-
由 Matthew Wilcox (Oracle) 提交于
mainline inclusion from mainline-v5.12-rc3 commit 61cf9370 category: bugfix bugzilla: 50492 CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=61cf93700fe6359552848ed5e3becba6cd760efa --------------------------- You can't call idr_remove() from within a idr_for_each() callback, but you can call xa_erase() from an xa_for_each() loop, so switch the entire personality_idr from the IDR to the XArray. This manifests as a use-after-free as idr_for_each() attempts to walk the rest of the node after removing the last entry from it. Fixes: 071698e1 ("io_uring: allow registering credentials") Cc: stable@vger.kernel.org # 5.6+ Reported-by: Nyangerkun <yangerkun@huawei.com> Signed-off-by: NMatthew Wilcox (Oracle) <willy@infradead.org> [Pavel: rebased (creds load was moved into io_init_req())] Signed-off-by: NPavel Begunkov <asml.silence@gmail.com> Link: https://lore.kernel.org/r/7ccff36e1375f2b0ebf73d957f037b43becc0dde.1615212806.git.asml.silence@gmail.comSigned-off-by: NJens Axboe <axboe@kernel.dk> Conflicts: fs/io_uring.c Signed-off-by: Nyangerkun <yangerkun@huawei.com> Reviewed-by: Nzhangyi (F) <yi.zhang@huawei.com> Signed-off-by: NChen Jun <chenjun102@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
a22906e5