From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Jens Axboe, syzbot+f8e9a371388aa62ecab4@syzkaller.appspotmail.com, Sasha Levin, io-uring@vger.kernel.org
Subject: [PATCH AUTOSEL 6.8 22/28] io_uring: clear opcode specific data for an early failure
Date: Wed, 3 Apr 2024 13:16:24 -0400
Message-ID: <20240403171656.335224-22-sashal@kernel.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240403171656.335224-1-sashal@kernel.org>
References: <20240403171656.335224-1-sashal@kernel.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
X-stable: review
X-Patchwork-Hint: Ignore
X-stable-base: Linux 6.8.3
Content-Transfer-Encoding: 8bit

From: Jens Axboe

[ Upstream commit e21e1c45e1fe2e31732f40256b49c04e76a17cee ]

If failure happens before the opcode prep handler is called, ensure that
we clear the opcode specific area of the request, which holds data
specific to that request type. This prevents errors where opcode
handlers either don't get to clear per-request private data since prep
isn't even called.

Reported-and-tested-by: syzbot+f8e9a371388aa62ecab4@syzkaller.appspotmail.com
Signed-off-by: Jens Axboe
Signed-off-by: Sasha Levin
--- io_uring/io_uring.c | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index cd9a137ad6cef..42e27ad5fd828 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -2159,6 +2159,13 @@ static void io_init_req_drain(struct io_kiocb *req) } } +static __cold int io_init_fail_req(struct io_kiocb *req, int err) +{ + /* ensure per-opcode data is cleared if we fail before prep */ + memset(&req->cmd.data, 0, sizeof(req->cmd.data)); + return err; +} + static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, const struct io_uring_sqe *sqe) __must_hold(&ctx->uring_lock)
@@ -2179,29 +2186,29 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, if (unlikely(opcode >= IORING_OP_LAST)) { req->opcode = 0; - return -EINVAL; + return io_init_fail_req(req, -EINVAL); } def = &io_issue_defs[opcode]; if (unlikely(sqe_flags & ~SQE_COMMON_FLAGS)) { /* enforce forwards compatibility on users */ if (sqe_flags & ~SQE_VALID_FLAGS) - return -EINVAL; + return io_init_fail_req(req, -EINVAL); if (sqe_flags & IOSQE_BUFFER_SELECT) { if (!def->buffer_select) - return -EOPNOTSUPP; + return io_init_fail_req(req, -EOPNOTSUPP); req->buf_index = READ_ONCE(sqe->buf_group); } if (sqe_flags & IOSQE_CQE_SKIP_SUCCESS) ctx->drain_disabled = true; if (sqe_flags & IOSQE_IO_DRAIN) { if (ctx->drain_disabled) - return -EOPNOTSUPP; + return io_init_fail_req(req, -EOPNOTSUPP); io_init_req_drain(req); } } if (unlikely(ctx->restricted || ctx->drain_active || ctx->drain_next)) { if (ctx->restricted && !io_check_restriction(ctx, req, sqe_flags)) - return -EACCES; + return io_init_fail_req(req, -EACCES); /* knock it to the slow queue path, will be drained there */ if (ctx->drain_active) req->flags |= REQ_F_FORCE_ASYNC; @@ -2214,9 +2221,9 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, } if (!def->ioprio && sqe->ioprio) - return -EINVAL; + return io_init_fail_req(req, -EINVAL); if (!def->iopoll && (ctx->flags & IORING_SETUP_IOPOLL)) - return -EINVAL; + return io_init_fail_req(req, -EINVAL); if (def->needs_file) { struct io_submit_state *state = &ctx->submit_state; @@ -2240,12 +2247,12 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, req->creds = xa_load(&ctx->personalities, personality); if (!req->creds) - return -EINVAL; + return io_init_fail_req(req, -EINVAL); get_cred(req->creds); ret = security_uring_override_creds(req->creds); if (ret) { put_cred(req->creds); - return ret; + return io_init_fail_req(req, ret); } req->flags |= REQ_F_CREDS; } -- 2.43.0
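
Review bot: nothing in the first hunk (the new io_init_fail_req() helper placed ahead of io_init_req()) keeps a future early exit from bypassing it; a bare `return -EINVAL;` added later, before the prep handler runs, would skip the memset of req->cmd.data without any warning. Suggest a comment above io_init_req() stating that every failure return before prep must go through io_init_fail_req(), or routing those failures through a single exit label so the clear cannot be missed.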
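
Review bot: in the last hunk (the personality block), the security_uring_override_creds() failure path calls put_cred(req->creds) and then returns through io_init_fail_req(), which clears only req->cmd.data, so req->creds is left holding a pointer whose reference was just dropped. REQ_F_CREDS is not set on this path, which is safe only if every later user of req->creds checks that flag first; setting req->creds = NULL before the return would remove that dependency.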