Commit 1a38ffc9 authored by Pavel Begunkov's avatar Pavel Begunkov Committed by Jens Axboe

io_uring: NULL files dereference by SQPOLL

SQPOLL task may find sqo_task->files == NULL and
__io_sq_thread_acquire_files() would leave it unset, so following
fget_many() and others try to dereference NULL and fault. Propagate
an error files are missing.

[  118.962785] BUG: kernel NULL pointer dereference, address:
	0000000000000020
[  118.963812] #PF: supervisor read access in kernel mode
[  118.964534] #PF: error_code(0x0000) - not-present page
[  118.969029] RIP: 0010:__fget_files+0xb/0x80
[  119.005409] Call Trace:
[  119.005651]  fget_many+0x2b/0x30
[  119.005964]  io_file_get+0xcf/0x180
[  119.006315]  io_submit_sqes+0x3a4/0x950
[  119.007481]  io_sq_thread+0x1de/0x6a0
[  119.007828]  kthread+0x114/0x150
[  119.008963]  ret_from_fork+0x22/0x30
Reported-by: default avatarJosef Grieb <josef.grieb@gmail.com>
Signed-off-by: default avatarPavel Begunkov <asml.silence@gmail.com>
Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
parent c73ebb68
......@@ -1061,7 +1061,7 @@ static void io_sq_thread_drop_mm_files(void)
}
}
static void __io_sq_thread_acquire_files(struct io_ring_ctx *ctx)
static int __io_sq_thread_acquire_files(struct io_ring_ctx *ctx)
{
if (!current->files) {
struct files_struct *files;
......@@ -1071,7 +1071,7 @@ static void __io_sq_thread_acquire_files(struct io_ring_ctx *ctx)
files = ctx->sqo_task->files;
if (!files) {
task_unlock(ctx->sqo_task);
return;
return -EOWNERDEAD;
}
atomic_inc(&files->count);
get_nsproxy(ctx->sqo_task->nsproxy);
......@@ -1083,6 +1083,7 @@ static void __io_sq_thread_acquire_files(struct io_ring_ctx *ctx)
current->nsproxy = nsproxy;
task_unlock(current);
}
return 0;
}
static int __io_sq_thread_acquire_mm(struct io_ring_ctx *ctx)
......@@ -1114,15 +1115,19 @@ static int io_sq_thread_acquire_mm_files(struct io_ring_ctx *ctx,
struct io_kiocb *req)
{
const struct io_op_def *def = &io_op_defs[req->opcode];
int ret;
if (def->work_flags & IO_WQ_WORK_MM) {
int ret = __io_sq_thread_acquire_mm(ctx);
ret = __io_sq_thread_acquire_mm(ctx);
if (unlikely(ret))
return ret;
}
if (def->needs_file || (def->work_flags & IO_WQ_WORK_FILES))
__io_sq_thread_acquire_files(ctx);
if (def->needs_file || (def->work_flags & IO_WQ_WORK_FILES)) {
ret = __io_sq_thread_acquire_files(ctx);
if (unlikely(ret))
return ret;
}
return 0;
}
......@@ -2130,8 +2135,8 @@ static void __io_req_task_submit(struct io_kiocb *req)
{
struct io_ring_ctx *ctx = req->ctx;
if (!__io_sq_thread_acquire_mm(ctx)) {
__io_sq_thread_acquire_files(ctx);
if (!__io_sq_thread_acquire_mm(ctx) &&
!__io_sq_thread_acquire_files(ctx)) {
mutex_lock(&ctx->uring_lock);
__io_queue_sqe(req, NULL);
mutex_unlock(&ctx->uring_lock);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment