diff options
| author | Jens Axboe <axboe@kernel.dk> | 2025-09-18 13:59:15 -0600 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2025-09-25 11:16:53 +0200 |
| commit | 5ba113d0b04986a6fcb873fb5ee1b0e9b60382fa (patch) | |
| tree | 15db72696fec24a3b2c8bcb9c7eec0788b5efdb8 /include/net/aligned_data.h | |
| parent | 045ee26aa3920a47ec46d7fcb302420bf01fd753 (diff) | |
io_uring/msg_ring: kill alloc_cache for io_kiocb allocations
[ Upstream commit df8922afc37aa2111ca79a216653a629146763ad ]
A recent commit:
fc582cd26e88 ("io_uring/msg_ring: ensure io_kiocb freeing is deferred for RCU")
fixed an issue with not deferring freeing of io_kiocb structs that
msg_ring allocates to after the current RCU grace period. But this only
covers requests that don't end up in the allocation cache. If a request
goes into the alloc cache, it can get reused before it is sane to do so.
A recent syzbot report would seem to indicate that there's something
there, however it may very well just be because of the KASAN poisoning
that the alloc_cache handles manually.
Rather than attempt to make the alloc_cache sane for that use case, just
drop the usage of the alloc_cache for msg_ring request payload data.
Fixes: 50cf5f3842af ("io_uring/msg_ring: add an alloc cache for io_kiocb entries")
Link: https://lore.kernel.org/io-uring/68cc2687.050a0220.139b6.0005.GAE@google.com/
Reported-by: syzbot+baa2e0f4e02df602583e@syzkaller.appspotmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'include/net/aligned_data.h')
0 files changed, 0 insertions, 0 deletions