Commit e8053c68 authored Aug 05, 2020 by Guoyu Huang Committed by Greg Kroah-Hartman Aug 11, 2020

io_uring: Fix use-after-free in io_sq_wq_submit_work()



when ctx->sqo_mm is zero, io_sq_wq_submit_work() frees 'req'
without deleting it from 'task_list'. After that, 'req' is
accessed in io_ring_ctx_wait_and_kill() which lead to
a use-after-free.

Signed-off-by: Guoyu Huang <hgy5945@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent a4d61e66

fs/io_uring.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -2232,6 +2232,7 @@ static void io_sq_wq_submit_work(struct work_struct *work)
		if (io_req_needs_user(req) && !cur_mm) {
		if (!mmget_not_zero(ctx->sqo_mm)) {
		ret = -EFAULT;
		goto end_req;
		} else {
		cur_mm = ctx->sqo_mm;
		use_mm(cur_mm);