From: Jens Axboe <axboe@kernel.dk>
To: Xin Yin <yinxin_1989@aliyun.com>, viro@zeniv.linux.org.uk
Cc: linux-block@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] io_uring: Fix NULL pointer dereference in io_sq_wq_submit_work()
Date: Tue, 1 Sep 2020 20:12:31 -0600 [thread overview]
Message-ID: <1c1ae234-0084-bddd-990f-5fd92c4e6430@kernel.dk> (raw)
In-Reply-To: <20200902015948.109580-1-yinxin_1989@aliyun.com>
On 9/1/20 7:59 PM, Xin Yin wrote:
> the commit <1c4404efcf2c0> ("<io_uring: make sure async workqueue
> is canceled on exit>") caused a crash in io_sq_wq_submit_work().
> when io_ring-wq get a req form async_list, which not have been
> added to task_list. Then try to delete the req from task_list will caused
> a "NULL pointer dereference".
>
> Ensure add req to async_list and task_list at the sametime.
>
> The crash log looks like this:
> [95995.973638] Unable to handle kernel NULL pointer dereference at virtual address 00000000
> [95995.979123] pgd = c20c8964
> [95995.981803] [00000000] *pgd=1c72d831, *pte=00000000, *ppte=00000000
> [95995.988043] Internal error: Oops: 817 [#1] SMP ARM
> [95995.992814] Modules linked in: bpfilter(-)
> [95995.996898] CPU: 1 PID: 15661 Comm: kworker/u8:5 Not tainted 5.4.56 #2
> [95996.003406] Hardware name: Amlogic Meson platform
> [95996.008108] Workqueue: io_ring-wq io_sq_wq_submit_work
> [95996.013224] PC is at io_sq_wq_submit_work+0x1f4/0x5c4
> [95996.018261] LR is at walk_stackframe+0x24/0x40
> [95996.022685] pc : [<c059b898>] lr : [<c030da7c>] psr: 600f0093
> [95996.028936] sp : dc6f7e88 ip : dc6f7df0 fp : dc6f7ef4
> [95996.034148] r10: deff9800 r9 : dc1d1694 r8 : dda58b80
> [95996.039358] r7 : dc6f6000 r6 : dc6f7ebc r5 : dc1d1600 r4 : deff99c0
> [95996.045871] r3 : 0000cb5d r2 : 00000000 r1 : ef6b9b80 r0 : c059b88c
> [95996.052385] Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user
> [95996.059593] Control: 10c5387d Table: 22be804a DAC: 00000055
> [95996.065325] Process kworker/u8:5 (pid: 15661, stack limit = 0x78013c69)
> [95996.071923] Stack: (0xdc6f7e88 to 0xdc6f8000)
> [95996.076268] 7e80: dc6f7ecc dc6f7e98 00000000 c1f06c08 de9dc800 deff9a04
> [95996.084431] 7ea0: 00000000 dc6f7f7c 00000000 c1f65808 0000080c dc677a00 c1ee9bd0 dc6f7ebc
> [95996.092594] 7ec0: dc6f7ebc d085c8f6 c0445a90 dc1d1e00 e008f300 c0288400 e4ef7100 00000000
> [95996.100757] 7ee0: c20d45b0 e4ef7115 dc6f7f34 dc6f7ef8 c03725f0 c059b6b0 c0288400 c0288400
> [95996.108921] 7f00: c0288400 00000001 c0288418 e008f300 c0288400 e008f314 00000088 c0288418
> [95996.117083] 7f20: c1f03d00 dc6f6038 dc6f7f7c dc6f7f38 c0372df8 c037246c dc6f7f5c 00000000
> [95996.125245] 7f40: c1f03d00 c1f03d00 c20d3cbe c0288400 dc6f7f7c e1c43880 e4fa7980 00000000
> [95996.133409] 7f60: e008f300 c0372d9c e48bbe74 e1c4389c dc6f7fac dc6f7f80 c0379244 c0372da8
> [95996.141570] 7f80: 600f0093 e4fa7980 c0379108 00000000 00000000 00000000 00000000 00000000
> [95996.149734] 7fa0: 00000000 dc6f7fb0 c03010ac c0379114 00000000 00000000 00000000 00000000
> [95996.157897] 7fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> [95996.166060] 7fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
> [95996.174217] Backtrace:
> [95996.176662] [<c059b6a4>] (io_sq_wq_submit_work) from [<c03725f0>] (process_one_work+0x190/0x4c0)
> [95996.185425] r10:e4ef7115 r9:c20d45b0 r8:00000000 r7:e4ef7100 r6:c0288400 r5:e008f300
> [95996.193237] r4:dc1d1e00
> [95996.195760] [<c0372460>] (process_one_work) from [<c0372df8>] (worker_thread+0x5c/0x5bc)
> [95996.203836] r10:dc6f6038 r9:c1f03d00 r8:c0288418 r7:00000088 r6:e008f314 r5:c0288400
> [95996.211647] r4:e008f300
> [95996.214173] [<c0372d9c>] (worker_thread) from [<c0379244>] (kthread+0x13c/0x168)
> [95996.221554] r10:e1c4389c r9:e48bbe74 r8:c0372d9c r7:e008f300 r6:00000000 r5:e4fa7980
> [95996.229363] r4:e1c43880
> [95996.231888] [<c0379108>] (kthread) from [<c03010ac>] (ret_from_fork+0x14/0x28)
> [95996.239088] Exception stack(0xdc6f7fb0 to 0xdc6f7ff8)
> [95996.244127] 7fa0: 00000000 00000000 00000000 00000000
> [95996.252291] 7fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> [95996.260453] 7fe0: 00000000 00000000 00000000 00000000 00000013 00000000
> [95996.267054] r10:00000000 r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:c0379108
> [95996.274866] r4:e4fa7980 r3:600f0093
> [95996.278430] Code: eb3a59e1 e5952098 e5951094 e5812004 (e5821000)
Thanks for catching this, I'll get it queued for stable.
--
Jens Axboe
next parent reply other threads:[~2020-09-02 2:12 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20200902015948.109580-1-yinxin_1989@aliyun.com>
2020-09-02 2:12 ` Jens Axboe [this message]
[not found] <20200901015442.44831-1-yinxin_1989@aliyun.com>
2020-09-01 3:38 ` [PATCH] io_uring: Fix NULL pointer dereference in io_sq_wq_submit_work() Jens Axboe
[not found] ` <67f27d17-81fa-43a8-baa9-429b1ccd65d0.yinxin_1989@aliyun.com>
2020-09-01 14:52 ` Jens Axboe
2020-09-01 20:01 ` Jens Axboe
2020-09-01 20:12 ` Jens Axboe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1c1ae234-0084-bddd-990f-5fd92c4e6430@kernel.dk \
--to=axboe@kernel.dk \
--cc=linux-block@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=viro@zeniv.linux.org.uk \
--cc=yinxin_1989@aliyun.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).