From c1c03ee7957ec178756cae09c39d77194e8cddb7 Mon Sep 17 00:00:00 2001
From: Jens Axboe
Date: Tue, 14 Jan 2025 09:44:21 -0700
Subject: [PATCH] io_uring/rsrc: fixup io_clone_buffers() error handling

Jann reports he can trigger a UAF if the target ring unregisters buffers before the clone operation is fully done. And additionally also an issue related to node allocation failures. Both of those stemp from the fact that the cleanup logic puts the buffers manually, rather than just relying on io_rsrc_data_free() doing it.

Hence kill the manual cleanup code and just let io_rsrc_data_free() handle it, it'll put the nodes appropriately.

Reported-by: Jann Horn
Fixes: 3597f2786b68 ("io_uring/rsrc: unify file and buffer resource tables")
Signed-off-by: Jens Axboe
---
 io_uring/rsrc.c | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/io_uring/rsrc.c b/io_uring/rsrc.c
index 077f84684c18a..69937d0c94f95 100644
--- a/io_uring/rsrc.c
+++ b/io_uring/rsrc.c
@@ -997,7 +997,7 @@ static int io_clone_buffers(struct io_ring_ctx *ctx, struct io_ring_ctx *src_ctx
 dst_node = io_rsrc_node_alloc(ctx, IORING_RSRC_BUFFER);
 if (!dst_node) {
 ret = -ENOMEM;
- goto out_put_free;
+ goto out_unlock;
 }
 
 refcount_inc(&src_node->buf->refs);
@@ -1033,14 +1033,6 @@ static int io_clone_buffers(struct io_ring_ctx *ctx, struct io_ring_ctx *src_ctx
 mutex_lock(&src_ctx->uring_lock);
 /* someone raced setting up buffers, dump ours */
 ret = -EBUSY;
-out_put_free:
- i = data.nr;
- while (i--) {
- if (data.nodes[i]) {
- io_buffer_unmap(src_ctx, data.nodes[i]);
- kfree(data.nodes[i]);
- }
- }
 out_unlock:
 io_rsrc_data_free(ctx, &data);
 mutex_unlock(&src_ctx->uring_lock);
-- 
2.39.5
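Review bot: Both hunks now route the -ENOMEM and -EBUSY failures through `out_unlock`, where `io_rsrc_data_free(ctx, &data)` puts nodes that were allocated against `ctx` while only `src_ctx->uring_lock` is visibly held; if the node put path asserts or relies on `ctx->uring_lock` (as the rest of the resource code does), that lock ordering needs confirming, since the surrounding lines that drop and re-take `ctx->uring_lock` lie outside these hunks. The change itself is sound in that `io_rsrc_data_free()` replaces the hand-rolled unmap/kfree loop that could touch a buffer already unregistered by the target ring, and the nodes partially filled on the -ENOMEM path are released the same way. A one-line comment above the label would help the next reader, e.g. `/* data.nodes[] may be partially filled; io_rsrc_data_free() puts every node, dropping the buf refs taken above */`. If the local `i` was used only by the removed loop it is now an unused variable, but its remaining uses are not visible here. The enclosing io_clone_buffers() starts before the first hunk and its return path continues after the second.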