BACKPORT: io_uring: always grab file table for deferred statx
Lee reports that there's a use-after-free of the process file table.
There's an assumption that we don't need the file table for some
variants of statx invocation, but that turns out to be false and we
end up with not grabbing a reference for the request even if the
deferred execution uses it.
Get rid of the REQ_F_NO_FILE_TABLE optimization for statx, and always
grab that reference.
This issues doesn't exist upstream since the native workers got
introduced with 5.12.
Bug: 220738351
Link: https://lore.kernel.org/io-uring/YoOJ%2FT4QRKC+fAZE@google.com/
Reported-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 3c48558be5)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: Ife51536d95368bffdc393ad2a5e737a0e6ddf18f
This commit is contained in:
Jens Axboe
committed by
Treehugger Robot
Treehugger Robot
parent
784cc16aed
commit
843d3cb41b
@@ -4252,12 +4252,8 @@ static int io_statx(struct io_kiocb *req, bool force_nonblock)
|
|||||||
struct io_statx *ctx = &req->statx;
|
struct io_statx *ctx = &req->statx;
|
||||||
int ret;
|
int ret;
|
||||||
|
|
||||||
if (force_nonblock) {
|
if (force_nonblock)
|
||||||
/* only need file table for an actual valid fd */
|
|
||||||
if (ctx->dfd == -1 || ctx->dfd == AT_FDCWD)
|
|
||||||
req->flags |= REQ_F_NO_FILE_TABLE;
|
|
||||||
return -EAGAIN;
|
return -EAGAIN;
|
||||||
}
|
|
||||||
|
|
||||||
ret = do_statx(ctx->dfd, ctx->filename, ctx->flags, ctx->mask,
|
ret = do_statx(ctx->dfd, ctx->filename, ctx->flags, ctx->mask,
|
||||||
ctx->buffer);
|
ctx->buffer);
|
||||||
|
|||||||
Reference in New Issue
Block a user