io_uring: always grab file table for deferred statx

stable inclusion from stable-v5.10.118 commit 3c48558be571e01f67e65edcf03193484eeb2b79 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5L686 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3c48558be571e01f67e65edcf03193484eeb2b79 -------------------------------- Lee reports that there's a use-after-free of the process file table. There's an assumption that we don't need the file table for some variants of statx invocation, but that turns out to be false and we end up with not grabbing a reference for the request even if the deferred execution uses it. Get rid of the REQ_F_NO_FILE_TABLE optimization for statx, and always grab that reference. This issues doesn't exist upstream since the native workers got introduced with 5.12. Link: https://lore.kernel.org/io-uring/YoOJ%2FT4QRKC+fAZE@google.com/Reported-by: N Lee Jones <lee.jones@linaro.org> Signed-off-by: N Jens Axboe <axboe@kernel.dk> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com> Acked-by: N Xie XiuQi <xiexiuqi@huawei.com>

io_uring: always grab file table for deferred statx
stable inclusion from stable-v5.10.118 commit 3c48558be571e01f67e65edcf03193484eeb2b79 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I5L686 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=3c48558be571e01f67e65edcf03193484eeb2b79 -------------------------------- Lee reports that there's a use-after-free of the process file table. There's an assumption that we don't need the file table for some variants of statx invocation, but that turns out to be false and we end up with not grabbing a reference for the request even if the deferred execution uses it. Get rid of the REQ_F_NO_FILE_TABLE optimization for statx, and always grab that reference. This issues doesn't exist upstream since the native workers got introduced with 5.12. Link: https://lore.kernel.org/io-uring/YoOJ%2FT4QRKC+fAZE@google.com/Reported-by: N Lee Jones <lee.jones@linaro.org> Signed-off-by: N Jens Axboe <axboe@kernel.dk> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com> Acked-by: N Xie XiuQi <xiexiuqi@huawei.com>
129bf746 · Jens Axboe · Zheng Zengkai · af6d8046 · 129bf746
显示空白变更内容
内联并排

Showing with 1 addition and 5 deletion

fs/io_uring.c fs/io_uring.c +1 -5

未找到文件。
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -4263,12 +4263,8 @@ static int io_statx(struct io_kiocb *req, bool force_nonblock)
 	struct io_statx *ctx = &req->statx;
 	int ret;
-	if (force_nonblock) {
+	if (force_nonblock)
-		/* only need file table for an actual valid fd */
-		if (ctx->dfd == -1 || ctx->dfd == AT_FDCWD)
-			req->flags |= REQ_F_NO_FILE_TABLE;
 		return -EAGAIN;
-	}
 	ret = do_statx(ctx->dfd, ctx->filename, ctx->flags, ctx->mask,
 		       ctx->buffer);