[PATCH Next] iomap: Add sanity check for dio done workqueue

Edward Adam Davis posted 1 patch 1 week ago
The s_dio_done_wq was not allocated, leading to the null-ptr-deref
reported by syzbot in [1].

As shown in [1], we are currently in a soft interrupt context, and we cannot
use sb_init_dio_done_wq() to allocate memory for wq because it requires a
mutex lock.

Added a check to the workqueue; if it is empty, it switches to using a
synchronous method to end the dio.

[1]
KASAN: null-ptr-deref in range [0x00000000000001c0-0x00000000000001c7]
CPU: 1 UID: 0 PID: 23 Comm: ksoftirqd/1 Not tainted syzkaller #0 PREEMPT(full)
Call Trace:
 iomap_dio_bio_end_io+0xf4/0x1c0 fs/iomap/direct-io.c:222
 blk_update_request+0x57e/0xe60 block/blk-mq.c:1006
 blk_mq_end_request+0x3e/0x70 block/blk-mq.c:1168
 blk_complete_reqs block/blk-mq.c:1243 [inline]
 blk_done_softirq+0x10a/0x160 block/blk-mq.c:1248
 handle_softirqs+0x27d/0x880 kernel/softirq.c:626
 run_ksoftirqd+0x9b/0x100 kernel/softirq.c:1067
 smpboot_thread_fn+0x542/0xa60 kernel/smpboot.c:160

Reported-by: syzbot+a2b9a4ed0d61b1efb3f5@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a2b9a4ed0d61b1efb3f5
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 fs/iomap/direct-io.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/iomap/direct-io.c b/fs/iomap/direct-io.c
index d4e2e328d893..6b0ef7e0f05b 100644
--- a/fs/iomap/direct-io.c
+++ b/fs/iomap/direct-io.c
@@ -202,10 +202,14 @@ static void iomap_dio_done(struct iomap_dio *dio)
 		 * filesystem metadata changes or guarantee data integrity.
 		 */
 		INIT_WORK(&dio->aio.work, iomap_dio_complete_work);
+		if (!inode->i_sb->s_dio_done_wq)
+			goto done;
+
 		queue_work(inode->i_sb->s_dio_done_wq, &dio->aio.work);
 		return;
 	}
 
+done:
 	WRITE_ONCE(iocb->private, NULL);
 	iomap_dio_complete_work(&dio->aio.work);
 }
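Review bot: The fallback path taken on `goto done` runs iomap_dio_complete_work() synchronously from the bio end_io callback, which (per the trace in the commit message) is softirq context; the comment just above the hunk says this completion is deferred to the workqueue precisely because it may need to make filesystem metadata changes or guarantee data integrity, so calling it inline here trades a NULL dereference for completion work running in a context that cannot sleep. A NULL s_dio_done_wq at completion time means the workqueue was never set up before the I/O was issued, and that is the condition to fix at submission time rather than to tolerate here. Smaller points: the check sits after `INIT_WORK(&dio->aio.work, iomap_dio_complete_work);`, so the work item is initialised and then abandoned on the new path (move the check above INIT_WORK or drop it), and the `done:` label is only needed because the check is placed inside the `if`; testing the workqueue in the enclosing condition would avoid the jump.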
-- 
2.43.0
Re: [PATCH Next] iomap: Add sanity check for dio done workqueue
Posted by Christoph Hellwig 1 week ago
On Mon, Nov 24, 2025 at 04:53:04PM +0800, Edward Adam Davis wrote:
> The s_dio_done_wq was not allocated, leading to the null-ptr-deref
> reported by syzbot in [1].
> 
> As shown in [1], we are currently in a soft interrupt context, and we cannot
> use sb_init_dio_done_wq() to allocate memory for wq because it requires a
> mutex lock.
> 
> Added a check to the workqueue; if it is empty, it switches to using a
> synchronous method to end the dio.

Err no.  That sanity check doesn't do anything useful.  Whatever caused
it to be not allocated and allow I/O needs to be fixed.  And I suspect
it's my fault and I already have an idea how to fix, so don't rush it.