io_uring: always grab file table for deferred statx
Lee reports that there's a use-after-free of the process file table. There's an assumption that we don't need the file table for some variants of statx invocation, but that turns out to be false and we end up with not grabbing a reference for the request even if the deferred execution uses it. Get rid of the REQ_F_NO_FILE_TABLE optimization for statx, and always grab that reference. This issues doesn't exist upstream since the native workers got introduced with 5.12. Link: https://lore.kernel.org/io-uring/YoOJ%2FT4QRKC+fAZE@google.com/ Reported-by: Lee Jones <lee.jones@linaro.org> Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Jens Axboe
committed by
Greg Kroah-Hartman
Greg Kroah-Hartman
parent
a1a2c957da
commit
3c48558be5
@@ -4252,12 +4252,8 @@ static int io_statx(struct io_kiocb *req, bool force_nonblock)
|
|||||||
struct io_statx *ctx = &req->statx;
|
struct io_statx *ctx = &req->statx;
|
||||||
int ret;
|
int ret;
|
||||||
|
|
||||||
if (force_nonblock) {
|
if (force_nonblock)
|
||||||
/* only need file table for an actual valid fd */
|
|
||||||
if (ctx->dfd == -1 || ctx->dfd == AT_FDCWD)
|
|
||||||
req->flags |= REQ_F_NO_FILE_TABLE;
|
|
||||||
return -EAGAIN;
|
return -EAGAIN;
|
||||||
}
|
|
||||||
|
|
||||||
ret = do_statx(ctx->dfd, ctx->filename, ctx->flags, ctx->mask,
|
ret = do_statx(ctx->dfd, ctx->filename, ctx->flags, ctx->mask,
|
||||||
ctx->buffer);
|
ctx->buffer);
|
||||||
|
|||||||
Reference in New Issue
Block a user