stable.vger.kernel.org archive mirror
* Patch for 5.10-stable
@ 2022-05-19 12:09 Jens Axboe
  2022-05-19 12:36 ` Greg Kroah-Hartman
  2022-05-19 14:41 ` Lee Jones
  0 siblings, 2 replies; 4+ messages in thread
From: Jens Axboe @ 2022-05-19 12:09 UTC (permalink / raw)
  To: stable, Greg Kroah-Hartman; +Cc: Lee Jones

[-- Attachment #1: Type: text/plain, Size: 72 bytes --]

Hi,

Can we get this queued up for 5.10-stable? Thanks!

-- 
Jens Axboe

[-- Attachment #2: 0001-io_uring-always-grab-file-table-for-deferred-statx.patch --]
[-- Type: text/x-patch, Size: 1499 bytes --]

From b1da21187de121e2ed2dc2e0c70d5aabce469691 Mon Sep 17 00:00:00 2001
From: Jens Axboe <axboe@kernel.dk>
Date: Thu, 19 May 2022 06:05:27 -0600
Subject: [PATCH] io_uring: always grab file table for deferred statx

Lee reports that there's a use-after-free of the process file table.
There's an assumption that we don't need the file table for some
variants of statx invocation, but that turns out to be false and we
end up with not grabbing a reference for the request even if the
deferred execution uses it.

Get rid of the REQ_F_NO_FILE_TABLE optimization for statx, and always
grab that reference.

This issue doesn't exist upstream since the native workers got
introduced with 5.12.

Link: https://lore.kernel.org/io-uring/YoOJ%2FT4QRKC+fAZE@google.com/
Reported-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
---
 fs/io_uring.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 4330603eae35..3ecf71151fb1 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -4252,12 +4252,8 @@ static int io_statx(struct io_kiocb *req, bool force_nonblock)
 	struct io_statx *ctx = &req->statx;
 	int ret;
 
-	if (force_nonblock) {
-		/* only need file table for an actual valid fd */
-		if (ctx->dfd == -1 || ctx->dfd == AT_FDCWD)
-			req->flags |= REQ_F_NO_FILE_TABLE;
+	if (force_nonblock)
 		return -EAGAIN;
-	}
 
 	ret = do_statx(ctx->dfd, ctx->filename, ctx->flags, ctx->mask,
 		       ctx->buffer);
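
Review bot: The rewritten `if (force_nonblock)` branch drops the old comment ("only need file table for an actual valid fd") without leaving anything in its place, so the reason the file table reference is always needed now lives only in the commit message. A one-line comment above `return -EAGAIN;` saying that deferred statx can use the file table even when `ctx->dfd` is -1 or AT_FDCWD would keep someone from reintroducing the REQ_F_NO_FILE_TABLE shortcut later.
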
-- 
2.35.1



* Re: Patch for 5.10-stable
  2022-05-19 12:09 Patch for 5.10-stable Jens Axboe
@ 2022-05-19 12:36 ` Greg Kroah-Hartman
  2022-05-19 12:37   ` Jens Axboe
  2022-05-19 14:41 ` Lee Jones
  1 sibling, 1 reply; 4+ messages in thread
From: Greg Kroah-Hartman @ 2022-05-19 12:36 UTC (permalink / raw)
  To: Jens Axboe; +Cc: stable, Lee Jones

On Thu, May 19, 2022 at 06:09:39AM -0600, Jens Axboe wrote:
> Hi,
> 
> Can we get this queued up for 5.10-stable? Thanks!

Now queued up, thanks.

greg k-h


* Re: Patch for 5.10-stable
  2022-05-19 12:36 ` Greg Kroah-Hartman
@ 2022-05-19 12:37   ` Jens Axboe
  0 siblings, 0 replies; 4+ messages in thread
From: Jens Axboe @ 2022-05-19 12:37 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: stable, Lee Jones

On 5/19/22 6:36 AM, Greg Kroah-Hartman wrote:
> On Thu, May 19, 2022 at 06:09:39AM -0600, Jens Axboe wrote:
>> Hi,
>>
>> Can we get this queued up for 5.10-stable? Thanks!
> 
> Now queued up, thanks.

Thanks Greg!

-- 
Jens Axboe



* Re: Patch for 5.10-stable
  2022-05-19 12:09 Patch for 5.10-stable Jens Axboe
  2022-05-19 12:36 ` Greg Kroah-Hartman
@ 2022-05-19 14:41 ` Lee Jones
  1 sibling, 0 replies; 4+ messages in thread
From: Lee Jones @ 2022-05-19 14:41 UTC (permalink / raw)
  To: Jens Axboe; +Cc: stable, Greg Kroah-Hartman

On Thu, 19 May 2022, Jens Axboe wrote:

> Hi,
> 
> Can we get this queued up for 5.10-stable? Thanks!
> 

> From b1da21187de121e2ed2dc2e0c70d5aabce469691 Mon Sep 17 00:00:00 2001
> From: Jens Axboe <axboe@kernel.dk>
> Date: Thu, 19 May 2022 06:05:27 -0600
> Subject: [PATCH] io_uring: always grab file table for deferred statx
> 
> Lee reports that there's a use-after-free of the process file table.
> There's an assumption that we don't need the file table for some
> variants of statx invocation, but that turns out to be false and we
> end up with not grabbing a reference for the request even if the
> deferred execution uses it.
> 
> Get rid of the REQ_F_NO_FILE_TABLE optimization for statx, and always
> grab that reference.
> 
> This issue doesn't exist upstream since the native workers got
> introduced with 5.12.
> 
> Link: https://lore.kernel.org/io-uring/YoOJ%2FT4QRKC+fAZE@google.com/
> Reported-by: Lee Jones <lee.jones@linaro.org>
> Signed-off-by: Jens Axboe <axboe@kernel.dk>

Tested-by: Lee Jones <lee.jones@linaro.org>

> ---
>  fs/io_uring.c | 6 +-----
>  1 file changed, 1 insertion(+), 5 deletions(-)
> 
> diff --git a/fs/io_uring.c b/fs/io_uring.c
> index 4330603eae35..3ecf71151fb1 100644
> --- a/fs/io_uring.c
> +++ b/fs/io_uring.c
> @@ -4252,12 +4252,8 @@ static int io_statx(struct io_kiocb *req, bool force_nonblock)
>  	struct io_statx *ctx = &req->statx;
>  	int ret;
>  
> -	if (force_nonblock) {
> -		/* only need file table for an actual valid fd */
> -		if (ctx->dfd == -1 || ctx->dfd == AT_FDCWD)
> -			req->flags |= REQ_F_NO_FILE_TABLE;
> +	if (force_nonblock)
>  		return -EAGAIN;
> -	}
>  
>  	ret = do_statx(ctx->dfd, ctx->filename, ctx->flags, ctx->mask,
>  		       ctx->buffer);
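
Review bot: The removed `req->flags |= REQ_F_NO_FILE_TABLE;` line leaves open whether any other opcode handler in fs/io_uring.c still sets that flag on the same "no real fd, so no file table" reasoning. If so, those sites deserve the same lifetime audit that found this use-after-free; if this was the last setter, the flag definition and the code that tests it could go in a follow-up so the skipped-reference path no longer exists in 5.10.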


-- 
Lee Jones [李琼斯]
Principal Technical Lead - Developer Services
Linaro.org │ Open source software for Arm SoCs
Follow Linaro: Facebook | Twitter | Blog

