On Wed, Aug 05, 2020 at 12:34:09PM -0600, Jens Axboe wrote:
> Hi,
>
> Below is an io_uring patch that I'd like to get into 5.4. There's no
> equiv 5.5 commit, because the resulting changes were a lot more invasive
> there to avoid re-reading important sqe fields. But the reporter has
> also tested this one and verifies it fixes his issue. Can we get this
> queued up for 5.4?
>
>
> commit 8cfecb9a5d7b2aff34547652adc5bb00a8da5fac
> Author: Jens Axboe <axboe@xxxxxxxxx>
> Date:   Wed Aug 5 12:30:36 2020 -0600
>
>     io_uring: prevent re-read of sqe->opcode
>
>     Liu reports that he can trigger a NULL pointer dereference with
>     IORING_OP_SENDMSG, by changing the sqe->opcode after we've validated
>     that the previous opcode didn't need a file and didn't assign one.
>
>     Ensure we validate and read the opcode only once.
>
>     Reported-by: Liu Yong <pkfxxxing@xxxxxxxxx>
>     Tested-by: Liu Yong <pkfxxxing@xxxxxxxxx>
>     Signed-off-by: Jens Axboe <axboe@xxxxxxxxx>

Now queued up, thanks!

greg k-h
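The double fetch the commit message describes, as an added example in plain C that is not part of the patch or of io_uring itself: a constructed model of a submission queue entry living in userspace-shared memory, the vulnerable read-twice shape beside the read-once fix, with the struct layout, the function names, the file table and the "racer" hook that stands in for a concurrent userspace writer all being assumptions of this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of an io_uring submission queue entry (sqe). The real
 * ring lives in memory shared with userspace, so two reads of sqe->opcode
 * may observe different values. */
enum { OP_NOP = 0, OP_SENDMSG = 1 };
struct sqe  { uint8_t opcode; int fd; };
struct file { int fd; };

#define ERR_NULL_FILE (-1)   /* models the NULL pointer dereference */

static bool op_needs_file(uint8_t op) { return op == OP_SENDMSG; }

/* Hook standing in for a concurrent userspace writer flipping the opcode. */
typedef void (*racer_fn)(struct sqe *);
static void flip_to_sendmsg(struct sqe *s) { s->opcode = OP_SENDMSG; }

/* Vulnerable shape: the file is assigned based on one read of the opcode,
 * but the request is dispatched on a second read of the same shared field. */
static int submit_double_fetch(struct sqe *sqe, racer_fn racer, struct file *files)
{
    struct file *file = NULL;
    if (op_needs_file(sqe->opcode))        /* fetch #1: NOP, so no file */
        file = &files[sqe->fd];
    if (racer) racer(sqe);                 /* userspace rewrites the opcode here */
    if (sqe->opcode == OP_SENDMSG)         /* fetch #2: SENDMSG, file still NULL */
        return file ? file->fd : ERR_NULL_FILE;
    return 0;
}

/* Fixed shape: copy the opcode out of shared memory exactly once (the kernel
 * uses READ_ONCE() for this) and validate and dispatch on that local copy. */
static int submit_single_fetch(struct sqe *sqe, racer_fn racer, struct file *files)
{
    uint8_t opcode = *(volatile uint8_t *)&sqe->opcode;   /* the only fetch */
    struct file *file = NULL;
    if (op_needs_file(opcode))
        file = &files[sqe->fd];
    if (racer) racer(sqe);                 /* the late write no longer matters */
    if (opcode == OP_SENDMSG)
        return file ? file->fd : ERR_NULL_FILE;
    return 0;
}

/* Scenario: the entry starts as NOP and the writer flips it mid-submission. */
typedef int (*submit_fn)(struct sqe *, racer_fn, struct file *);
static int run_race(submit_fn submit)
{
    struct sqe sqe = { OP_NOP, 0 };
    struct file files[1] = { { 7 } };      /* constructed one-entry file table */
    return submit(&sqe, flip_to_sendmsg, files);
}
```

`run_race(submit_double_fetch)` reaches the NULL file and returns `ERR_NULL_FILE`, while `run_race(submit_single_fetch)` acts on the opcode it validated and returns 0.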