From: Dan Carpenter Date: Wed, 8 Jul 2020 18:47:11 +0000 (+0300) Subject: io_uring: fix a use after free in io_async_task_func() X-Git-Tag: v5.9-rc1~212^2~52 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=aa340845ae6f019e0a12321a1741c14679bb0664;p=thirdparty%2Flinux.git io_uring: fix a use after free in io_async_task_func() The "apoll" variable is freed and then used on the next line. We need to move the free down a few lines. Fixes: 0be0b0e33b0b ("io_uring: simplify io_async_task_func()") Signed-off-by: Dan Carpenter Signed-off-by: Jens Axboe --- diff --git a/fs/io_uring.c b/fs/io_uring.c index 4c9a494c9f9fa..14168fbc7d797 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -4655,12 +4655,13 @@ static void io_async_task_func(struct callback_head *cb) /* restore ->work in case we need to retry again */ if (req->flags & REQ_F_WORK_INITIALIZED) memcpy(&req->work, &apoll->work, sizeof(req->work)); - kfree(apoll); if (!READ_ONCE(apoll->poll.canceled)) __io_req_task_submit(req); else __io_req_task_cancel(req, -ECANCELED); + + kfree(apoll); } static int io_async_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
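Review bot: moving kfree(apoll) below the if/else is sound as far as the hunk shows, since the removed `- kfree(apoll);` sat directly above `if (!READ_ONCE(apoll->poll.canceled))`, which dereferences the just-freed pointer; the one thing to confirm is that neither __io_req_task_submit(req) nor __io_req_task_cancel(req, -ECANCELED) can free apoll on their own (for instance through the request's own teardown), because with the free now placed after those calls that would turn the use-after-free into a double free. An alternative that keeps the free next to the memcpy and avoids holding a to-be-freed pointer across the submit/cancel calls is to latch the flag first, `bool canceled = READ_ONCE(apoll->poll.canceled); kfree(apoll);`, and branch on `canceled`; either way the commit message could say why the free has to follow the submit/cancel path rather than just "a few lines" down.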