diff options
| author | Lim HyeonJun <shja0831@gmail.com> | 2026-05-24 20:08:53 +0900 |
|---|---|---|
| committer | Jens Axboe <axboe@kernel.dk> | 2026-05-24 12:01:15 -0600 |
| commit | a88c02915d9c6160cfc7ab1b26ed64b2993e2b94 (patch) | |
| tree | cfa1aba1314539fa453f33945fdce409d3c50ec3 /include/linux/xarray.h | |
| parent | e97ff8b62d4690c69297f0f6de874f0564cc01a4 (diff) | |
io_uring/tctx: set ->io_uring before publishing the tctx node
io_register_iowq_max_workers() walks ctx->tctx_list under ctx->tctx_lock
and dereferences each node's task->io_uring without a NULL check:
list_for_each_entry(node, &ctx->tctx_list, ctx_node) {
tctx = node->task->io_uring;
if (WARN_ON_ONCE(!tctx->io_wq))
continue;
...
}
__io_uring_add_tctx_node() installs the node into ctx->tctx_list (via
io_tctx_install_node(), which does the list_add() under tctx_lock) and
only assigns current->io_uring = tctx afterwards. A task doing its first
io_uring operation on a shared ring therefore has a window in which its
node is already visible on ctx->tctx_list while node->task->io_uring is
still NULL. A concurrent IORING_REGISTER_IOWQ_MAX_WORKERS on the same
ring reads that NULL and dereferences tctx->io_wq:
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
RIP: io_register_iowq_max_workers io_uring/register.c:423
Publish current->io_uring = tctx before installing the node, so any node
visible on ctx->tctx_list always has a valid task->io_uring.
Fixes: 7880174e1e5e ("io_uring/tctx: clean up __io_uring_add_tctx_node() error handling")
Signed-off-by: Lim HyeonJun <shja0831@gmail.com>
Link: https://patch.msgid.link/20260524110853.115634-1-shja0831@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Diffstat (limited to 'include/linux/xarray.h')
0 files changed, 0 insertions, 0 deletions