| Message ID | 20230614151246.116391-1-cymi20@fudan.edu.cn (mailing list archive) |
|---|---|
| State | New |
| Series | io_uring/kbuf: fix missing check for return value of io_buffer_get_list() |
On 6/14/23 9:12 AM, Chenyuan Mi wrote:
> The io_buffer_get_list() function may return NULL, which may
> cause null pointer dereference, and other callsites of
> io_buffer_get_list() all do NULL check. Add NULL check for
> return value of io_buffer_get_list().
>
> Found by our static analysis tool.

Ah, was going to ask about a test case, but I guess it doesn't exist. I don't think this can happen, as the legacy buffer groups can only ever get added, and only get removed when the ring goes away.
diff --git a/io_uring/kbuf.c b/io_uring/kbuf.c index 2f0181521c98..d209a0a9e337 100644 --- a/io_uring/kbuf.c +++ b/io_uring/kbuf.c @@ -66,9 +66,11 @@ void io_kbuf_recycle_legacy(struct io_kiocb *req, unsigned issue_flags) buf = req->kbuf; bl = io_buffer_get_list(ctx, buf->bgid); - list_add(&buf->list, &bl->buf_list); - req->flags &= ~REQ_F_BUFFER_SELECTED; - req->buf_index = buf->bgid; + if (likely(bl)) { + list_add(&buf->list, &bl->buf_list); + req->flags &= ~REQ_F_BUFFER_SELECTED; + req->buf_index = buf->bgid; + } io_ring_submit_unlock(ctx, issue_flags); return;
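Review bot: the new `if (likely(bl))` guard in io_kbuf_recycle_legacy() has no else path, so when bl is NULL the buffer in req->kbuf is neither put back on a list nor otherwise handled and REQ_F_BUFFER_SELECTED stays set on the request, which silently leaks the buffer instead of recycling it. The commit message should explain how a request can hold a buffer selected from a group that io_buffer_get_list() then cannot find under the same lock; if that is reachable, the NULL branch needs to deal with the buffer (or at minimum WARN_ON_ONCE), and if it is not, the guard is dead code and the change should be dropped.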
The io_buffer_get_list() function may return NULL, which may cause null pointer dereference, and other callsites of io_buffer_get_list() all do NULL check. Add NULL check for return value of io_buffer_get_list().

Found by our static analysis tool.

Signed-off-by: Chenyuan Mi <cymi20@fudan.edu.cn>
---
 io_uring/kbuf.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)