This is a note to let you know that I've just added the patch titled io_uring: set table->files[i] to NULL when io_sqe_file_register failed to the 5.8-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: io_uring-set-table-files-to-null-when-io_sqe_file_register-failed.patch and it can be found in the queue-5.8 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 95d1c8e5f801e959a89181a2548a3efa60a1a6ce Mon Sep 17 00:00:00 2001 From: Jiufei Xue <jiufei.xue@xxxxxxxxxxxxxxxxx> Date: Wed, 2 Sep 2020 17:59:39 +0800 Subject: io_uring: set table->files[i] to NULL when io_sqe_file_register failed From: Jiufei Xue <jiufei.xue@xxxxxxxxxxxxxxxxx> commit 95d1c8e5f801e959a89181a2548a3efa60a1a6ce upstream. While io_sqe_file_register() failed in __io_sqe_files_update(), table->files[i] still point to the original file which may freed soon, and that will trigger use-after-free problems. Cc: stable@xxxxxxxxxxxxxxx Fixes: f3bd9dae3708 ("io_uring: fix memleak in __io_sqe_files_update()") Signed-off-by: Jiufei Xue <jiufei.xue@xxxxxxxxxxxxxxxxx> Signed-off-by: Jens Axboe <axboe@xxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- fs/io_uring.c | 1 + 1 file changed, 1 insertion(+) --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -6957,6 +6957,7 @@ static int __io_sqe_files_update(struct table->files[index] = file; err = io_sqe_file_register(ctx, file, i); if (err) { + table->files[index] = NULL; fput(file); break; } Patches currently in stable-queue which might be from jiufei.xue@xxxxxxxxxxxxxxxxx are queue-5.8/io_uring-fix-removing-the-wrong-file-in-__io_sqe_files_update.patch queue-5.8/io_uring-set-table-files-to-null-when-io_sqe_file_register-failed.patch
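Review bot: the ordering in this hunk is the point that matters: `table->files[index] = NULL;` must come before `fput(file);`, so that no table slot is left pointing at a file whose last reference has just been dropped, and the hunk does that. Two things to confirm in the surrounding code not shown: (1) the `break` leaves the slots updated in earlier iterations of the loop in place, so the caller must either treat a partially applied update as a valid state or unwind it; (2) the table is indexed with `index` while `io_sqe_file_register()` is called with `i`, which is only correct if `index` is the within-table offset derived from `i`; a short comment stating that relationship would save the next reader a lookup. For the stable backport, also confirm that queue-5.8 already carries f3bd9dae3708 (the `Fixes:` target that introduced the `fput()` on this error path); the companion patch listed for the same queue, io_uring-fix-removing-the-wrong-file-in-__io_sqe_files_update.patch, should be applied in the same order as upstream so the two hunks do not conflict.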