io_uring: don't re-import iovecs from callbacks

stable inclusion from stable-v5.10.119 commit 57d01bcae7041cfb86553091718d12bf36c082aa category: bugfix bugzilla: 186671, https://gitee.com/src-openeuler/kernel/issues/I56MH6 CVE: CVE-2022-1508 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=57d01bcae7041cfb86553091718d12bf36c082aa -------------------------------- We can't re-import or modify iterators from iocb callbacks, it's not safe as it might be reverted and/or reexpanded while unwinding stack. It's also not safe to resubmit as io-wq thread will race with stack undwinding for the iterator and other data. Disallow resubmission from callbacks, it can fail some cases that were handled before, but the possibility of such a failure was a part of the API from the beginning and so it should be fine. Signed-off-by: N Pavel Begunkov <asml.silence@gmail.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Guo Xuenan <guoxuenan@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Reviewed-by: N Zhang Yi <yi.zhang@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

io_uring: don't re-import iovecs from callbacks
stable inclusion from stable-v5.10.119 commit 57d01bcae7041cfb86553091718d12bf36c082aa category: bugfix bugzilla: 186671, https://gitee.com/src-openeuler/kernel/issues/I56MH6 CVE: CVE-2022-1508 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=57d01bcae7041cfb86553091718d12bf36c082aa -------------------------------- We can't re-import or modify iterators from iocb callbacks, it's not safe as it might be reverted and/or reexpanded while unwinding stack. It's also not safe to resubmit as io-wq thread will race with stack undwinding for the iterator and other data. Disallow resubmission from callbacks, it can fail some cases that were handled before, but the possibility of such a failure was a part of the API from the beginning and so it should be fine. Signed-off-by: N Pavel Begunkov <asml.silence@gmail.com> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Guo Xuenan <guoxuenan@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Reviewed-by: N Zhang Yi <yi.zhang@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
fecdd5ba · Pavel Begunkov · Zheng Zengkai · 36976cc7 · fecdd5ba
隐藏空白更改
内联并排

Showing with 0 addition and 39 deletion

fs/io_uring.c fs/io_uring.c +0 -39

未找到文件。
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -2582,45 +2582,6 @@ static void io_complete_rw_common(struct kiocb *kiocb, long res,
 #ifdef CONFIG_BLOCK
 static bool io_resubmit_prep(struct io_kiocb *req, int error)
 {
-	struct iovec inline_vecs[UIO_FASTIOV], *iovec = inline_vecs;
-	ssize_t ret = -ECANCELED;
-	struct iov_iter iter;
-	int rw;
-	if (error) {
-		ret = error;
-		goto end_req;
-	}
-	switch (req->opcode) {
-	case IORING_OP_READV:
-	case IORING_OP_READ_FIXED:
-	case IORING_OP_READ:
-		rw = READ;
-		break;
-	case IORING_OP_WRITEV:
-	case IORING_OP_WRITE_FIXED:
-	case IORING_OP_WRITE:
-		rw = WRITE;
-		break;
-	default:
-		printk_once(KERN_WARNING "io_uring: bad opcode in resubmit %d\n",
-				req->opcode);
-		goto end_req;
-	}
-	if (!req->async_data) {
-		ret = io_import_iovec(rw, req, &iovec, &iter, false);
-		if (ret < 0)
-			goto end_req;
-		ret = io_setup_async_rw(req, iovec, inline_vecs, &iter, false);
-		if (!ret)
-			return true;
-		kfree(iovec);
-	} else {
-		return true;
-	}
-end_req:
 	req_set_fail_links(req);
 	return false;
 }