Message-ID: <tencent_734A1B432559BAF7BBA333429E581B034B08@qq.com>
Date: Mon, 24 Nov 2025 16:53:04 +0800
From: Edward Adam Davis <eadavis@...com>
To: syzbot+a2b9a4ed0d61b1efb3f5@...kaller.appspotmail.com
Cc: brauner@...nel.org,
	djwong@...nel.org,
	linux-fsdevel@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	linux-xfs@...r.kernel.org,
	syzkaller-bugs@...glegroups.com
Subject: [PATCH Next] iomap: Add sanity check for dio done workqueue

Memory was not allocated for s_dio_done_wq, leading to the null-ptr-deref
reported by syzbot in [1].

As shown in [1], we are currently in a soft interrupt context, and we cannot
use sb_init_dio_done_wq() to allocate memory for the wq because it requires a
mutex lock.

Add a check for the workqueue; if it is empty, switch to a synchronous method
to end the dio.

[1]
KASAN: null-ptr-deref in range [0x00000000000001c0-0x00000000000001c7]
CPU: 1 UID: 0 PID: 23 Comm: ksoftirqd/1 Not tainted syzkaller #0 PREEMPT(full)
Call Trace:
 iomap_dio_bio_end_io+0xf4/0x1c0 fs/iomap/direct-io.c:222
 blk_update_request+0x57e/0xe60 block/blk-mq.c:1006
 blk_mq_end_request+0x3e/0x70 block/blk-mq.c:1168
 blk_complete_reqs block/blk-mq.c:1243 [inline]
 blk_done_softirq+0x10a/0x160 block/blk-mq.c:1248
 handle_softirqs+0x27d/0x880 kernel/softirq.c:626
 run_ksoftirqd+0x9b/0x100 kernel/softirq.c:1067
 smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160

Reported-by: syzbot+a2b9a4ed0d61b1efb3f5@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a2b9a4ed0d61b1efb3f5
Signed-off-by: Edward Adam Davis <eadavis@...com>
---
 fs/iomap/direct-io.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/iomap/direct-io.c b/fs/iomap/direct-io.c
index d4e2e328d893..6b0ef7e0f05b 100644
--- a/fs/iomap/direct-io.c
+++ b/fs/iomap/direct-io.c
@@ -202,10 +202,14 @@ static void iomap_dio_done(struct iomap_dio *dio)
 		 * filesystem metadata changes or guarantee data integrity.
 		 */
 		INIT_WORK(&dio->aio.work, iomap_dio_complete_work);
+		if (!inode->i_sb->s_dio_done_wq)
+			goto done;
+
 		queue_work(inode->i_sb->s_dio_done_wq, &dio->aio.work);
 		return;
 	}
 
+done:
 	WRITE_ONCE(iocb->private, NULL);
 	iomap_dio_complete_work(&dio->aio.work);
 }
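Review bot: the `goto done` fallback added in this hunk runs iomap_dio_complete_work() directly from the bio end_io path, which the trace in the commit message shows is softirq context (blk_done_softirq via ksoftirqd), while the comment immediately above the hunk states that the work is deferred to a workqueue precisely because this completion may need to make filesystem metadata changes or guarantee data integrity. That work needs process context, so completing synchronously here replaces the NULL dereference with running sleeping code in atomic context. A NULL s_dio_done_wq at completion time means whoever submitted this write never set it up with sb_init_dio_done_wq(), so the check or allocation belongs on the submission side, where process context is available, rather than in the completion path. If a defensive check is kept at all, it should flag the condition as a bug (for example `if (WARN_ON_ONCE(!inode->i_sb->s_dio_done_wq))`) and should be placed before the `INIT_WORK(&dio->aio.work, iomap_dio_complete_work);` line so the work struct is not initialised on the path that skips queue_work().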
-- 
2.43.0
