From 129bf7465657defdf521b8c44f2361d4aa91665a Mon Sep 17 00:00:00 2001
From: Jens Axboe
Date: Wed, 17 Aug 2022 10:58:06 +0800
Subject: [PATCH] io_uring: always grab file table for deferred statx

stable inclusion
from stable-v5.10.118
commit 3c48558be571e01f67e65edcf03193484eeb2b79
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I5L686

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3c48558be571e01f67e65edcf03193484eeb2b79

--------------------------------

Lee reports that there's a use-after-free of the process file table. There's an assumption that we don't need the file table for some variants of statx invocation, but that turns out to be false and we end up with not grabbing a reference for the request even if the deferred execution uses it.

Get rid of the REQ_F_NO_FILE_TABLE optimization for statx, and always grab that reference.

This issue doesn't exist upstream since the native workers got introduced with 5.12.

Link: https://lore.kernel.org/io-uring/YoOJ%2FT4QRKC+fAZE@google.com/
Reported-by: Lee Jones
Signed-off-by: Jens Axboe
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Zheng Zengkai
Acked-by: Xie XiuQi
--- fs/io_uring.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/fs/io_uring.c b/fs/io_uring.c index 040d1aafc968..5a88260a8dd8 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -4263,12 +4263,8 @@ static int io_statx(struct io_kiocb *req, bool force_nonblock) struct io_statx *ctx = &req->statx; int ret; - if (force_nonblock) { - /* only need file table for an actual valid fd */ - if (ctx->dfd == -1 || ctx->dfd == AT_FDCWD) - req->flags |= REQ_F_NO_FILE_TABLE; + if (force_nonblock) return -EAGAIN; - } ret = do_statx(ctx->dfd, ctx->filename, ctx->flags, ctx->mask, ctx->buffer); -- GitLab
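Review bot: The bare "if (force_nonblock) return -EAGAIN;" that remains in io_statx() carries no comment explaining why the file table reference must always be taken, so the removed "only need file table for an actual valid fd" shortcut could be reintroduced by a later cleanup. A one-line comment at that spot, noting that the deferred do_statx() call may use the process file table even when ctx->dfd is -1 or AT_FDCWD, would record the assumption the commit message says turned out to be false. The message also does not name the path in the deferred execution that uses the file table for those dfd values, and it has no Fixes: tag pointing at the commit that added the optimization. Both would help anyone checking whether other places that set REQ_F_NO_FILE_TABLE rely on the same reasoning and are exposed to the same use-after-free.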