when ctx->sqo_mm is zero, io_sq_wq_submit_work() frees 'req' without deleting it from 'task_list'. After that, 'req' is accessed in io_ring_ctx_wait_and_kill() which lead to a use-after-free. Signed-off-by: Guoyu Huang <hgy5945@xxxxxxxxx> --- fs/io_uring.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/io_uring.c b/fs/io_uring.c index e0200406765c..4b5ac381c67f 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -2242,6 +2242,7 @@ static void io_sq_wq_submit_work(struct work_struct *work) if (io_sqe_needs_user(sqe) && !cur_mm) { if (!mmget_not_zero(ctx->sqo_mm)) { ret = -EFAULT; + goto end_req; } else { cur_mm = ctx->sqo_mm; use_mm(cur_mm); -- 2.25.1
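Review bot: the new `goto end_req;` on the mmget_not_zero() failure path relies on the end_req label to remove 'req' from 'task_list' and complete it with ret = -EFAULT, but the label and its body are outside the shown context, so the reader cannot verify that the jump actually performs the unlink the commit message says was missing; either widen the diff context to include the end_req block or state in the commit message what end_req does with the request. Two smaller points: once `goto end_req;` is taken unconditionally, the following `} else {` is redundant and the branch reads more cleanly as `if (!mmget_not_zero(ctx->sqo_mm)) { ret = -EFAULT; goto end_req; }` with the `cur_mm = ctx->sqo_mm; use_mm(cur_mm);` code unindented after it; and the commit message says the bug triggers "when ctx->sqo_mm is zero", whereas the condition being handled is mmget_not_zero(ctx->sqo_mm) failing, i.e. the mm's user count has already dropped to zero, so the wording should describe that rather than suggest a NULL pointer.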