This is a note to let you know that I've just added the patch titled

    io_uring: avoid null-ptr-deref in io_arm_poll_handler

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     io_uring-avoid-null-ptr-deref-in-io_arm_poll_handler.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


From pchelkin@xxxxxxxxx Mon Mar 20 14:30:30 2023
From: Fedor Pchelkin <pchelkin@xxxxxxxxx>
Date: Thu, 16 Mar 2023 21:56:16 +0300
Subject: io_uring: avoid null-ptr-deref in io_arm_poll_handler
To: Jens Axboe <axboe@xxxxxxxxx>, Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>, stable@xxxxxxxxxxxxxxx
Cc: Fedor Pchelkin <pchelkin@xxxxxxxxx>, linux-kernel@xxxxxxxxxxxxxxx, Alexey Khoroshilov <khoroshilov@xxxxxxxxx>, lvc-project@xxxxxxxxxxxxxxxx
Message-ID: <20230316185616.271024-1-pchelkin@xxxxxxxxx>

From: Fedor Pchelkin <pchelkin@xxxxxxxxx>

No upstream commit exists for this commit.

The issue was introduced with backporting upstream commit c16bda37594f
("io_uring/poll: allow some retries for poll triggering spuriously").

Memory allocation can possibly fail, causing an invalid pointer to be
dereferenced just before comparing it to the NULL value. Move the pointer
check to the proper place (upstream has a similar location for the check).
In case the request has the REQ_F_POLLED flag up, apoll can't be NULL, so
there is no need to check there.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Signed-off-by: Fedor Pchelkin <pchelkin@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 io_uring/io_uring.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -5937,10 +5937,10 @@ static int io_arm_poll_handler(struct io } } else { apoll = kmalloc(sizeof(*apoll), GFP_ATOMIC); + if (unlikely(!apoll)) + return IO_APOLL_ABORTED; apoll->poll.retries = APOLL_MAX_RETRY; } - if (unlikely(!apoll)) - return IO_APOLL_ABORTED; apoll->double_poll = NULL; req->apoll = apoll; req->flags |= REQ_F_POLLED; Patches currently in stable-queue which might be from pchelkin@xxxxxxxxx are queue-5.15/nfc-pn533-initialize-struct-pn533_out_arg-properly.patch queue-5.15/io_uring-avoid-null-ptr-deref-in-io_arm_poll_handler.patch
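Review bot: The NULL check now sits where it has to, immediately after `kmalloc(sizeof(*apoll), GFP_ATOMIC)` and before the first write through the pointer (`apoll->poll.retries = APOLL_MAX_RETRY`), so an allocation failure can no longer fault on that store. One thing worth adding in the same hunk: the removed common check was the only thing that documented the REQ_F_POLLED path, and the later `apoll->double_poll = NULL;` store still runs for both branches on the strength of the invariant that `req->apoll` is non-NULL whenever REQ_F_POLLED is set. A one-line comment on the REQ_F_POLLED branch stating that invariant (as the commit message does) would keep a future reader from re-adding a check in the wrong place or dropping the early return. Also confirm that the early `return IO_APOLL_ABORTED;` leaves the request untouched: it returns before `req->apoll` and `REQ_F_POLLED` are written, which is the behaviour the caller of the pre-existing abort path already expects.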
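The ordering bug the commit message describes (write through a freshly allocated pointer, then test it for NULL) is easiest to see with the allocation forced to fail. The following is an added user-space model of the patched control flow, written for this note; it is not the kernel code. The struct layouts, the `fake_kmalloc` allocator with its `fake_alloc_fail` knob, and the helper names `arm_poll_fixed` and `demo_run` are assumptions made for illustration, and the re-arm path only models what the hunk shows (it does not reproduce the retry accounting upstream does on that path).

```c
/* Added example (not kernel code): a user-space model of the patched
 * io_arm_poll_handler() ordering. Struct names, the fault-injecting
 * allocator and the helper names are assumptions for illustration. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IO_APOLL_OK      0
#define IO_APOLL_ABORTED 1
#define REQ_F_POLLED     (1u << 0)
#define APOLL_MAX_RETRY  3

struct io_poll { int retries; };
struct async_poll {
    struct io_poll poll;
    struct io_poll *double_poll;
};
struct io_kiocb {
    unsigned int flags;
    struct async_poll *apoll;
};

/* Stand-in for kmalloc(GFP_ATOMIC) failing under memory pressure.
 * Assumption: a global fault-injection flag, not a kernel API. */
static bool fake_alloc_fail;

static void *fake_kmalloc(size_t n)
{
    return fake_alloc_fail ? NULL : calloc(1, n);
}

/* Mirrors the patched ordering: validate the pointer right after the
 * allocation and before the first store through it. */
static int arm_poll_fixed(struct io_kiocb *req)
{
    struct async_poll *apoll;

    if (req->flags & REQ_F_POLLED) {
        /* Re-arm path: apoll was stored when REQ_F_POLLED was set, so it
         * cannot be NULL here (the invariant the commit message relies on). */
        apoll = req->apoll;
    } else {
        apoll = fake_kmalloc(sizeof(*apoll));
        if (!apoll)
            return IO_APOLL_ABORTED;   /* nothing written yet, nothing to unwind */
        apoll->poll.retries = APOLL_MAX_RETRY;
    }
    apoll->double_poll = NULL;
    req->apoll = apoll;
    req->flags |= REQ_F_POLLED;
    return IO_APOLL_OK;
}

/* Drive the model: arm with the allocator failing, then succeeding, then
 * re-arm the already-polled request. Returns a bitmask of outcomes so each
 * property can be checked individually; 7 means all three held. */
static int demo_run(void)
{
    struct io_kiocb req;
    int outcomes = 0;

    memset(&req, 0, sizeof(req));

    fake_alloc_fail = true;
    if (arm_poll_fixed(&req) == IO_APOLL_ABORTED &&
        req.apoll == NULL && !(req.flags & REQ_F_POLLED))
        outcomes |= 1;   /* failure returns cleanly, request untouched */

    fake_alloc_fail = false;
    if (arm_poll_fixed(&req) == IO_APOLL_OK &&
        req.apoll != NULL && req.apoll->poll.retries == APOLL_MAX_RETRY)
        outcomes |= 2;   /* fresh allocation initialises retries */

    req.apoll->poll.retries = 1;
    if (arm_poll_fixed(&req) == IO_APOLL_OK && req.apoll->poll.retries == 1)
        outcomes |= 4;   /* re-arm reuses the existing apoll, retries kept */

    free(req.apoll);
    return outcomes;
}

int main(void)
{
    int r = demo_run();

    printf("outcomes bitmask: %d (7 = all checks passed)\n", r);
    return r == 7 ? 0 : 1;
}
```

The point the model makes is the contract of the early return: when the allocation fails, the function returns before `req->apoll` and `REQ_F_POLLED` are written, so the caller sees the same request it passed in. In the pre-patch ordering the `retries` store would have executed on the NULL pointer first, which is exactly what Syzkaller tripped over.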