Bug 218101

Summary: When performing IORING_OP_READ_MULTISHOT, a null pointer dereference bug occurs in io_req_map_rw.
Product: Linux Reporter: j51569436
Component: KernelAssignee: Virtual assignee for kernel bugs (linux-kernel)
Status: NEW ---    
Severity: low CC: axboe
Priority: P3    
Hardware: All   
OS: Linux   
Kernel Version: 6.6.0 Subsystem:
Regression: No Bisected commit-id:
Attachments: poc.c
crash log

Description j51569436 2023-11-03 14:55:10 UTC 
When issuing IORING_OP_READ_MULTISHOT, the functions are called in the following flow:

io_read_mshot -> __io_read -> io_setup_async_rw -> io_alloc_async_data

```
bool io_alloc_async_data(struct io_kiocb *req)
{
    WARN_ON_ONCE(!io_cold_defs[req->opcode].async_size);
    req->async_data = kmalloc(io_cold_defs[req->opcode].async_size, GFP_KERNEL);
    if (req->async_data) {
        req->flags |= REQ_F_ASYNC_DATA;
        return false;
    }
    return true;
}
```

`io_cold_defs[IORING_OP_READ_MULTISHOT].async_size` is 0. Therefore, kmalloc returns ZERO_SIZE_PTR (0x10), and a subsequent null pointer dereference bug occurs. 


In io_setup_async_rw, before validating `io_cold_defs[IORING_OP_READ_MULTISHOT].prep_async`, the condition is ignored because the force flag is true.
Comment 1 j51569436 2023-11-03 14:55:40 UTC 
Created attachment 305364 [details]
poc.c
Comment 2 j51569436 2023-11-03 14:56:09 UTC 
Created attachment 305365 [details]
crash log
Comment 3 Jens Axboe 2023-11-03 15:03:33 UTC 
Thanks for the report, I'll take a look.
Comment 4 Jens Axboe 2023-11-03 15:14:26 UTC 
This should fix it:

diff --git a/io_uring/rw.c b/io_uring/rw.c
index 3398e1d944c2..61dd28451681 100644
--- a/io_uring/rw.c
+++ b/io_uring/rw.c
@@ -542,6 +542,9 @@ static int io_setup_async_rw(struct io_kiocb *req, const struct iovec *iovec,
 {
 	if (!force && !io_cold_defs[req->opcode].prep_async)
 		return 0;
+	/* opcode type doesn't need async data */
+	if (!io_cold_defs[req->opcode].async_size)
+		return 0;
 	if (!req_has_async_data(req)) {
 		struct io_async_rw *iorw;
Comment 5 Jens Axboe 2023-11-03 15:32:05 UTC 
Committed: https://git.kernel.dk/cgit/linux/commit/?h=io_uring-6.7&id=0df96fb71a395b4fc9c80180306420c743f395a8

Also adds a check for provided buffers, as it has to be used with that.
Comment 6 Jens Axboe 2023-11-03 16:50:19 UTC 
Patch posted, will go in before 6.7-rc1. Thanks again for the report!