io_uring: Fix use-after-free in io_sq_wq_submit_work()

when ctx->sqo_mm is zero, io_sq_wq_submit_work() frees 'req' without deleting it from 'task_list'. After that, 'req' is accessed in io_ring_ctx_wait_and_kill() which lead to a use-after-free. Signed-off-by: Guoyu Huang <hgy5945@gmail.com> Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
xanmod · Aug 11, 2020 · e8053c6 · e8053c6
1 parent a4d61e6
commit e8053c6
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/fs/io_uring.c b/fs/io_uring.c
@@ -2232,6 +2232,7 @@ static void io_sq_wq_submit_work(struct work_struct *work)
 		if (io_req_needs_user(req) && !cur_mm) {
 			if (!mmget_not_zero(ctx->sqo_mm)) {
 				ret = -EFAULT;
+				goto end_req;
 			} else {
 				cur_mm = ctx->sqo_mm;
 				use_mm(cur_mm);