Message ID | 20220721110115.3964104-1-dylany@fb.com (mailing list archive) |
---|---|
State | New |
Series | io_uring: fix free of unallocated buffer list |
On 7/21/22 12:01, Dylan Yudaken wrote: > in the error path of io_register_pbuf_ring, only free bl if it was > allocated. Reviewed-by: Pavel Begunkov <asml.silence@gmail.com> > Reported-by: Dipanjan Das <mail.dipanjan.das@gmail.com> > Fixes: c7fb19428d67 ("io_uring: add support for ring mapped supplied buffers") > Signed-off-by: Dylan Yudaken <dylany@fb.com> > --- > fs/io_uring.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/fs/io_uring.c b/fs/io_uring.c > index a01ea49f3017..2b7bb62c7805 100644 > --- a/fs/io_uring.c > +++ b/fs/io_uring.c > @@ -12931,7 +12931,7 @@ static int io_register_pbuf_ring(struct io_ring_ctx *ctx, void __user *arg) > { > struct io_uring_buf_ring *br; > struct io_uring_buf_reg reg; > - struct io_buffer_list *bl; > + struct io_buffer_list *bl, *free_bl = NULL; > struct page **pages; > int nr_pages; > > @@ -12963,7 +12963,7 @@ static int io_register_pbuf_ring(struct io_ring_ctx *ctx, void __user *arg) > if (bl->buf_nr_pages || !list_empty(&bl->buf_list)) > return -EEXIST; > } else { > - bl = kzalloc(sizeof(*bl), GFP_KERNEL); > + free_bl = bl = kzalloc(sizeof(*bl), GFP_KERNEL); > if (!bl) > return -ENOMEM; > } > @@ -12972,7 +12972,7 @@ static int io_register_pbuf_ring(struct io_ring_ctx *ctx, void __user *arg) > struct_size(br, bufs, reg.ring_entries), > &nr_pages); > if (IS_ERR(pages)) { > - kfree(bl); > + kfree(free_bl); > return PTR_ERR(pages); > } > > > base-commit: ff6992735ade75aae3e35d16b17da1008d753d28
On Thu, 21 Jul 2022 04:01:15 -0700, Dylan Yudaken wrote:
> in the error path of io_register_pbuf_ring, only free bl if it was
> allocated.
>
>

Applied, thanks!

[1/1] io_uring: fix free of unallocated buffer list
      commit: ec8516f3b7c40ba7050e6b3a32467e9de451ecdf

Best regards,
diff --git a/fs/io_uring.c b/fs/io_uring.c index a01ea49f3017..2b7bb62c7805 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -12931,7 +12931,7 @@ static int io_register_pbuf_ring(struct io_ring_ctx *ctx, void __user *arg) { struct io_uring_buf_ring *br; struct io_uring_buf_reg reg; - struct io_buffer_list *bl; + struct io_buffer_list *bl, *free_bl = NULL; struct page **pages; int nr_pages; @@ -12963,7 +12963,7 @@ static int io_register_pbuf_ring(struct io_ring_ctx *ctx, void __user *arg) if (bl->buf_nr_pages || !list_empty(&bl->buf_list)) return -EEXIST; } else { - bl = kzalloc(sizeof(*bl), GFP_KERNEL); + free_bl = bl = kzalloc(sizeof(*bl), GFP_KERNEL); if (!bl) return -ENOMEM; } @@ -12972,7 +12972,7 @@ static int io_register_pbuf_ring(struct io_ring_ctx *ctx, void __user *arg) struct_size(br, bufs, reg.ring_entries), &nr_pages); if (IS_ERR(pages)) { - kfree(bl); + kfree(free_bl); return PTR_ERR(pages); }
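Review bot: the chained assignment in the second hunk, `free_bl = bl = kzalloc(sizeof(*bl), GFP_KERNEL);`, is a multiple assignment of the kind kernel coding style discourages and checkpatch reports; assign `bl` first, keep the `if (!bl) return -ENOMEM;` check, then set `free_bl = bl;` on its own line so the ownership marker is easy to spot. The `kfree(free_bl)` in the third hunk is fine for both branches, since `kfree(NULL)` is a no-op when `bl` came from the branch that returns `-EEXIST` on a populated list. The changelog should also state what the old `kfree(bl)` did in that branch (it freed a `bl` this call did not allocate) so the impact behind the Fixes: tag is on record.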
in the error path of io_register_pbuf_ring, only free bl if it was allocated.

Reported-by: Dipanjan Das <mail.dipanjan.das@gmail.com>
Fixes: c7fb19428d67 ("io_uring: add support for ring mapped supplied buffers")
Signed-off-by: Dylan Yudaken <dylany@fb.com>
---
fs/io_uring.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

base-commit: ff6992735ade75aae3e35d16b17da1008d753d28