Message-ID: <851bd25a-ff64-3d3a-f1f5-f9e4f83c2dab@kernel.dk>
Date: Mon, 30 Nov 2020 10:43:46 -0700
From: Jens Axboe <axboe@...nel.dk>
To: Matthew Wilcox <willy@...radead.org>,
Hillf Danton <hdanton@...a.com>
Cc: syzbot <syzbot+12056a09a0311d758e60@...kaller.appspotmail.com>,
io-uring@...r.kernel.org, linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com
Subject: Re: KASAN: use-after-free Read in idr_for_each (2)

On 11/29/20 5:26 AM, Matthew Wilcox wrote:
> On Sun, Nov 29, 2020 at 07:34:29PM +0800, Hillf Danton wrote:
>>> radix_tree_next_slot include/linux/radix-tree.h:422 [inline]
>>> idr_for_each+0x206/0x220 lib/idr.c:202
>>> io_destroy_buffers fs/io_uring.c:8275 [inline]
>>
>> Matthew, can you shed any light on the link between the use of idr
>> routines and the UAF reported?
>
> I presume it's some misuse of IDR by io_uring. I'd rather io_uring
> didn't use the IDR at all. This compiles; I promise no more than that.

Looks reasonable to me. Care to send as an actual patch?

This would just leave the personality idr as the last idr use case in
io_uring, hint hint :-)

Would be nice to fully understand why this issue exists with idr, I
don't immediately see anything wrong. But as I cannot even reproduce, I
can't verify that the xa version is sane wrt fixing it either...

--
Jens Axboe