author: Pavel Begunkov <asml.silence@gmail.com> 2022-01-14 14:59:10 +0300
committer: Jens Axboe <axboe@kernel.dk> 2022-01-14 16:48:35 +0300
commit: 791f3465c4afde02d7f16cf7424ca87070b69396
tree: ff464f14424cf4a8b26d7c01249635fdfc84c487 /tools/perf/scripts/python/stackcollapse.py
parent: c84b8a3fef663933007e885535591b9d30bdc860
io_uring: fix UAF due to missing POLLFREE handling

Fixes a problem described in 50252e4b5e989 ("aio: fix use-after-free due to missing POLLFREE handling") and copies the approach used there.

In short, we have to forcibly eject a poll entry when we meet POLLFREE. We can't rely on io_poll_get_ownership() as we can't wait for potentially running tw handlers, so we use the fact that wqs are RCU freed. See Eric's patch and comments for more details.

Reported-by: Eric Biggers <ebiggers@google.com>
Link: https://lore.kernel.org/r/20211209010455.42744-6-ebiggers@kernel.org
Reported-and-tested-by: syzbot+5426c7ed6868c705ca14@syzkaller.appspotmail.com
Fixes: 221c5eb233823 ("io_uring: add support for IORING_OP_POLL")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/4ed56b6f548f7ea337603a82315750449412748a.1642161259.git.asml.silence@gmail.com
[axboe: drop non-functional change from patch]
Signed-off-by: Jens Axboe <axboe@kernel.dk>

Diffstat (limited to 'tools/perf/scripts/python/stackcollapse.py')
0 files changed, 0 insertions, 0 deletions