This is a note to let you know that I've just added the patch titled
io_uring/net: ensure compat import handlers clear free_iov
to the 6.1-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
io_uring-net-ensure-compat-import-handlers-clear-free_iov.patch
and it can be found in the queue-6.1 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From 990a4de57e44f4f4cfc33c90d2ec5d285b7c8342 Mon Sep 17 00:00:00 2001
From: Jens Axboe <axboe@xxxxxxxxx>
Date: Mon, 19 Dec 2022 07:28:26 -0700
Subject: io_uring/net: ensure compat import handlers clear free_iov
From: Jens Axboe <axboe@xxxxxxxxx>
commit 990a4de57e44f4f4cfc33c90d2ec5d285b7c8342 upstream.
If we're not allocating the vectors because the count is below
UIO_FASTIOV, we still do need to properly clear ->free_iov to prevent
an erronous free of on-stack data.
Reported-by: Jiri Slaby <jirislaby@xxxxxxxxx>
Fixes: 4c17a496a7a0 ("io_uring/net: fix cleanup double free free_iov init")
Cc: stable@xxxxxxxxxxxxxxx
Signed-off-by: Jens Axboe <axboe@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
io_uring/net.c | 1 +
1 file changed, 1 insertion(+)
--- a/io_uring/net.c
+++ b/io_uring/net.c
@@ -479,6 +479,7 @@ static int __io_compat_recvmsg_copy_hdr(
if (req->flags & REQ_F_BUFFER_SELECT) {
compat_ssize_t clen;
+ iomsg->free_iov = NULL;
if (msg.msg_iovlen == 0) {
sr->len = 0;
} else if (msg.msg_iovlen > 1) {
Patches currently in stable-queue which might be from axboe@xxxxxxxxx are
queue-6.1/dm-make-sure-create-and-remove-dm-device-won-t-race-.patch
queue-6.1/block-factor-out-a-blk_debugfs_remove-helper.patch
queue-6.1/relay-fix-type-mismatch-when-allocating-memory-in-re.patch
queue-6.1/eventfd-change-int-to-__u64-in-eventfd_signal-ifndef.patch
queue-6.1/loop-fix-the-max_loop-commandline-argument-treatment-when-it-is-set-to-0.patch
queue-6.1/blk-crypto-pass-a-gendisk-to-blk_crypto_sysfs_-un-re.patch
queue-6.1/io_uring-pass-in-epoll_uring_wake-for-eventfd-signaling-and-wakeups.patch
queue-6.1/blk-mq-fix-possible-memleak-when-register-hctx-faile.patch
queue-6.1/io_uring-net-introduce-ioring_send_zc_report_usage-flag.patch
queue-6.1/io_uring-net-fix-cleanup-after-recycle.patch
queue-6.1/io_uring-dont-remove-file-from-msg_ring-reqs.patch
queue-6.1/block-mark-blk_put_queue-as-potentially-blocking.patch
queue-6.1/dm-track-per-add_disk-holder-relations-in-dm.patch
queue-6.1/blk-iolatency-fix-memory-leak-on-add_disk-failures.patch
queue-6.1/io_uring-protect-cq_timeouts-with-timeout_lock.patch
queue-6.1/block-fix-error-unwinding-in-blk_register_queue.patch
queue-6.1/drbd-remove-call-to-memset-before-free-device-resour.patch
queue-6.1/dm-cleanup-close_table_device.patch
queue-6.1/blktrace-fix-output-non-blktrace-event-when-blk_clas.patch
queue-6.1/drbd-use-blk_queue_max_discard_sectors-helper.patch
queue-6.1/block-fix-use-after-free-of-q-q_usage_counter.patch
queue-6.1/blk-mq-move-the-srcu_struct-used-for-quiescing-to-th.patch
queue-6.1/drbd-destroy-workqueue-when-drbd-device-was-freed.patch
queue-6.1/block-bfq-fix-possible-uaf-for-bfqq-bic.patch
queue-6.1/io_uring-add-completion-locking-for-iopoll.patch
queue-6.1/block-untangle-request_queue-refcounting-from-sysfs.patch
queue-6.1/block-clear-slave_dir-when-dropping-the-main-slave_d.patch
queue-6.1/io_uring-net-ensure-compat-import-handlers-clear-free_iov.patch
queue-6.1/bfq-fix-waker_bfqq-inconsistency-crash.patch
queue-6.1/blk-mq-avoid-double-queue_rq-because-of-early-timeou.patch
queue-6.1/dm-cleanup-open_table_device.patch
queue-6.1/io_uring-improve-io_double_lock_ctx-fail-handling.patch
