| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <b5cff8b6-bd9c-9cbe-4f5f-52552d19ca48@gmail.com>
Date: Wed, 26 May 2021 17:29:44 +0100
From: Pavel Begunkov <asml.silence@...il.com>
To: Marco Elver <elver@...gle.com>, axboe@...nel.dk
Cc: syzbot <syzbot+73554e2258b7b8bf0bbf@...kaller.appspotmail.com>,
io-uring@...r.kernel.org, linux-kernel@...r.kernel.org,
syzkaller-bugs@...glegroups.com, dvyukov@...gle.com
Subject: Re: [syzbot] KCSAN: data-race in __io_uring_cancel /
io_uring_try_cancel_requests
On 5/26/21 4:52 PM, Marco Elver wrote:
> Due to some moving around of code, the patch lost the actual fix (using
> atomically read io_wq) -- so here it is again ... hopefully as intended.
> :-)
"fortify" damn it... It was synchronised with &ctx->uring_lock
before, see io_uring_try_cancel_iowq() and io_uring_del_tctx_node(),
so should not clear before *del_tctx_node()
The fix should just move it after this sync point. Will you send
it out as a patch?
diff --git a/fs/io_uring.c b/fs/io_uring.c
index 7db6aaf31080..b76ba26b4c6c 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -9075,11 +9075,12 @@ static void io_uring_clean_tctx(struct io_uring_task *tctx)
struct io_tctx_node *node;
unsigned long index;
- tctx->io_wq = NULL;
xa_for_each(&tctx->xa, index, node)
io_uring_del_tctx_node(index);
- if (wq)
+ if (wq) {
+ tctx->io_wq = NULL;
io_wq_put_and_exit(wq);
+ }
}
static s64 tctx_inflight(struct io_uring_task *tctx, bool tracked)
--
Pavel Begunkov
Powered by blists - more mailing lists