On Thu, 19 May 2022, Jens Axboe wrote: > Hi, > > Can we get this queued up for 5.10-stable? Thanks! > > From b1da21187de121e2ed2dc2e0c70d5aabce469691 Mon Sep 17 00:00:00 2001 > From: Jens Axboe <axboe@xxxxxxxxx> > Date: Thu, 19 May 2022 06:05:27 -0600 > Subject: [PATCH] io_uring: always grab file table for deferred statx > > Lee reports that there's a use-after-free of the process file table. > There's an assumption that we don't need the file table for some > variants of statx invocation, but that turns out to be false and we > end up with not grabbing a reference for the request even if the > deferred execution uses it. > > Get rid of the REQ_F_NO_FILE_TABLE optimization for statx, and always > grab that reference. > > This issues doesn't exist upstream since the native workers got > introduced with 5.12. > > Link: https://lore.kernel.org/io-uring/YoOJ%2FT4QRKC+fAZE@xxxxxxxxxx/ > Reported-by: Lee Jones <lee.jones@xxxxxxxxxx> > Signed-off-by: Jens Axboe <axboe@xxxxxxxxx> Tested-by: Lee Jones <lee.jones@xxxxxxxxxx> > --- > fs/io_uring.c | 6 +----- > 1 file changed, 1 insertion(+), 5 deletions(-) > > diff --git a/fs/io_uring.c b/fs/io_uring.c > index 4330603eae35..3ecf71151fb1 100644 > --- a/fs/io_uring.c > +++ b/fs/io_uring.c > @@ -4252,12 +4252,8 @@ static int io_statx(struct io_kiocb *req, bool force_nonblock) > struct io_statx *ctx = &req->statx; > int ret; > > - if (force_nonblock) { > - /* only need file table for an actual valid fd */ > - if (ctx->dfd == -1 || ctx->dfd == AT_FDCWD) > - req->flags |= REQ_F_NO_FILE_TABLE; > + if (force_nonblock) > return -EAGAIN; > - } > > ret = do_statx(ctx->dfd, ctx->filename, ctx->flags, ctx->mask, > ctx->buffer); -- Lee Jones [李琼斯] Principal Technical Lead - Developer Services Linaro.org │ Open source software for Arm SoCs Follow Linaro: Facebook | Twitter | Blog
