io_uring/rsrc: fixup io_clone_buffers() error handling

Jann reports he can trigger a UAF if the target ring unregisters
buffers before the clone operation is fully done. And additionally
also an issue related to node allocation failures. Both of those
stemp from the fact that the cleanup logic puts the buffers manually,
rather than just relying on io_rsrc_data_free() doing it. Hence kill
the manual cleanup code and just let io_rsrc_data_free() handle it,
it'll put the nodes appropriately.

Reported-by: Jann Horn <jannh@google.com>
Fixes: 3597f2786b68 ("io_uring/rsrc: unify file and buffer resource tables")
Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/io_uring/rsrc.c b/io_uring/rsrc.c
index 077f84684c18a0b3f5e622adb4978b6a00353b2f..69937d0c94f9518a2fd2cde1e5b2e7139078e1d3 100644 (file)
--- a/io_uring/rsrc.c
+++ b/io_uring/rsrc.c
@@ -997,7 +997,7 @@ static int io_clone_buffers(struct io_ring_ctx *ctx, struct io_ring_ctx *src_ctx
                        dst_node = io_rsrc_node_alloc(ctx, IORING_RSRC_BUFFER);
                        if (!dst_node) {
                                ret = -ENOMEM;
-                               goto out_put_free;
+                               goto out_unlock;
                        }
 
                        refcount_inc(&src_node->buf->refs);
@@ -1033,14 +1033,6 @@ static int io_clone_buffers(struct io_ring_ctx *ctx, struct io_ring_ctx *src_ctx
        mutex_lock(&src_ctx->uring_lock);
        /* someone raced setting up buffers, dump ours */
        ret = -EBUSY;
-out_put_free:
-       i = data.nr;
-       while (i--) {
-               if (data.nodes[i]) {
-                       io_buffer_unmap(src_ctx, data.nodes[i]);
-                       kfree(data.nodes[i]);
-               }
-       }
 out_unlock:
        io_rsrc_data_free(ctx, &data);
        mutex_unlock(&src_ctx->uring_lock);