io_uring: fix openat/statx's filename leak (0bdbdd08) · Commits · 戴 / test

fs/io_uring.c

+6 −0

Original line number	Original line	Diff line number	Diff line
	@@ -2560,6 +2560,8 @@ static int io_openat_prep(struct io_kiocb req, const struct io_uring_sqe sqe)
	return -EINVAL;		return -EINVAL;
	if (sqe->flags & IOSQE_FIXED_FILE)		if (sqe->flags & IOSQE_FIXED_FILE)
	return -EBADF;		return -EBADF;
			if (req->flags & REQ_F_NEED_CLEANUP)
			return 0;

	req->open.dfd = READ_ONCE(sqe->fd);		req->open.dfd = READ_ONCE(sqe->fd);
	req->open.how.mode = READ_ONCE(sqe->len);		req->open.how.mode = READ_ONCE(sqe->len);
	@@ -2588,6 +2590,8 @@ static int io_openat2_prep(struct io_kiocb req, const struct io_uring_sqe sqe)
	return -EINVAL;		return -EINVAL;
	if (sqe->flags & IOSQE_FIXED_FILE)		if (sqe->flags & IOSQE_FIXED_FILE)
	return -EBADF;		return -EBADF;
			if (req->flags & REQ_F_NEED_CLEANUP)
			return 0;

	req->open.dfd = READ_ONCE(sqe->fd);		req->open.dfd = READ_ONCE(sqe->fd);
	fname = u64_to_user_ptr(READ_ONCE(sqe->addr));		fname = u64_to_user_ptr(READ_ONCE(sqe->addr));
	@@ -2787,6 +2791,8 @@ static int io_statx_prep(struct io_kiocb req, const struct io_uring_sqe sqe)
	return -EINVAL;		return -EINVAL;
	if (sqe->flags & IOSQE_FIXED_FILE)		if (sqe->flags & IOSQE_FIXED_FILE)
	return -EBADF;		return -EBADF;
			if (req->flags & REQ_F_NEED_CLEANUP)
			return 0;

	req->open.dfd = READ_ONCE(sqe->fd);		req->open.dfd = READ_ONCE(sqe->fd);
	req->open.mask = READ_ONCE(sqe->len);		req->open.mask = READ_ONCE(sqe->len);