io_uring: fix using under-expanded iters

stable inclusion from stable-v5.10.119 commit 8adb751d294ed3b668f1c7e41bd7ebe49002a744 category: bugfix bugzilla: 186671,https://gitee.com/src-openeuler/kernel/issues/I56MH6 CVE: CVE-2022-1508 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=8adb751d294ed3b668f1c7e41bd7ebe49002a744 -------------------------------- [ upstream commit cd658695 ] The issue was first described and addressed in 89c2b3b7 ("io_uring: reexpand under-reexpanded iters"), but shortly after reimplemented as. cd658695 ("io_uring: use iov_iter state save/restore helpers"). Here we follow the approach from the second patch but without in-callback resubmissions, fixups for not yet supported in 5.10 short read retries and replacing iov_iter_state with iter copies to not pull even more dependencies, and because it's just much simpler. Signed-off-by: N Pavel Begunkov <asml.silence@gmail.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Guo Xuenan <guoxuenan@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Reviewed-by: N Zhang Yi <yi.zhang@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

io_uring: fix using under-expanded iters
stable inclusion from stable-v5.10.119 commit 8adb751d294ed3b668f1c7e41bd7ebe49002a744 category: bugfix bugzilla: 186671,https://gitee.com/src-openeuler/kernel/issues/I56MH6 CVE: CVE-2022-1508 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=8adb751d294ed3b668f1c7e41bd7ebe49002a744 -------------------------------- [ upstream commit cd658695 ] The issue was first described and addressed in 89c2b3b7 ("io_uring: reexpand under-reexpanded iters"), but shortly after reimplemented as. cd658695 ("io_uring: use iov_iter state save/restore helpers"). Here we follow the approach from the second patch but without in-callback resubmissions, fixups for not yet supported in 5.10 short read retries and replacing iov_iter_state with iter copies to not pull even more dependencies, and because it's just much simpler. Signed-off-by: N Pavel Begunkov <asml.silence@gmail.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Guo Xuenan <guoxuenan@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Reviewed-by: N Zhang Yi <yi.zhang@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
2abdc832 · Pavel Begunkov · Zheng Zengkai · db63f1d4 · 2abdc832
隐藏空白更改
内联并排

Showing with 6 addition and 2 deletion

fs/io_uring.c fs/io_uring.c +6 -2

未找到文件。
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -3383,6 +3383,7 @@ static int io_read(struct io_kiocb *req, bool force_nonblock,
 	struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
 	struct kiocb *kiocb = &req->rw.kiocb;
 	struct iov_iter __iter, *iter = &__iter;
+	struct iov_iter iter_cp;
 	struct io_async_rw *rw = req->async_data;
 	ssize_t io_size, ret, ret2;
 	bool no_async;
@@ -3393,6 +3394,7 @@ static int io_read(struct io_kiocb *req, bool force_nonblock,
 	ret = io_import_iovec(READ, req, &iovec, iter, !force_nonblock);
 	if (ret < 0)
 		return ret;
+	iter_cp = *iter;
 	io_size = iov_iter_count(iter);
 	req->result = io_size;
 	ret = 0;
@@ -3428,7 +3430,7 @@ static int io_read(struct io_kiocb *req, bool force_nonblock,
 		if (req->file->f_flags & O_NONBLOCK)
 			goto done;
 		/* some cases will consume bytes even on error returns */
-		iov_iter_revert(iter, io_size - iov_iter_count(iter));
+		*iter = iter_cp;
 		ret = 0;
 		goto copy_iov;
 	} else if (ret < 0) {
@@ -3511,6 +3513,7 @@ static int io_write(struct io_kiocb *req, bool force_nonblock,
 	struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
 	struct kiocb *kiocb = &req->rw.kiocb;
 	struct iov_iter __iter, *iter = &__iter;
+	struct iov_iter iter_cp;
 	struct io_async_rw *rw = req->async_data;
 	ssize_t ret, ret2, io_size;
@@ -3520,6 +3523,7 @@ static int io_write(struct io_kiocb *req, bool force_nonblock,
 	ret = io_import_iovec(WRITE, req, &iovec, iter, !force_nonblock);
 	if (ret < 0)
 		return ret;
+	iter_cp = *iter;
 	io_size = iov_iter_count(iter);
 	req->result = io_size;
@@ -3581,7 +3585,7 @@ static int io_write(struct io_kiocb *req, bool force_nonblock,
 	} else {
 copy_iov:
 		/* some cases will consume bytes even on error returns */
-		iov_iter_revert(iter, io_size - iov_iter_count(iter));
+		*iter = iter_cp;
 		ret = io_setup_async_rw(req, iovec, inline_vecs, iter, false);
 		if (!ret)
 			return -EAGAIN;