From patchwork Mon Jan 22 18:24:11 2024
X-Patchwork-Submitter: Bethany Jamison
X-Patchwork-Id: 1889323
From: Bethany Jamison
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Jammy][PATCH 1/1] io_uring/fdinfo: lock SQ thread while retrieving thread cpu/pid
Date: Mon, 22 Jan 2024 13:24:11 -0500
Message-Id: <20240122182411.15417-4-bethany.jamison@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240122182411.15417-1-bethany.jamison@canonical.com>
References: <20240122182411.15417-1-bethany.jamison@canonical.com>
List-Id: Kernel team discussions
Sender: "kernel-team"

From: Jens Axboe

We could race with SQ thread exit, and if we do, we'll hit a NULL pointer
dereference when the thread is cleared. Grab the SQPOLL data lock before
attempting to get the task cpu and pid for fdinfo, this ensures we have a
stable view of it.

Cc: stable@vger.kernel.org
Link: https://bugzilla.kernel.org/show_bug.cgi?id=218032
Reviewed-by: Gabriel Krisman Bertazi
Signed-off-by: Jens Axboe
(manually backported from commit 7644b1a1c9a7ae8ab99175989bfc8676055edb46)
[bjamison: io_uring in Jammy is structured very differently than upstream, applied all changes from 764 to relevant section of code]
CVE-2023-46862
Signed-off-by: Bethany Jamison
---
 io_uring/io_uring.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 18f10776cc4df..a1ba99e242e31 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -10436,7 +10436,7 @@ static int io_uring_show_cred(struct seq_file *m, unsigned int id, static void __io_uring_show_fdinfo(struct io_ring_ctx *ctx, struct seq_file *m) { - struct io_sq_data *sq = NULL; + int sq_pid = -1, sq_cpu = -1; bool has_lock; int i;
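Review bot: the -1 initializers in `int sq_pid = -1, sq_cpu = -1;` double as the sentinel that fdinfo prints when there is no SQ thread to report (and, further down, when sq->lock cannot be taken), but nothing at the declaration says so; a one-line comment above it, e.g. `/* -1: no SQPOLL thread, or its state could not be sampled */`, would save the next reader from having to find the seq_printf calls to learn what the initial values mean. Otherwise the change is the right shape: replacing the `struct io_sq_data *sq` pointer, which the old code kept alive past the NULL check, with plain integers is what makes the later print safe.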
@@ -10449,13 +10449,19 @@ static void __io_uring_show_fdinfo(struct io_ring_ctx *ctx, struct seq_file *m) has_lock = mutex_trylock(&ctx->uring_lock); if (has_lock && (ctx->flags & IORING_SETUP_SQPOLL)) { - sq = ctx->sq_data; - if (!sq->thread) - sq = NULL; + struct io_sq_data *sq = ctx->sq_data; + + if (mutex_trylock(&sq->lock)) { + if (sq->thread) { + sq_pid = task_pid_nr(sq->thread); + sq_cpu = task_cpu(sq->thread); + } + mutex_unlock(&sq->lock); + } } - seq_printf(m, "SqThread:\t%d\n", sq ? task_pid_nr(sq->thread) : -1); - seq_printf(m, "SqThreadCpu:\t%d\n", sq ? task_cpu(sq->thread) : -1); + seq_printf(m, "SqThread:\t%d\n", sq_pid); + seq_printf(m, "SqThreadCpu:\t%d\n", sq_cpu); seq_printf(m, "UserFiles:\t%u\n", ctx->nr_user_files); for (i = 0; has_lock && i < ctx->nr_user_files; i++) { struct file *f = io_file_from_index(ctx, i);
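Review bot: when `mutex_trylock(&sq->lock)` fails, the function silently reports SqThread and SqThreadCpu as -1, the same values it prints when the thread has actually exited, so a reader of fdinfo cannot tell "SQPOLL thread gone" from "lock was busy". Using a trylock here mirrors the trylock already used for uring_lock a few lines up and keeps fdinfo non-blocking, so it is a reasonable trade, but the fallback should be deliberate rather than accidental: a comment on the trylock such as `/* contended: report as if no thread rather than block */` and a sentence in the backport note would cover it. Separately, `ctx->sq_data` is still dereferenced without a NULL check whenever IORING_SETUP_SQPOLL is set, exactly as before the patch; fine if that invariant holds in Jammy, but worth confirming given the note that this code is structured differently from upstream.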
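The race the commit message describes, modelled in userspace as an added example (this is not the patch's or the kernel's code). A pthread mutex stands in for sq->lock and small structs for task_struct and io_sq_data; the names sq_data, task, sq_fdinfo_unlocked, sq_fdinfo_snapshot and run_stress are this example's own. The unlocked reader copies the shape of the removed code (check sq->thread once, then dereference it again per field); the locked reader copies the shape of the added code (trylock, copy pid and cpu into locals, unlock, print the locals). The stress harness goes beyond the patch's single clear-to-NULL case by also swapping between two tasks, so the unlocked reader's problem shows up as a torn pid/cpu pair instead of a crash.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for task_struct and io_sq_data; the names are this example's own. */
struct task { int pid; int cpu; };
struct sq_data {
    pthread_mutex_t lock;
    struct task *thread;            /* NULL once the SQ thread has exited */
};

/* SQ thread start/exit: the pointer changes only with sq->lock held. */
static void sq_thread_set(struct sq_data *sq, struct task *t)
{
    pthread_mutex_lock(&sq->lock);
    sq->thread = t;
    pthread_mutex_unlock(&sq->lock);
}
static void sq_thread_exit(struct sq_data *sq) { sq_thread_set(sq, NULL); }

/* Pre-patch pattern, for contrast: the NULL check and the field reads are
 * separate loads of sq->thread with nothing holding it stable, so an exit in
 * between dereferences NULL. __atomic_load_n only keeps the compiler from
 * merging the loads, which would hide the race in this userspace model. */
#define LOAD_THREAD(sq) __atomic_load_n(&(sq)->thread, __ATOMIC_RELAXED)
static void sq_fdinfo_unlocked(struct sq_data *sq, int *pid, int *cpu)
{
    struct sq_data *live = LOAD_THREAD(sq) ? sq : NULL;   /* check ... */
    *pid = live ? LOAD_THREAD(live)->pid : -1;            /* ... then use */
    *cpu = live ? LOAD_THREAD(live)->cpu : -1;
}

/* Fixed pattern: trylock, copy both fields to locals while holding the lock,
 * report -1/-1 if the thread is gone or the lock is busy, print after unlock.
 * Returns true if a live thread was sampled. */
static bool sq_fdinfo_snapshot(struct sq_data *sq, int *pid, int *cpu)
{
    *pid = -1;
    *cpu = -1;
    if (pthread_mutex_trylock(&sq->lock) != 0)
        return false;               /* contended: reported as "no thread" */
    if (sq->thread) {
        *pid = sq->thread->pid;
        *cpu = sq->thread->cpu;
    }
    pthread_mutex_unlock(&sq->lock);
    return *pid != -1;
}

struct stress { struct sq_data *sq; struct task *t1, *t2; bool with_exit; int iters; };

/* Writer side of the race: cycles the SQ thread through t1, t2 and, optionally, exit. */
static void *toggler(void *arg)
{
    struct stress *s = arg;
    for (int i = 0; i < s->iters; i++) {
        sq_thread_set(s->sq, s->t1);
        sq_thread_set(s->sq, s->t2);
        if (s->with_exit)
            sq_thread_exit(s->sq);
    }
    return NULL;
}

/* Reader side: samples concurrently and counts torn results, i.e. a pid/cpu
 * pair that is neither "no thread" nor one task's own values. The racy variant
 * runs without exits, since a real NULL hit would crash the model.
 * Returns the torn count, or -1 if the writer thread could not be started. */
static int run_stress(bool racy, int iters)
{
    struct task t1 = { .pid = 4242, .cpu = 1 }, t2 = { .pid = 4343, .cpu = 7 };
    struct sq_data sq = { .lock = PTHREAD_MUTEX_INITIALIZER, .thread = &t1 };
    struct stress s = { &sq, &t1, &t2, !racy, iters };
    pthread_t th;
    int torn = 0;
    if (pthread_create(&th, NULL, toggler, &s) != 0)
        return -1;
    for (int i = 0; i < iters; i++) {
        int pid, cpu;
        if (racy)
            sq_fdinfo_unlocked(&sq, &pid, &cpu);
        else
            sq_fdinfo_snapshot(&sq, &pid, &cpu);
        if (!((pid == -1 && cpu == -1) || (pid == t1.pid && cpu == t1.cpu) ||
              (pid == t2.pid && cpu == t2.cpu)))
            torn++;
    }
    pthread_join(th, NULL);
    return torn;
}

int main(void)
{
    printf("locked snapshot: %d torn results\n", run_stress(false, 200000));
    printf("unlocked reads:  %d torn results\n", run_stress(true, 200000));
    return 0;
}
```

The locked reader is expected to report zero torn results however long it runs; the unlocked one usually reports a non-zero count on a multi-core machine, though how many depends on scheduling. Note that the trylock fallback reports -1/-1 on contention, which is indistinguishable from "thread exited" to whoever reads the output.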