wrote:
>>
>> How can you trigger a GFP_ATOMIC memory failure? If you do, worse
>> things are about to happen to your system, right?
>>
>> thanks,
>>
>> greg k-h
>
> Well, Syzkaller triggers them with fail slab, and that is more for
> debugging purposes to detect improper handling of error paths.
>
> I agree that if GFP_ATOMIC memory allocation fails then the system is in
> more trouble. Do you mean this is the point not to backport it? Now I'm
> actually not quite sure about this... It's not clear to me whether such
> things should be backported: on one hand, it is a bug which can actually
> occur (yes, in very bad situation), on the other - the whole system is not
> good anyway.
I agree with both of you - the likelihood of this happening outside of
synthetic error injection is very small, and if it does, the system has
probably gone to shit anyway.
On the other hand, this does bring the code in line with what upstream
is doing, and I think it's worth adding for that reason alone.
--
Jens Axboe
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2023-03-16 19:25 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-03-16 18:56 [PATCH 5.10/5.15] io_uring: avoid null-ptr-deref in io_arm_poll_handler Fedor Pchelkin
2023-03-16 18:58 ` Jens Axboe
2023-03-16 19:04 ` Greg Kroah-Hartman
2023-03-16 19:22 ` Fedor Pchelkin
2023-03-16 19:25 ` Jens Axboe
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.