diff options
| author | Pavel Begunkov <asml.silence@gmail.com> | 2022-01-14 11:59:10 +0000 | 
|---|---|---|
| committer | Jens Axboe <axboe@kernel.dk> | 2022-01-14 06:48:35 -0700 | 
| commit | 791f3465c4afde02d7f16cf7424ca87070b69396 (patch) | |
| tree | ff464f14424cf4a8b26d7c01249635fdfc84c487 /lib/mpi/mpi-div.c | |
| parent | c84b8a3fef663933007e885535591b9d30bdc860 (diff) | |
io_uring: fix UAF due to missing POLLFREE handling
Fixes a problem described in 50252e4b5e989
("aio: fix use-after-free due to missing POLLFREE handling")
and copies the approach used there.
In short, we have to forcibly eject a poll entry when we meet POLLFREE.
We can't rely on io_poll_get_ownership() as can't wait for potentially
running tw handlers, so we use the fact that wqs are RCU freed. See
Eric's patch and comments for more details.
Reported-by: Eric Biggers <ebiggers@google.com>
Link: https://lore.kernel.org/r/20211209010455.42744-6-ebiggers@kernel.org
Reported-and-tested-by: syzbot+5426c7ed6868c705ca14@syzkaller.appspotmail.com
Fixes: 221c5eb233823 ("io_uring: add support for IORING_OP_POLL")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/4ed56b6f548f7ea337603a82315750449412748a.1642161259.git.asml.silence@gmail.com
[axboe: drop non-functional change from patch]
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Diffstat (limited to 'lib/mpi/mpi-div.c')
0 files changed, 0 insertions, 0 deletions
