    io_uring: cleanup fixed file data table references · 2faf852d
    Jens Axboe authored
    syzbot reports a use-after-free in io_ring_file_ref_switch() when it
    tries to switch back to percpu mode. When we put the final reference to
    the table by calling percpu_ref_kill_and_confirm(), we don't want the
    zero reference to queue async work for flushing the potentially queued
    up items. We currently do a few flush_work(), but they merely paper
    around the issue, since the work item may not have been queued yet
    depending on when the percpu-ref callback gets run.
    
    Coming into the file unregister, we know we have the ring quiesced.
    io_ring_file_ref_switch() can check whether or not the ref is dying,
    and not queue anything async at that point. Once the ref has
    been confirmed killed, flush any potential items manually.
    
    Reported-by: syzbot+7caeaea49c2c8a591e3d@syzkaller.appspotmail.com
    Fixes: 05f3fb3c ("io_uring: avoid ring quiesce for fixed file set unregister and update")
    Signed-off-by: Jens Axboe <axboe@kernel.dk>
io_uring.c 166 KB