On 8/5/20 12:34 PM, Jens Axboe wrote:
Hi,
Below is an io_uring patch that I'd like to get into 5.4. There's no equiv 5.5 commit, because the resulting changes were a lot more invasive there to avoid re-reading important sqe fields. But the reporter has also tested this one and verifies it fixes his issue. Can we get this queued up for 5.4?
And on top of that, this one as well which is also only applicable to 5.4. Thanks!
commit 33757992d5627b986757fd70ff86d73f2bda0dac
Author: Guoyu Huang <hgy5945@gmail.com>
Date:   Tue Aug 4 20:40:42 2020 -0700
io_uring: Fix use-after-free in io_sq_wq_submit_work()
When ctx->sqo_mm is zero, io_sq_wq_submit_work() frees 'req' without deleting it from 'task_list'. After that, 'req' is accessed in io_ring_ctx_wait_and_kill(), which leads to a use-after-free.
Signed-off-by: Guoyu Huang <hgy5945@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
diff --git a/fs/io_uring.c b/fs/io_uring.c index 8bb5e19b7c3c..be3d595a607f 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -2232,6 +2232,7 @@ static void io_sq_wq_submit_work(struct work_struct *work) if (io_req_needs_user(req) && !cur_mm) { if (!mmget_not_zero(ctx->sqo_mm)) { ret = -EFAULT; + goto end_req; } else { cur_mm = ctx->sqo_mm; use_mm(cur_mm);
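Review bot: The hunk adds only `goto end_req;` in the `!mmget_not_zero(ctx->sqo_mm)` branch, but the `end_req:` label and the code that follows it are not in the visible context, so a reviewer cannot confirm from this diff alone that the `end_req` path removes `req` from `task_list` before the request is freed, which is exactly what the commit message says was missing. It would help to include those lines as context, or to state in the commit message that `end_req` takes the request off `task_list` and completes it with `ret` (-EFAULT) rather than freeing it silently. Two smaller points: the condition being tested is a failed `mmget_not_zero()`, i.e. the mm's user count has already dropped to zero, whereas the message describes "ctx->sqo_mm is zero"; aligning the wording with the check would avoid confusion for anyone bisecting later. And once the `if` branch ends in an unconditional `goto`, the `} else {` that follows is redundant and could be flattened, though that is purely a style choice for a minimal stable backport.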