From: Sasha Levin Date: Mon, 23 Mar 2020 17:11:49 +0000 (-0400) Subject: Fixes for 5.5 X-Git-Tag: v4.19.113~20 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3b7eb544ecaad56ffd1e488ccffeffa57df48f05;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.5 Signed-off-by: Sasha Levin --- diff --git a/queue-5.5/io_uring-null-deref-for-iosqe_-async-drain.patch b/queue-5.5/io_uring-null-deref-for-iosqe_-async-drain.patch new file mode 100644 index 00000000000..bf44868241a --- /dev/null +++ b/queue-5.5/io_uring-null-deref-for-iosqe_-async-drain.patch 
@@ -0,0 +1,54 @@ +From 1325f2b13129a8ddaff0ba4d000b37e065144dde Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Mar 2020 22:29:14 +0300 +Subject: io_uring: NULL-deref for IOSQE_{ASYNC,DRAIN} + +From: Pavel Begunkov + +[ Upstream commit f1d96a8fcbbbb22d4fbc1d69eaaa678bbb0ff6e2 ] + +Processing links, io_submit_sqe() prepares requests, drops sqes, and +passes them with sqe=NULL to io_queue_sqe(). There IOSQE_DRAIN and/or +IOSQE_ASYNC requests will go through the same prep, which doesn't expect +sqe=NULL and fail with NULL pointer deference. + +Always do full prepare including io_alloc_async_ctx() for linked +requests, and then it can skip the second preparation. + +Cc: stable@vger.kernel.org # 5.5 +Signed-off-by: Pavel Begunkov +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/io_uring.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/fs/io_uring.c b/fs/io_uring.c +index 44ae2641b4b06..faa0198c99ffd 100644 +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -3098,6 +3098,9 @@ static int io_req_defer_prep(struct io_kiocb *req, + { + ssize_t ret = 0; + ++ if (!sqe) ++ return 0; ++ + switch (req->opcode) { + case IORING_OP_NOP: + break; +@@ -3681,6 +3684,11 @@ static bool io_submit_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe, + req->flags |= REQ_F_HARDLINK; + + INIT_LIST_HEAD(&req->link_list); ++ ++ if (io_alloc_async_ctx(req)) { ++ ret = -EAGAIN; ++ goto err_req; ++ } + ret = io_req_defer_prep(req, sqe); + if (ret) + req->flags |= REQ_F_FAIL_LINK; +-- +2.20.1 + diff --git a/queue-5.5/series b/queue-5.5/series index ca1fb4874e9..ef154bc34c6 100644 --- a/queue-5.5/series +++ b/queue-5.5/series @@ -100,3 +100,4 @@ mm-slub-be-more-careful-about-the-double-cmpxchg-of-freelist.patch mm-slub-prevent-kmalloc_node-crashes-and-memory-leaks.patch page-flags-fix-a-crash-at-setpageerror-thp_swap.patch x86-mm-split-vmalloc_sync_all.patch +io_uring-null-deref-for-iosqe_-async-drain.patch
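Review bot: the early `if (!sqe) return 0;` at the top of io_req_defer_prep() turns a NULL sqe into an unconditional success, so any future caller that passes sqe=NULL for a request that was not already fully prepared gets 0 back instead of an error; a one-line comment saying that NULL means io_submit_sqe() has already run the full prep (including the async ctx allocation) for the link path would make that contract explicit for later readers. Since the commit message describes this as a NULL pointer dereference fix reachable through IOSQE_DRAIN/IOSQE_ASYNC on linked requests, it would also be worth pairing the change with a regression test that submits a link chain carrying those flags.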
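Review bot: the new io_alloc_async_ctx() failure path in io_submit_sqe() sets ret = -EAGAIN and jumps to err_req, whereas the io_req_defer_prep() failure just below it only sets REQ_F_FAIL_LINK and carries on; if that difference is intentional (the request cannot be queued as a link at all without its async ctx), a short comment would help, and -ENOMEM may be the more accurate code for an allocation failure unless the file's other io_alloc_async_ctx() callers already return -EAGAIN, which these lines do not show.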