On Wed, Aug 05, 2020 at 12:34:09PM -0600, Jens Axboe wrote:
Hi,
Below is an io_uring patch that I'd like to get into 5.4. There's no equiv 5.5 commit, because the resulting changes were a lot more invasive there to avoid re-reading important sqe fields. But the reporter has also tested this one and verifies it fixes his issue. Can we get this queued up for 5.4?
commit 8cfecb9a5d7b2aff34547652adc5bb00a8da5fac
Author: Jens Axboe <axboe@kernel.dk>
Date:   Wed Aug 5 12:30:36 2020 -0600
io_uring: prevent re-read of sqe->opcode
Liu reports that he can trigger a NULL pointer dereference with IORING_OP_SENDMSG, by changing the sqe->opcode after we've validated that the previous opcode didn't need a file and didn't assign one. Ensure we validate and read the opcode only once.

Reported-by: Liu Yong <pkfxxxing@gmail.com>
Tested-by: Liu Yong <pkfxxxing@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Now queued up, thanks!
greg k-h
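The bug class behind the commit above is a double fetch from user-writable shared memory: the SQ ring is mapped into user space, so a field such as sqe->opcode can change between the kernel's "does this op need a file?" check and the later dispatch on the same field. The following is an added, self-contained model of that pattern written for this thread; it is not the kernel's io_uring code or the patch itself. All names (struct sqe, OP_NOP, OP_SENDMSG, fget_model, submit_double_fetch, submit_single_fetch) and the opcode numbers are constructed stand-ins, and the concurrent user-space write is modelled as a hook invoked between the two reads so the race is deterministic. The vulnerable path returns a sentinel instead of dereferencing the NULL file pointer, so both paths can be compared safely.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a submission-queue entry living in memory that
 * user space can write at any time. Only the fields the example needs
 * are modelled; volatile marks them as changeable under the kernel. */
struct sqe {
    volatile uint8_t opcode;
    volatile int32_t fd;
};

/* Hypothetical opcode values for the model, not the real IORING_OP_* numbers. */
enum { OP_NOP = 0, OP_SENDMSG = 1 };

/* Minimal file-table stand-in: fd 0 resolves, anything else does not. */
struct file { int id; };
static struct file the_file = { 0 };
static struct file *fget_model(int fd) { return fd == 0 ? &the_file : NULL; }

/* SENDMSG needs a file; NOP does not. */
static bool op_needs_file(uint8_t op) { return op == OP_SENDMSG; }

enum submit_result {
    SUBMIT_OK = 0,          /* dispatched with every resource it needs */
    SUBMIT_EBADF = -1,      /* file required but lookup failed; rejected early */
    SUBMIT_NULL_DEREF = -2  /* an op that needs a file reached dispatch with file == NULL */
};

/* Models a concurrent user-space write landing between the two kernel reads. */
typedef void (*race_fn)(struct sqe *);

/* Vulnerable pattern: sqe->opcode is fetched from shared memory twice. */
static int submit_double_fetch(struct sqe *sqe, race_fn race)
{
    struct file *file = NULL;

    /* First fetch decides whether a file is looked up and validated. */
    if (op_needs_file(sqe->opcode)) {
        file = fget_model(sqe->fd);
        if (!file)
            return SUBMIT_EBADF;
    }

    if (race)
        race(sqe);  /* user space changes the opcode after the check passed */

    /* Second fetch dispatches on whatever the field holds now. */
    switch (sqe->opcode) {
    case OP_SENDMSG:
        return file ? SUBMIT_OK : SUBMIT_NULL_DEREF;  /* real code would use file here */
    case OP_NOP:
    default:
        return SUBMIT_OK;
    }
}

/* Hardened pattern: snapshot the opcode once into kernel-private storage and
 * use only the snapshot for both the validation and the dispatch. */
static int submit_single_fetch(struct sqe *sqe, race_fn race)
{
    const uint8_t opcode = sqe->opcode;  /* the one and only read of the shared field */
    struct file *file = NULL;

    if (op_needs_file(opcode)) {
        file = fget_model(sqe->fd);
        if (!file)
            return SUBMIT_EBADF;
    }

    if (race)
        race(sqe);  /* shared memory changes, the snapshot does not */

    switch (opcode) {
    case OP_SENDMSG:
        return file ? SUBMIT_OK : SUBMIT_NULL_DEREF;
    case OP_NOP:
    default:
        return SUBMIT_OK;
    }
}

/* Constructed racing write: NOP becomes SENDMSG after the file check was skipped. */
static void flip_to_sendmsg(struct sqe *sqe) { sqe->opcode = OP_SENDMSG; }

/* Same starting entry (NOP, no valid fd) fed through both paths with the race. */
static int run_vulnerable(void) { struct sqe s = { OP_NOP, -1 }; return submit_double_fetch(&s, flip_to_sendmsg); }
static int run_hardened(void)   { struct sqe s = { OP_NOP, -1 }; return submit_single_fetch(&s, flip_to_sendmsg); }

/* Without a race, a SENDMSG with a bad fd is rejected by both paths. */
static int run_no_race_badfd(void) { struct sqe s = { OP_SENDMSG, -1 }; return submit_single_fetch(&s, NULL); }

int main(void)
{
    printf("double fetch under race: %d (NULL deref is %d)\n", run_vulnerable(), SUBMIT_NULL_DEREF);
    printf("single fetch under race: %d (OK is %d)\n", run_hardened(), SUBMIT_OK);
    printf("no race, bad fd:         %d (EBADF is %d)\n", run_no_race_badfd(), SUBMIT_EBADF);
    return 0;
}
```

The defensive point is the one the commit message states: copy each security-relevant field out of shared memory exactly once, then validate and act on the copy. A review check for this class of bug is to look for any field of a user-mapped structure that is read in more than one place along the same request path.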