io_uring/net: ensure vectored buffer node import is tied to notification

commit f6041803a831266a2a5a5b5af66f7de0845bcbf3 upstream.

When support for vectored registered buffers was added, the import
itself is using 'req' rather than the notification io_kiocb, sr->notif.
For non-vectored imports, sr->notif is correctly used. This is important
as the lifetime of the two may be different. Use the correct io_kiocb
for the vectored buffer import.

Cc: stable@vger.kernel.org
Fixes: 23371eac7d9a ("io_uring/net: implement vectored reg bufs for zctx")
Reported-by: Google Big Sleep <big-sleep-vuln-reports+bigsleep-463332873@google.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/io_uring/net.c b/io_uring/net.c
index d69f2afa4f7af51489316be5a7c77843cb957748..1f35f01661e77f297e8545b3c565ad54d96b2040 100644 (file)
--- a/io_uring/net.c
+++ b/io_uring/net.c
@@ -1542,8 +1542,10 @@ int io_sendmsg_zc(struct io_kiocb *req, unsigned int issue_flags)
                unsigned uvec_segs = kmsg->msg.msg_iter.nr_segs;
                int ret;
 
-               ret = io_import_reg_vec(ITER_SOURCE, &kmsg->msg.msg_iter, req,
-                                       &kmsg->vec, uvec_segs, issue_flags);
+               sr->notif->buf_index = req->buf_index;
+               ret = io_import_reg_vec(ITER_SOURCE, &kmsg->msg.msg_iter,
+                                       sr->notif, &kmsg->vec, uvec_segs,
+                                       issue_flags);
                if (unlikely(ret))
                        return ret;
                req->flags &= ~REQ_F_IMPORT_BUFFER;