From: Edward Adam Davis <eadavis@qq.com>
To: syzbot+b91eb2ed18f599dd3c31@syzkaller.appspotmail.com
Cc: bcrl@kvack.org, brauner@kernel.org, bvanassche@acm.org,
jack@suse.cz, linux-aio@kvack.org, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
viro@zeniv.linux.org.uk
Subject: [PATCH] fs/aio: fix uaf in sys_io_cancel
Date: Sun, 3 Mar 2024 20:21:00 +0800 [thread overview]
Message-ID: <tencent_DC4C9767C786D2D2FDC64F099FAEFDEEC106@qq.com> (raw)
In-Reply-To: <0000000000006945730612bc9173@google.com>
The aio poll work aio_poll_complete_work() need to be synchronized with syscall
io_cancel(). Otherwise, when poll work executes first, syscall may access the
released aio_kiocb object.
Fixes: 54cbc058d86b ("fs/aio: Make io_cancel() generate completions again")
Reported-and-tested-by: syzbot+b91eb2ed18f599dd3c31@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
fs/aio.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/fs/aio.c b/fs/aio.c
index 28223f511931..0fed22ed9eb8 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -1762,9 +1762,8 @@ static void aio_poll_complete_work(struct work_struct *work)
} /* else, POLLFREE has freed the waitqueue, so we must complete */
list_del_init(&iocb->ki_list);
iocb->ki_res.res = mangle_poll(mask);
- spin_unlock_irq(&ctx->ctx_lock);
-
iocb_put(iocb);
+ spin_unlock_irq(&ctx->ctx_lock);
}
/* assumes we are called with irqs disabled */
@@ -2198,7 +2197,6 @@ SYSCALL_DEFINE3(io_cancel, aio_context_t, ctx_id, struct iocb __user *, iocb,
break;
}
}
- spin_unlock_irq(&ctx->ctx_lock);
/*
* The result argument is no longer used - the io_event is always
@@ -2206,6 +2204,7 @@ SYSCALL_DEFINE3(io_cancel, aio_context_t, ctx_id, struct iocb __user *, iocb,
*/
if (ret == 0 && kiocb->rw.ki_flags & IOCB_AIO_RW)
aio_complete_rw(&kiocb->rw, -EINTR);
+ spin_unlock_irq(&ctx->ctx_lock);
percpu_ref_put(&ctx->users);
--
2.43.0
next prev parent reply other threads:[~2024-03-03 12:21 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-03 7:29 [syzbot] [fs?] KASAN: slab-use-after-free Read in sys_io_cancel syzbot
2024-03-03 9:53 ` Edward Adam Davis
2024-03-03 10:22 ` syzbot
2024-03-03 11:33 ` Edward Adam Davis
2024-03-03 11:50 ` syzbot
2024-03-03 12:21 ` Edward Adam Davis [this message]
2024-03-04 16:15 ` [PATCH] fs/aio: fix uaf " Bart Van Assche
2024-03-04 17:03 ` Benjamin LaHaise
2024-03-04 17:15 ` Bart Van Assche
2024-03-04 17:31 ` Benjamin LaHaise
2024-03-04 17:40 ` Bart Van Assche
2024-03-04 17:47 ` Benjamin LaHaise
2024-03-04 17:58 ` Bart Van Assche
2024-03-04 18:02 ` Benjamin LaHaise
2024-03-04 10:44 ` [syzbot] [fs?] KASAN: slab-use-after-free Read " Hillf Danton
2024-03-04 13:33 ` syzbot
2024-03-04 14:07 ` Hillf Danton
2024-03-04 14:57 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=tencent_DC4C9767C786D2D2FDC64F099FAEFDEEC106@qq.com \
--to=eadavis@qq.com \
--cc=bcrl@kvack.org \
--cc=brauner@kernel.org \
--cc=bvanassche@acm.org \
--cc=jack@suse.cz \
--cc=linux-aio@kvack.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=syzbot+b91eb2ed18f599dd3c31@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.