This is a note to let you know that I've just added the patch titled

    io_uring/net: ensure compat import handlers clear free_iov

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     io_uring-net-ensure-compat-import-handlers-clear-free_iov.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable
tree, please let <stable@xxxxxxxxxxxxxxx> know about it.


From 990a4de57e44f4f4cfc33c90d2ec5d285b7c8342 Mon Sep 17 00:00:00 2001
From: Jens Axboe <axboe@xxxxxxxxx>
Date: Mon, 19 Dec 2022 07:28:26 -0700
Subject: io_uring/net: ensure compat import handlers clear free_iov

From: Jens Axboe <axboe@xxxxxxxxx>

commit 990a4de57e44f4f4cfc33c90d2ec5d285b7c8342 upstream.

If we're not allocating the vectors because the count is below
UIO_FASTIOV, we still do need to properly clear ->free_iov to prevent
an erroneous free of on-stack data.

Reported-by: Jiri Slaby <jirislaby@xxxxxxxxx>
Fixes: 4c17a496a7a0 ("io_uring/net: fix cleanup double free free_iov init")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Jens Axboe <axboe@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 io_uring/net.c | 1 +
 1 file changed, 1 insertion(+)

--- a/io_uring/net.c
+++ b/io_uring/net.c
@@ -479,6 +479,7 @@ static int __io_compat_recvmsg_copy_hdr( if (req->flags & REQ_F_BUFFER_SELECT) { compat_ssize_t clen; + iomsg->free_iov = NULL; if (msg.msg_iovlen == 0) { sr->len = 0; } else if (msg.msg_iovlen > 1) { Patches currently in stable-queue which might be from axboe@xxxxxxxxx are queue-6.1/dm-make-sure-create-and-remove-dm-device-won-t-race-.patch queue-6.1/block-factor-out-a-blk_debugfs_remove-helper.patch queue-6.1/relay-fix-type-mismatch-when-allocating-memory-in-re.patch queue-6.1/eventfd-change-int-to-__u64-in-eventfd_signal-ifndef.patch queue-6.1/loop-fix-the-max_loop-commandline-argument-treatment-when-it-is-set-to-0.patch queue-6.1/blk-crypto-pass-a-gendisk-to-blk_crypto_sysfs_-un-re.patch queue-6.1/io_uring-pass-in-epoll_uring_wake-for-eventfd-signaling-and-wakeups.patch queue-6.1/blk-mq-fix-possible-memleak-when-register-hctx-faile.patch queue-6.1/io_uring-net-introduce-ioring_send_zc_report_usage-flag.patch queue-6.1/io_uring-net-fix-cleanup-after-recycle.patch queue-6.1/io_uring-dont-remove-file-from-msg_ring-reqs.patch queue-6.1/block-mark-blk_put_queue-as-potentially-blocking.patch queue-6.1/dm-track-per-add_disk-holder-relations-in-dm.patch queue-6.1/blk-iolatency-fix-memory-leak-on-add_disk-failures.patch queue-6.1/io_uring-protect-cq_timeouts-with-timeout_lock.patch queue-6.1/block-fix-error-unwinding-in-blk_register_queue.patch queue-6.1/drbd-remove-call-to-memset-before-free-device-resour.patch queue-6.1/dm-cleanup-close_table_device.patch queue-6.1/blktrace-fix-output-non-blktrace-event-when-blk_clas.patch queue-6.1/drbd-use-blk_queue_max_discard_sectors-helper.patch queue-6.1/block-fix-use-after-free-of-q-q_usage_counter.patch queue-6.1/blk-mq-move-the-srcu_struct-used-for-quiescing-to-th.patch queue-6.1/drbd-destroy-workqueue-when-drbd-device-was-freed.patch queue-6.1/block-bfq-fix-possible-uaf-for-bfqq-bic.patch queue-6.1/io_uring-add-completion-locking-for-iopoll.patch 
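Review bot: the placement of `iomsg->free_iov = NULL;` is the right one, since it sits before both the `msg.msg_iovlen == 0` branch (`sr->len = 0`) and the `msg.msg_iovlen > 1` branch, so the two cases that do not allocate a vector now leave free_iov NULL instead of whatever the caller's on-stack `iomsg` or a recycled async header happened to contain; per the commit message, a stale non-NULL value there is exactly what the cleanup path would otherwise hand to free, which is the erroneous free of on-stack data being fixed. Two things to confirm before queueing: the assignment lives only inside the `REQ_F_BUFFER_SELECT` branch of `__io_compat_recvmsg_copy_hdr`, so the non-buffer-select path (not shown in this hunk) must be verified to set free_iov on every return, and the native, non-compat copy_hdr counterpart should be checked for the same below-UIO_FASTIOV shortcut since the subject says "handlers" while the diffstat touches one site. A one-line comment above the assignment, such as `/* no iov is allocated below this point: nothing for cleanup to free */`, would make the intent of the unconditional reset obvious to the next person touching this branch.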
queue-6.1/block-untangle-request_queue-refcounting-from-sysfs.patch queue-6.1/block-clear-slave_dir-when-dropping-the-main-slave_d.patch queue-6.1/io_uring-net-ensure-compat-import-handlers-clear-free_iov.patch queue-6.1/bfq-fix-waker_bfqq-inconsistency-crash.patch queue-6.1/blk-mq-avoid-double-queue_rq-because-of-early-timeou.patch queue-6.1/dm-cleanup-open_table_device.patch queue-6.1/io_uring-improve-io_double_lock_ctx-fail-handling.patch