From: Dan Carpenter <dan.carpenter@oracle.com>
To: Jens Axboe <axboe@kernel.dk>
Cc: Pavel Begunkov <asml.silence@gmail.com>,
linux-fsdevel@vger.kernel.org, io-uring@vger.kernel.org,
kernel-janitors@vger.kernel.org
Subject: [PATCH] io_uring: fix a use after free in io_async_task_func()
Date: Wed, 8 Jul 2020 21:47:11 +0300
Message-ID: <20200708184711.GA31157@mwanda>
The "apoll" variable is freed and then used on the next line. We need
to move the free down a few lines.
Fixes: 0be0b0e33b0b ("io_uring: simplify io_async_task_func()")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
fs/io_uring.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index 70828e2470e2..f2993070a9e8 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -4652,12 +4652,13 @@ static void io_async_task_func(struct callback_head *cb)
/* restore ->work in case we need to retry again */
if (req->flags & REQ_F_WORK_INITIALIZED)
memcpy(&req->work, &apoll->work, sizeof(req->work));
- kfree(apoll);
if (!READ_ONCE(apoll->poll.canceled))
__io_req_task_submit(req);
else
__io_req_task_cancel(req, -ECANCELED);
+
+ kfree(apoll);
}
static int io_async_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
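Review bot: Within this hunk the only access to apoll after the old kfree() position is `READ_ONCE(apoll->poll.canceled)` on the very next line, so moving the free past the if/else is sufficient as far as these lines show; the commit message would be clearer if it named that access explicitly. Two follow-ups worth confirming before merging: first, `__io_req_task_submit(req)` and `__io_req_task_cancel(req, -ECANCELED)` do not take apoll directly, but whether either reaches it through req is not visible here and should be checked, since the new kfree() now runs after both; second, an alternative that keeps the free close to the last read and makes the ordering harder to break in a later edit is to copy the flag first, e.g. `bool canceled = READ_ONCE(apoll->poll.canceled);` followed by `kfree(apoll);`, and branch on the local. The added blank line before the moved kfree() matches the surrounding style.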
--
2.27.0