[v2] io_uring/net: ensure compat import handlers clear free_iov

Message ID 1fcaa6f3-6dc7-0685-1cb3-3b1179409609@kernel.dk (mailing list archive)
State New
Series [v2] io_uring/net: ensure compat import handlers clear free_iov

Commit Message

Jens Axboe Dec. 19, 2022, 2:36 p.m. UTC
If we're not allocating the vectors because the count is below
UIO_FASTIOV, we still do need to properly clear ->free_iov to prevent
an erroneous free of on-stack data.

Reported-by: Jiri Slaby <jirislaby@gmail.com>
Fixes: 4c17a496a7a0 ("io_uring/net: fix cleanup double free free_iov init")
Cc: stable@vger.kernel.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>

---

v2: let's play it a bit safer and just always clear at the top rather
    than in the individual cases.
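To make the failure mode the commit message describes concrete, here is an added user-space model (not kernel code and not part of this patch): a hypothetical `struct async_msg` stands in for `io_async_msghdr`, the small-count path skips allocation exactly as described, and `clear_first` toggles whether `free_iov` is cleared at the top. The stale stack address is a constructed value.

```c
#include <stdlib.h>
#include <string.h>
#define UIO_FASTIOV 8   /* small-vector threshold, as in the kernel */

struct iov { void *base; size_t len; };

/* Hypothetical stand-in for io_async_msghdr: inline vectors plus a pointer
 * that must be non-NULL only when the vector was heap-allocated. */
struct async_msg {
    struct iov fast_iov[UIO_FASTIOV];
    struct iov *free_iov;
};

/* Import nr vectors. clear_first == 0 mimics the pre-fix behaviour of
 * leaving free_iov untouched on the small-count (no allocation) path. */
static int import_iov(struct async_msg *m, size_t nr, int clear_first)
{
    if (clear_first)
        m->free_iov = NULL;         /* the fix: always clear at the top */
    if (nr == 0)
        return 0;
    if (nr > UIO_FASTIOV) {         /* large count: heap-allocate */
        m->free_iov = calloc(nr, sizeof(*m->free_iov));
        return m->free_iov ? 0 : -1;
    }
    memset(m->fast_iov, 0, nr * sizeof(*m->fast_iov)); /* inline array */
    return 0;
}

/* Cleanup frees only a heap vector; returns 1 if it freed one. */
static int cleanup(struct async_msg *m)
{
    if (!m->free_iov)
        return 0;
    free(m->free_iov);
    m->free_iov = NULL;
    return 1;
}

/* Reuse a struct whose free_iov still holds a stack address (constructed
 * stale value), then import a small vector. Returns 1 if cleanup would now
 * pass that stack address to free(); cleanup itself is deliberately not run. */
static int stale_free_detected(int clear_first)
{
    struct iov stack_vec[2];
    struct async_msg m;
    m.free_iov = stack_vec;
    import_iov(&m, 2, clear_first);
    return m.free_iov == stack_vec;
}
```

Without the clear, the small-count path leaves the stale pointer in place and a later cleanup would free stack memory; with it, cleanup correctly sees nothing to free.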

Comments

Jiri Slaby Dec. 20, 2022, 6:45 a.m. UTC | #1
On 19. 12. 22, 15:36, Jens Axboe wrote:
> If we're not allocating the vectors because the count is below
> UIO_FASTIOV, we still do need to properly clear ->free_iov to prevent
> an erroneous free of on-stack data.
> 
> Reported-by: Jiri Slaby <jirislaby@gmail.com>
> Fixes: 4c17a496a7a0 ("io_uring/net: fix cleanup double free free_iov init")
> Cc: stable@vger.kernel.org
> Signed-off-by: Jens Axboe <axboe@kernel.dk>

Tested-by: Jiri Slaby <jirislaby@kernel.org>


> ---
> 
> v2: let's play it a bit safer and just always clear at the top rather
>      than in the individual cases.
> 
> diff --git a/io_uring/net.c b/io_uring/net.c
> index 5229976cb582..f76b688f476e 100644
> --- a/io_uring/net.c
> +++ b/io_uring/net.c
> @@ -494,6 +494,7 @@ static int __io_compat_recvmsg_copy_hdr(struct io_kiocb *req,
>   	if (req->flags & REQ_F_BUFFER_SELECT) {
>   		compat_ssize_t clen;
>   
> +		iomsg->free_iov = NULL;
>   		if (msg.msg_iovlen == 0) {
>   			sr->len = 0;
>   		} else if (msg.msg_iovlen > 1) {
> 

thanks,

Jens Axboe Dec. 20, 2022, 2:15 p.m. UTC | #2
On 12/19/22 11:45 PM, Jiri Slaby wrote:
> On 19. 12. 22, 15:36, Jens Axboe wrote:
>> If we're not allocating the vectors because the count is below
>> UIO_FASTIOV, we still do need to properly clear ->free_iov to prevent
>> an erroneous free of on-stack data.
>>
>> Reported-by: Jiri Slaby <jirislaby@gmail.com>
>> Fixes: 4c17a496a7a0 ("io_uring/net: fix cleanup double free free_iov init")
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Jens Axboe <axboe@kernel.dk>
> 
> Tested-by: Jiri Slaby <jirislaby@kernel.org>

Thanks for testing (and reporting).
Patch

diff --git a/io_uring/net.c b/io_uring/net.c
index 5229976cb582..f76b688f476e 100644
--- a/io_uring/net.c
+++ b/io_uring/net.c
@@ -494,6 +494,7 @@  static int __io_compat_recvmsg_copy_hdr(struct io_kiocb *req,
 	if (req->flags & REQ_F_BUFFER_SELECT) {
 		compat_ssize_t clen;
 
+		iomsg->free_iov = NULL;
 		if (msg.msg_iovlen == 0) {
 			sr->len = 0;
 		} else if (msg.msg_iovlen > 1) {
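Review bot: the new `iomsg->free_iov = NULL;` sits inside the `if (req->flags & REQ_F_BUFFER_SELECT)` block, so it only initialises the pointer for the buffer-select path, while the v2 note says "always clear at the top", which reads as the top of the function. If the non-buffer-select path (outside this hunk) can also return without assigning `free_iov`, consider hoisting the clear above the `if`; otherwise the commit message could state that that path always sets it. A one-line comment next to the clear, such as `/* small counts use the inline vectors, so nothing to free */`, would make the intent visible to the next reader.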