kernel BUG: io_uring openat triggers audit reference count underflow
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Lunar | Fix Committed | Medium | Tim Gardner | |
| Mantic | Fix Released | Medium | Tim Gardner | |
Bug Description
I first encountered a bug in 6.2.0-1012-azure #12~22.04.1-Ubuntu that occurs during io_uring openat audit processing. I have a kernel patch that was accepted into the upstream kernel as well as the v6.6, v6.5.9, and v6.1.60 releases. The bug was first introduced in the upstream v5.16 kernel.
I do not see the change yet in:
* The Ubuntu-
* The Ubuntu-
Can this upstream commit be cherry-picked?
The upstream commit is:
03adc61edad49e1
The upstream patch thread is:
https://<email address hidden>/T/#u
The maintainer pull request thread is:
https:/
The pre-patch discussion thread is:
https:/
The commit log message is:
commit 03adc61edad49e1
Author: Dan Clash <email address hidden>
Date: Thu Oct 12 14:55:18 2023 -0700
audit,io_uring: io_uring openat triggers audit reference count underflow
An io_uring openat operation can update an audit reference count
from multiple threads resulting in the call trace below.
A call to io_uring_submit() with a single openat op with a flag of
IOSQE_ASYNC results in the following reference count updates.
The first part of the system call performs two increments that do not race.
do_syscall_64()
_
The openat op is queued to an io_uring worker thread which starts the
opportunity for a race. The system call exit performs one decrement.
do_syscall_64()
syscall_
The io_uring worker thread performs one increment and two decrements.
These updates can race with the system call decrement.
io_wqe_worker()
io_
The fix is to change the refcnt member of struct audit_names
from int to atomic_t.
kernel BUG at fs/namei.c:262!
Call Trace:
...
? putname+0x68/0x70
audit_
__
io_
? lock_timer_
io_
? __try_to_
io_
io_
Cc: <email address hidden>
Link: https://<email address hidden>/
Fixes: 5bd2182d58e9 ("audit,
Signed-off-by: Dan Clash <email address hidden>
Link: https://<email address hidden>
Reviewed-by: Jens Axboe <email address hidden>
Signed-off-by: Christian Brauner <email address hidden>
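The race the commit message describes, as an added interleaving model written for this page (not kernel code): each thread's reference count updates are taken from the commit message, a plain-int update is split into a load step and a store step so a step from the other thread can land in between, and an atomic_t update is one indivisible step. The schedule `racy_sched` is constructed, and "count below zero" stands in for the underflow check that `putname()` reports as a kernel BUG.

```c
/* Interleaving model of the audit_names refcnt race (constructed example, not kernel code).
 * Plain int: "refcnt++" / "refcnt--" is load then store, so an update can be lost.
 * atomic_t: the update is a single read-modify-write that cannot be torn. */
#include <stdbool.h>
#include <stdio.h>

struct thread { const int *deltas; int n; int pc; bool loaded; int tmp; };
struct result { int final_refcnt; int min_refcnt; };

static void step(struct thread *t, int *refcnt, bool atomic)
{
    if (t->pc >= t->n) return;                                        /* thread finished */
    if (!t->loaded) { t->tmp = *refcnt; t->loaded = true; return; }  /* load half of ++ / -- */
    /* store half: plain int writes back the possibly stale tmp; atomic_t does a fresh RMW */
    *refcnt = (atomic ? *refcnt : t->tmp) + t->deltas[t->pc];
    t->pc++;
    t->loaded = false;
}

/* sched[i] names which thread advances one step: 0 = do_syscall_64 path, 1 = io_wqe_worker */
static struct result run(const int *sched, int len, bool atomic)
{
    static const int syscall_ops[] = { +1, +1, -1 };  /* two increments, one decrement at syscall exit */
    static const int worker_ops[]  = { +1, -1, -1 };  /* one increment, two decrements in the worker */
    struct thread th[2] = { { syscall_ops, 3, 0, false, 0 }, { worker_ops, 3, 0, false, 0 } };
    struct result r = { 0, 0 };
    for (int i = 0; i < len; i++) {
        step(&th[sched[i]], &r.final_refcnt, atomic);
        if (r.final_refcnt < r.min_refcnt) r.min_refcnt = r.final_refcnt; /* < 0 is the underflow */
    }
    return r;
}

/* Constructed schedule: the syscall-exit decrement loads the count before the worker's increment
 * stores, so that increment is lost and the worker's two decrements drive the count below zero. */
static const int racy_sched[]   = { 0,0, 0,0,  0,  1,1,  0,  1,1,  1,1 };
static const int serial_sched[] = { 0,0, 0,0, 0,0,  1,1, 1,1, 1,1 };   /* no overlap: always 0 */
#define LEN(a) (int)(sizeof(a) / sizeof((a)[0]))

int main(void)
{
    struct result plain = run(racy_sched, LEN(racy_sched), false);
    struct result atom  = run(racy_sched, LEN(racy_sched), true);
    printf("plain int : final=%d min=%d%s\n", plain.final_refcnt, plain.min_refcnt,
           plain.min_refcnt < 0 ? "  <- underflow" : "");
    printf("atomic_t  : final=%d min=%d\n", atom.final_refcnt, atom.min_refcnt);
    return 0;
}
```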
affects: linux (Ubuntu) → linux-azure-6.2 (Ubuntu)
tags: added: jammy
affects: linux-azure-6.2 (Ubuntu) → linux (Ubuntu)
Changed in linux (Ubuntu):
status: New → Fix Released
Changed in linux (Ubuntu Lunar):
assignee: nobody → Tim Gardner (timg-tpi)
status: New → In Progress
importance: Undecided → Medium
Changed in linux (Ubuntu Mantic):
assignee: nobody → Tim Gardner (timg-tpi)
importance: Undecided → Medium
status: New → In Progress
Changed in linux (Ubuntu Mantic):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Lunar):
status: In Progress → Fix Committed
Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs irc channel on Libera.chat.
To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+bug/2043841/+editstatus and add the package name in the text box next to the word Package.
[This is an automated message. I apologize if it reached you inappropriately; please just reply to this message indicating so.]