Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp688186pxj;
        Thu, 27 May 2021 09:23:27 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyAGdaUfiqK3ZTFvHTdm7VeYVv3PX6XJp5iYjoCOdw4qKsu5ZIZdyX3Y9E64Hv8XaC2n4m/
X-Received: by 2002:a50:9549:: with SMTP id v9mr5096346eda.312.1622132607673;
        Thu, 27 May 2021 09:23:27 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1622132607; cv=none;
        d=google.com; s=arc-20160816;
        b=teo6K8dcjwsTCj5c3wmiZ4ASmwQmPgqUVYxAqiS5BR3qDS3T5l1Kiaf24kc1UV4LXW
         7fMSH/ae0LNntpY+SZx9pNpXSCQg1AgzPXIFSMUwDEG0PDLdLnZAvFHHSJrW7+qEomCT
         PI3gIuRnlNvRF+M69LXbQ0lwC856qA93v0E5k0jJa7zCGZKsGZ/do249+eeoWn/02HBI
         sPKBAFRCNhzjklm4z/Yzj9wTaFZTF7SGmJZJdqi0+48F9QFc1epeomtI0D19eklO3zDa
         B4b4Gu3A3SdV3PXgWNSlAES47ZjvhejIldK9IioppFVrfFIFLuxlLSmL/nAcQazAR1a0
         kN0w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:content-language
         :in-reply-to:mime-version:user-agent:date:message-id:from:references
         :cc:to:subject:dkim-signature;
        bh=zZ100OgAiDnND5MKuUNcSvGRwi3n6jrkgirwTZqtvBg=;
        b=iyEVi06nZ6giRCi6Wgf2wm5oZqGQjpNYDGphUPwFsCb+/qk82WyCZE1F9OoF/95rNk
         b+BdsvP6ghcBnzHoeWeG5jqY9ncKeQx0LiciRYHjXGA5u7wUFlefQ7vSR7U0qU8wEE9S
         bFkEy6Xp32VxWp9BGKVdLDhni4fHlk8/K/COD4+eTxtZ9MWecaPk8NAiDZYjtwJ5s2qX
         7su9j4vvifo1zgbYY+5xtzgnHxlQmg9sedTXjwTEtJdhyyEwRrimRZ87wG5mHIKAvFe2
         ROucCPwhIE7Va7yOjVrO5FYW2WagULLsUQZUrk6bbMwz5OQ3EykortU2ZTzLiLUC1Mxx
         zEOQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel-dk.20150623.gappssmtp.com header.s=20150623 header.b=gbRqGxkt;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id y13si2671252edp.239.2021.05.27.09.23.03;
        Thu, 27 May 2021 09:23:27 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel-dk.20150623.gappssmtp.com header.s=20150623 header.b=gbRqGxkt;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S236537AbhE0Nqr (ORCPT <rfc822;luizmacielfranco@gmail.com>
        + 99 others); Thu, 27 May 2021 09:46:47 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38702 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S236335AbhE0Nqq (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 27 May 2021 09:46:46 -0400
Received: from mail-ot1-x334.google.com (mail-ot1-x334.google.com [IPv6:2607:f8b0:4864:20::334])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BE8B6C061574
        for <linux-kernel@vger.kernel.org>; Thu, 27 May 2021 06:45:12 -0700 (PDT)
Received: by mail-ot1-x334.google.com with SMTP id t10-20020a05683022eab0290304ed8bc759so212732otc.12
        for <linux-kernel@vger.kernel.org>; Thu, 27 May 2021 06:45:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=kernel-dk.20150623.gappssmtp.com; s=20150623;
        h=subject:to:cc:references:from:message-id:date:user-agent
         :mime-version:in-reply-to:content-language:content-transfer-encoding;
        bh=zZ100OgAiDnND5MKuUNcSvGRwi3n6jrkgirwTZqtvBg=;
        b=gbRqGxktvRNDpJhHKBHPOtxsKvnuredhB0CuEaHskvQPCL4yOMgC/+b8pSgZvHjKcv
         TSvopIpxiSz656gT8XKPsawPiFgQT1pB24j0G2sWXB/+rX2QPFYFfqVX0CHnfRCeOuXS
         zcWEmfkEkbZIF1eCbUOP1YoyJMn2cWmOM7ss947ScWLEV1HhOm5k9ZLjW0YKM3RHe0o4
         tWeE9sdJfy1eRKLaGFK33oqxubYRgT9KO72CfBCumS5aEk/Q9oQBBRDXwiU0hoorXb4V
         XTLPambzK+pC7h+XA3ENBaNgQmX1vYKH4Xn5sunS70WiPx/F0RMZu9SokTyxnLLRLiuW
         /2eg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:cc:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=zZ100OgAiDnND5MKuUNcSvGRwi3n6jrkgirwTZqtvBg=;
        b=GARqWvhPGxlweVXuswjBFDH+GOblmYu6qWWawFw8jgRP1DdN5v9bC9vO2tNUZ1nW+p
         Bma24UyNfmL6jtwVVa0xVPpGJ1OzhkTtoG0GrT2iF/7pdGme6+Y6XRsbM6j/4wx153tz
         ZcA82ub2RCVqz6NMXainHguN3SoOl2uQ+sff2RBk4MNeIZCcxPHRbnkHzhJlNStRsuCw
         /9ZBIORrXlhtIlCiLxLeX9m85ztIvVfKfha2EuSRLWuHPwv8krHrdHeNBs7ZQ5F+aFrj
         2JBr+2b9Qm5MaslX6ITjlfuKyLTlyI8iCvF9nJ6cJjLfMuEaiqfuOsHhxYzULQKXb5M8
         t+Lg==
X-Gm-Message-State: AOAM5334Iknz4EEPEfZlAXDnM1Hs/rrqxLKZJvGCkEZXcp1jMhTHLAMU
        RAdfw5viGLEmqyNZ5ESHIdLk7a/wypqdzw==
X-Received: by 2002:a9d:5c08:: with SMTP id o8mr2856752otk.261.1622123111562;
        Thu, 27 May 2021 06:45:11 -0700 (PDT)
Received: from [192.168.1.30] ([207.135.233.147])
        by smtp.gmail.com with ESMTPSA id k18sm515360otj.42.2021.05.27.06.45.10
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Thu, 27 May 2021 06:45:11 -0700 (PDT)
Subject: Re: [PATCH] io_uring: fix data race to avoid potential NULL-deref
To:     Marco Elver <elver@google.com>, asml.silence@gmail.com,
        io-uring@vger.kernel.org, linux-kernel@vger.kernel.org
Cc:     kasan-dev@googlegroups.com, dvyukov@google.com,
        syzbot+bf2b3d0435b9b728946c@syzkaller.appspotmail.com
References: <20210527092547.2656514-1-elver@google.com>
From:   Jens Axboe <axboe@kernel.dk>
Message-ID: <893559c1-4510-3f7d-7c7f-82eb2468a5d5@kernel.dk>
Date:   Thu, 27 May 2021 07:45:13 -0600
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <20210527092547.2656514-1-elver@google.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 5/27/21 3:25 AM, Marco Elver wrote:
> Commit ba5ef6dc8a82 ("io_uring: fortify tctx/io_wq cleanup") introduced
> setting tctx->io_wq to NULL a bit earlier. This has caused KCSAN to
> detect a data race between accesses to tctx->io_wq:
> 
>   write to 0xffff88811d8df330 of 8 bytes by task 3709 on cpu 1:
>    io_uring_clean_tctx                  fs/io_uring.c:9042 [inline]
>    __io_uring_cancel                    fs/io_uring.c:9136
>    io_uring_files_cancel                include/linux/io_uring.h:16 [inline]
>    do_exit                              kernel/exit.c:781
>    do_group_exit                        kernel/exit.c:923
>    get_signal                           kernel/signal.c:2835
>    arch_do_signal_or_restart            arch/x86/kernel/signal.c:789
>    handle_signal_work                   kernel/entry/common.c:147 [inline]
>    exit_to_user_mode_loop               kernel/entry/common.c:171 [inline]
>    ...
>   read to 0xffff88811d8df330 of 8 bytes by task 6412 on cpu 0:
>    io_uring_try_cancel_iowq             fs/io_uring.c:8911 [inline]
>    io_uring_try_cancel_requests         fs/io_uring.c:8933
>    io_ring_exit_work                    fs/io_uring.c:8736
>    process_one_work                     kernel/workqueue.c:2276
>    ...
> 
> With the config used, KCSAN only reports data races with value changes:
> this implies that in the case here we also know that tctx->io_wq was
> non-NULL. Therefore, depending on interleaving, we may end up with:
> 
>               [CPU 0]                 |        [CPU 1]
>   io_uring_try_cancel_iowq()          | io_uring_clean_tctx()
>     if (!tctx->io_wq) // false        |   ...
>     ...                               |   tctx->io_wq = NULL
>     io_wq_cancel_cb(tctx->io_wq, ...) |   ...
>       -> NULL-deref                   |
> 
> Note: It is likely that thus far we've gotten lucky and the compiler
> optimizes the double-read into a single read into a register -- but this
> is never guaranteed, and can easily change with a different config!
> 
> Fix the data race by restoring the previous behaviour, where both
> setting io_wq to NULL and put of the wq are _serialized_ after
> concurrent io_uring_try_cancel_iowq() via acquisition of the uring_lock
> and removal of the node in io_uring_del_task_file().

Applied, thanks.

-- 
Jens Axboe