Message ID | 20200805034042.GA29805@ubuntu (mailing list archive) |
---|---|
State | New, archived |
Series | io_uring: Fix use-after-free in io_sq_wq_submit_work() |
On 8/4/20 9:40 PM, Guoyu Huang wrote:
> when ctx->sqo_mm is zero, io_sq_wq_submit_work() frees 'req'
> without deleting it from 'task_list'. After that, 'req' is
> accessed in io_ring_ctx_wait_and_kill() which leads to
> a use-after-free.

This looks like an old one that affects 5.4 only. I've massaged it to apply on top of another fix, will ask to get it queued up for stable.

Thanks!
diff --git a/fs/io_uring.c b/fs/io_uring.c index e0200406765c..4b5ac381c67f 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -2242,6 +2242,7 @@ static void io_sq_wq_submit_work(struct work_struct *work) if (io_sqe_needs_user(sqe) && !cur_mm) { if (!mmget_not_zero(ctx->sqo_mm)) { ret = -EFAULT; + goto end_req; } else { cur_mm = ctx->sqo_mm; use_mm(cur_mm);
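Review bot: the added `goto end_req;` on the `!mmget_not_zero(ctx->sqo_mm)` failure path jumps to a label that is outside the visible context, so this hunk alone does not show that the `end_req` path removes 'req' from 'task_list' before it is freed, which is exactly the property the commit message says was missing; either the commit message should state what `end_req` does, or the patch should carry enough context for a reviewer to confirm it. Minor style point on the same lines: once the if-branch ends in a `goto`, the `} else {` that follows is redundant and the `cur_mm = ctx->sqo_mm; use_mm(cur_mm);` block could be dedented, although leaving it as-is keeps the diff minimal for a stable backport.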
when ctx->sqo_mm is zero, io_sq_wq_submit_work() frees 'req'
without deleting it from 'task_list'. After that, 'req' is
accessed in io_ring_ctx_wait_and_kill() which leads to
a use-after-free.

Signed-off-by: Guoyu Huang <hgy5945@gmail.com>
---
 fs/io_uring.c | 1 +
 1 file changed, 1 insertion(+)

-- 
2.25.1