From c1755c25a7190494b45861284b4a30bd9cd813ff Mon Sep 17 00:00:00 2001 From: Breno Leitao Date: Wed, 18 Jan 2023 07:56:30 -0800 Subject: io_uring: Enable KASAN for request cache Every io_uring request is represented by struct io_kiocb, which is cached locally by io_uring (not SLAB/SLUB) in the list called submit_state.freelist. This patch simply enabled KASAN for this free list. This list is initially created by KMEM_CACHE, but later, managed by io_uring. This patch basically poisons the objects that are not used (i.e., they are the free list), and unpoisons it when the object is allocated/removed from the list. Touching these poisoned objects while in the freelist will cause a KASAN warning. Suggested-by: Jens Axboe Signed-off-by: Breno Leitao Reviewed-by: Pavel Begunkov Signed-off-by: Jens Axboe --- io_uring/io_uring.h | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'io_uring/io_uring.h')
diff --git a/io_uring/io_uring.h b/io_uring/io_uring.h
index d58cfe062da9..9270156288aa 100644
--- a/io_uring/io_uring.h
+++ b/io_uring/io_uring.h
@@ -4,6 +4,7 @@
 #include
 #include
 #include
+#include
 #include
 #include "io-wq.h"
@@ -347,12 +348,16 @@ static inline bool io_alloc_req_refill(struct io_ring_ctx *ctx)
 return true;
 }
+extern struct kmem_cache *req_cachep;
+
 static inline struct io_kiocb *io_alloc_req(struct io_ring_ctx *ctx)
 {
- struct io_wq_work_node *node;
+ struct io_kiocb *req;
- node = wq_stack_extract(&ctx->submit_state.free_list);
- return container_of(node, struct io_kiocb, comp_list);
+ req = container_of(ctx->submit_state.free_list.next, struct io_kiocb, comp_list);
+ kasan_unpoison_object_data(req_cachep, req);
+ wq_stack_extract(&ctx->submit_state.free_list);
+ return req;
 }
 static inline bool io_allowed_defer_tw_run(struct io_ring_ctx *ctx)
-- cgit v1.2.3
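Review bot: The order of the three statements in the new io_alloc_req() is load-bearing but undocumented: `kasan_unpoison_object_data(req_cachep, req)` has to run before `wq_stack_extract()`, because (assuming the extract helper, which is outside this hunk, follows the node's `next` pointer) that read lands in `req->comp_list`, inside the still-poisoned object. A short comment above the unpoison call, such as `/* unpoison before wq_stack_extract(): it reads req->comp_list, which is inside the poisoned object */`, would keep a later cleanup from reordering them into a false KASAN report. The function also still assumes a non-empty free list; with `free_list.next` NULL, `container_of()` now yields a bogus pointer that is handed to KASAN before anything dereferences it, so the precondition that the caller refills first deserves a one-line note as well. The poisoning side that this pairs with is not in this file's diff, so whether every path that returns a request to the free list poisons it cannot be checked from here.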