io_uring: Fix use-after-free in io_sq_wq_submit_work()

Message ID 20200805034042.GA29805@ubuntu
State New
Series
  • io_uring: Fix use-after-free in io_sq_wq_submit_work()

Commit Message

Guoyu Huang Aug. 5, 2020, 3:40 a.m. UTC
When ctx->sqo_mm is zero, io_sq_wq_submit_work() frees 'req'
without deleting it from 'task_list'. After that, 'req' is
accessed in io_ring_ctx_wait_and_kill(), which leads to
a use-after-free.

Signed-off-by: Guoyu Huang <hgy5945@gmail.com>
---
 fs/io_uring.c | 1 +
 1 file changed, 1 insertion(+)

--
2.25.1

Comments

Jens Axboe Aug. 5, 2020, 7:10 p.m. UTC | #1
On 8/4/20 9:40 PM, Guoyu Huang wrote:
> When ctx->sqo_mm is zero, io_sq_wq_submit_work() frees 'req'
> without deleting it from 'task_list'. After that, 'req' is
> accessed in io_ring_ctx_wait_and_kill(), which leads to
> a use-after-free.

This looks like an old one, that affects 5.4 only. I've massaged
it to apply on top of another fix, will ask to get it queued up for
stable. Thanks!

Patch

diff --git a/fs/io_uring.c b/fs/io_uring.c
index e0200406765c..4b5ac381c67f 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -2242,6 +2242,7 @@  static void io_sq_wq_submit_work(struct work_struct *work)
 		if (io_sqe_needs_user(sqe) && !cur_mm) {
 			if (!mmget_not_zero(ctx->sqo_mm)) {
 				ret = -EFAULT;
+				goto end_req;
 			} else {
 				cur_mm = ctx->sqo_mm;
 				use_mm(cur_mm);