linux/io_uring
Pavel Begunkov 4c17a496a7 io_uring/net: fix cleanup double free free_iov init
Having ->async_data doesn't mean it's initialised and previously we were
relying on setting F_CLEANUP at the right moment. With zc sendmsg
though, we set F_CLEANUP early in prep when we alloc a notif and so we
may allocate async_data, fail in copy_msg_hdr() leaving
struct io_async_msghdr not initialised correctly but with F_CLEANUP
set, which causes a ->free_iov double free and probably other nastiness.

Always initialise ->free_iov. Also, now it might point to fast_iov when
fails, so avoid freeing it during cleanups.

Reported-by: syzbot+edfd15cd4246a3fc615a@syzkaller.appspotmail.com
Fixes: 493108d95f ("io_uring/net: zerocopy sendmsg")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2022-09-26 08:36:50 -06:00
..
advise.c io_uring: make io_kiocb_to_cmd() typesafe 2022-08-12 17:01:00 -06:00
advise.h
alloc_cache.h
cancel.c io_uring: add IORING_SETUP_DEFER_TASKRUN 2022-09-21 10:30:42 -06:00
cancel.h
epoll.c io_uring: make io_kiocb_to_cmd() typesafe 2022-08-12 17:01:00 -06:00
epoll.h
fdinfo.c io_uring/fdinfo: fix sqe dumping for IORING_SETUP_SQE128 2022-09-21 13:15:02 -06:00
fdinfo.h
filetable.c
filetable.h
fs.c io_uring: make io_kiocb_to_cmd() typesafe 2022-08-12 17:01:00 -06:00
fs.h
io_uring.c io_uring: fix CQE reordering 2022-09-23 15:04:20 -06:00
io_uring.h io_uring: fix CQE reordering 2022-09-23 15:04:20 -06:00
io-wq.c
io-wq.h
kbuf.c io_uring: make io_kiocb_to_cmd() typesafe 2022-08-12 17:01:00 -06:00
kbuf.h io_uring: allow buffer recycling in READV 2022-09-21 10:30:43 -06:00
Makefile
msg_ring.c io_uring/msg_ring: check file type before putting 2022-09-15 11:44:35 -06:00
msg_ring.h
net.c io_uring/net: fix cleanup double free free_iov init 2022-09-26 08:36:50 -06:00
net.h io_uring/net: zerocopy sendmsg 2022-09-21 13:15:02 -06:00
nop.c
nop.h
notif.c io_uring/notif: Remove the unused function io_notif_complete() 2022-09-05 11:42:39 -06:00
notif.h io_uring/net: simplify zerocopy send user API 2022-09-01 09:13:33 -06:00
opdef.c io_uring/net: zerocopy sendmsg 2022-09-21 13:15:02 -06:00
opdef.h io_uring: add custom opcode hooks on fail 2022-09-21 13:15:02 -06:00
openclose.c io_uring: make io_kiocb_to_cmd() typesafe 2022-08-12 17:01:00 -06:00
openclose.h
poll.c io_uring: make io_kiocb_to_cmd() typesafe 2022-08-12 17:01:00 -06:00
poll.h
refs.h
rsrc.c io_uring: add IORING_SETUP_DEFER_TASKRUN 2022-09-21 10:30:42 -06:00
rsrc.h Revert "io_uring: rename IORING_OP_FILES_UPDATE" 2022-09-01 09:13:33 -06:00
rw.c io_uring/rw: don't lose partial IO result on fail 2022-09-21 13:15:02 -06:00
rw.h io_uring/rw: don't lose partial IO result on fail 2022-09-21 13:15:02 -06:00
slist.h
splice.c io_uring: make io_kiocb_to_cmd() typesafe 2022-08-12 17:01:00 -06:00
splice.h
sqpoll.c
sqpoll.h
statx.c io_uring: make io_kiocb_to_cmd() typesafe 2022-08-12 17:01:00 -06:00
statx.h
sync.c io_uring: make io_kiocb_to_cmd() typesafe 2022-08-12 17:01:00 -06:00
sync.h
tctx.c
tctx.h
timeout.c io_uring: remove unused return from io_disarm_next 2022-09-21 13:15:01 -06:00
timeout.h io_uring: remove unused return from io_disarm_next 2022-09-21 13:15:01 -06:00
uring_cmd.c io_uring: add iopoll infrastructure for io_uring_cmd 2022-09-21 10:30:42 -06:00
uring_cmd.h
xattr.c io_uring: make io_kiocb_to_cmd() typesafe 2022-08-12 17:01:00 -06:00
xattr.h