Commit ecfc5177 authored by Pavel Begunkov, committed by Jens Axboe

io_uring: fix potential use after free on fallback request free
After __io_free_req() puts a ctx ref, it should be assumed that the ctx
may already be gone. However, it can be accessed when putting the
fallback req. Free the req first and then put the ctx.

Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
parent 8eb7e2d0
@@ -1526,12 +1526,15 @@ static void io_dismantle_req(struct io_kiocb *req)

static void __io_free_req(struct io_kiocb *req)
{
	struct io_ring_ctx *ctx;

	io_dismantle_req(req);
	percpu_ref_put(&req->ctx->refs);
	ctx = req->ctx;
	if (likely(!io_is_fallback_req(req)))
		kmem_cache_free(req_cachep, req);
	else
		clear_bit_unlock(0, (unsigned long *) &req->ctx->fallback_req);
		clear_bit_unlock(0, (unsigned long *) &ctx->fallback_req);
	percpu_ref_put(&ctx->refs);
}

static bool io_link_cancel_timeout(struct io_kiocb *req)
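Review bot: the reordering is right, but the constraint it encodes is invisible in the code and deserves a comment above the final `percpu_ref_put(&ctx->refs);`. Both branches can make `req` unusable before the ctx ref is dropped: `kmem_cache_free(req_cachep, req)` frees it outright, and `clear_bit_unlock(0, (unsigned long *) &ctx->fallback_req)` publishes the fallback req for reuse by another submitter, so a later `req->ctx` read (the old code's `&req->ctx->fallback_req` form) would dereference either freed memory or a req that now belongs to someone else. Caching `ctx = req->ctx;` before either branch, and putting the ctx ref only after the req is gone, is what makes this safe; a one-line comment such as `/* req may be freed or reused below; ctx ref must be put last */` would keep a future change from moving the put back up. It is also worth confirming that `io_dismantle_req(req)` does not itself drop a ctx ref, since this function now relies on holding that ref across the whole body.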