On 8/5/20 12:34 PM, Jens Axboe wrote:
> Hi,
>
> Below is an io_uring patch that I'd like to get into 5.4. There's no
> equiv 5.5 commit, because the resulting changes were a lot more invasive
> there to avoid re-reading important sqe fields. But the reporter has
> also tested this one and verifies it fixes his issue. Can we get this
> queued up for 5.4?

And on top of that, this one as well, which is also only applicable to 5.4.

Thanks!

commit 33757992d5627b986757fd70ff86d73f2bda0dac
Author: Guoyu Huang <hgy5945@xxxxxxxxx>
Date:   Tue Aug 4 20:40:42 2020 -0700

    io_uring: Fix use-after-free in io_sq_wq_submit_work()

    When ctx->sqo_mm is zero, io_sq_wq_submit_work() frees 'req'
    without deleting it from 'task_list'. After that, 'req' is accessed
    in io_ring_ctx_wait_and_kill(), which leads to a use-after-free.

    Signed-off-by: Guoyu Huang <hgy5945@xxxxxxxxx>
    Signed-off-by: Jens Axboe <axboe@xxxxxxxxx>

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 8bb5e19b7c3c..be3d595a607f 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -2232,6 +2232,7 @@ static void io_sq_wq_submit_work(struct work_struct *work)
 		if (io_req_needs_user(req) && !cur_mm) {
 			if (!mmget_not_zero(ctx->sqo_mm)) {
 				ret = -EFAULT;
+				goto end_req;
 			} else {
 				cur_mm = ctx->sqo_mm;
 				use_mm(cur_mm);

-- 
Jens Axboe
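Review bot: the added `goto end_req;` jumps to a label whose definition and cleanup are outside the shown context, yet the correctness of the fix rests entirely on that path: per the commit message the bug is that `req` is freed while still linked on `task_list`, so the reviewer needs to see, or the commit message needs to state, that the `end_req` path unlinks `req` from `task_list` before it completes and frees it. Consider widening the hunk context to include the `end_req:` label, or adding one sentence to the commit message saying what `end_req` does with `ret` (here `-EFAULT`) and with the list entry. Also worth noting in the message: because the `goto` bypasses the `else` branch, `cur_mm` stays NULL on this path, so nothing after the jump may assume an mm was acquired.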