diff options
| author | Pavel Begunkov <asml.silence@gmail.com> | 2020-06-29 13:13:03 +0300 |
|---|---|---|
| committer | Jens Axboe <axboe@kernel.dk> | 2020-06-30 08:39:59 -0600 |
| commit | ecfc51777487da4da530710e0b13de4c8cb4a6d2 (patch) | |
| tree | 60ebb91b5fb2e09fb274d9e0d8db2c47128029a6 | |
| parent | 8eb7e2d00763367f345ef0b2a2eb4f8001ae40ce (diff) | |
| download | lwn-ecfc51777487da4da530710e0b13de4c8cb4a6d2.tar.gz lwn-ecfc51777487da4da530710e0b13de4c8cb4a6d2.zip | |
io_uring: fix potential use after free on fallback request free
After __io_free_req() puts a ctx ref, it should be assumed that the ctx
may already be gone. However, it can be accessed when putting the
fallback req. Free the req first and then put the ctx.
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
| -rw-r--r-- | fs/io_uring.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/fs/io_uring.c b/fs/io_uring.c index 8495c17b53d6..b54e358e6b31 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -1526,12 +1526,15 @@ static void io_dismantle_req(struct io_kiocb *req) static void __io_free_req(struct io_kiocb *req) { + struct io_ring_ctx *ctx; + io_dismantle_req(req); - percpu_ref_put(&req->ctx->refs); + ctx = req->ctx; if (likely(!io_is_fallback_req(req))) kmem_cache_free(req_cachep, req); else - clear_bit_unlock(0, (unsigned long *) &req->ctx->fallback_req); + clear_bit_unlock(0, (unsigned long *) &ctx->fallback_req); + percpu_ref_put(&ctx->refs); } static bool io_link_cancel_timeout(struct io_kiocb *req) |