From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Fedor Pchelkin
Subject: [PATCH 5.10 79/99] io_uring: avoid null-ptr-deref in io_arm_poll_handler
Date: Mon, 20 Mar 2023 15:54:57 +0100
Message-Id: <20230320145446.714163290@linuxfoundation.org>
In-Reply-To: <20230320145443.333824603@linuxfoundation.org>
References: <20230320145443.333824603@linuxfoundation.org>
X-Mailing-List: stable@vger.kernel.org

From: Fedor Pchelkin

No upstream commit exists for this commit.

The issue was introduced with backporting upstream commit c16bda37594f ("io_uring/poll: allow some retries for poll triggering spuriously").

Memory allocation can possibly fail, causing an invalid pointer to be dereferenced just before comparing it to the NULL value.

Move the pointer check to the proper place (upstream has a similar location of the check). In case the request has the REQ_F_POLLED flag up, apoll can't be NULL, so there is no need to check there.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Signed-off-by: Fedor Pchelkin
Signed-off-by: Greg Kroah-Hartman

--- io_uring/io_uring.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -5792,10 +5792,10 @@ static int io_arm_poll_handler(struct io } } else { apoll = kmalloc(sizeof(*apoll), GFP_ATOMIC); + if (unlikely(!apoll)) + return IO_APOLL_ABORTED; apoll->poll.retries = APOLL_MAX_RETRY; } - if (unlikely(!apoll)) - return IO_APOLL_ABORTED; apoll->double_poll = NULL; req->apoll = apoll; req->flags |= REQ_F_POLLED;
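Review bot: with the `if (unlikely(!apoll))` check moved inside the `else` branch, the branch that closes just before `} else {` now reaches `apoll->double_poll = NULL;` with no NULL check of its own. The commit message says apoll can't be NULL when REQ_F_POLLED is set, but that invariant is not recorded anywhere in the visible code. A one-line comment in that branch, or a `WARN_ON_ONCE(!apoll)` guard there, would make the assumption explicit and keep a later backport from reintroducing the dereference. The new placement in the `else` branch itself looks right: the check now sits between the `kmalloc(sizeof(*apoll), GFP_ATOMIC)` call and the first store, `apoll->poll.retries = APOLL_MAX_RETRY;`, which is the write the old ordering performed before testing the pointer.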