Reading codes finds a possible use after free issue to sqd: thread1 | thread2 ==> io_attach_sq_data() | ===> sqd = ctx_attach->sq_data;| | ==> io_put_sq_data() | ===> refcount_dec_and_test(&sqd->refs) | If sqd->refs is zero, will free sqd. | ===> refcount_inc(&sqd->refs); | | | ====> kfree(sqd); ===> now use after free to sqd | Use refcount_inc_not_zero() to fix this issue. Signed-off-by: Xiaoguang Wang <xiaoguang.wang@xxxxxxxxxxxxxxxxx> --- fs/io_uring.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/fs/io_uring.c b/fs/io_uring.c index 33b5cf18bb51..48e230feb704 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -6868,7 +6868,11 @@ static struct io_sq_data *io_attach_sq_data(struct io_uring_params *p) return ERR_PTR(-EINVAL); } - refcount_inc(&sqd->refs); + if (!refcount_inc_not_zero(&sqd->refs)) { + fdput(f); + return ERR_PTR(-EINVAL); + } + fdput(f); return sqd; } -- 2.17.2
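Review bot: The refcount_inc_not_zero() check in this hunk only closes part of the window the commit message describes. If io_put_sq_data() drops the last reference and kfree()s sqd after `sqd = ctx_attach->sq_data` but before the new `refcount_inc_not_zero(&sqd->refs)`, the increment itself reads freed memory, so the change is only safe if something else (the file reference taken by fdget(), or a lock around sq_data) keeps sqd allocated until the refcount is bumped; the commit message should state what guarantees that, or the read of ctx_attach->sq_data and the increment need to be serialized against the teardown path. Two smaller points: returning -EINVAL for a target that is concurrently being torn down makes a transient race look like a bad argument to the caller, so a distinct errno (or a comment explaining the choice) would help; and the duplicated `fdput(f);` in the failure branch and the fall-through path could be folded into a single exit so the function keeps one cleanup path.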