shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-06-07 19:30:30 +09:00
Code Issues Packages Projects Releases Wiki Activity

io_uring: Fix use-after-free in io_sq_wq_submit_work()

Browse Source 
when ctx->sqo_mm is zero, io_sq_wq_submit_work() frees 'req'
without deleting it from 'task_list'. After that, 'req' is
accessed in io_ring_ctx_wait_and_kill() which lead to
a use-after-free.

Signed-off-by: Guoyu Huang <hgy5945@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Guoyu Huang
2020-08-05 13:10:25 -06:00
committed by Greg Kroah-Hartman
parent a4d61e66ee
commit e8053c6833
1 changed files with 1 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
fs/io_uring.c
View File

@@ -2232,6 +2232,7 @@ restart:
if (io_req_needs_user(req) && !cur_mm) {
if (!mmget_not_zero(ctx->sqo_mm)) {
ret = -EFAULT;
goto end_req;
} else {
cur_mm = ctx->sqo_mm;
use_mm(cur_mm);