From: Pavel Begunkov <[email protected]>
To: [email protected]
Cc: Jens Axboe <[email protected]>, [email protected]
Subject: [PATCH for-next 1/4] io_uring: fix poll_add error handling
Date: Tue, 21 Jun 2022 10:08:59 +0100 [thread overview]
Message-ID: <f985e22429cbcb207536b7f4818350c2f2e1b8a4.1655802465.git.asml.silence@gmail.com> (raw)
In-Reply-To: <[email protected]>
We should first look at the return value of __io_arm_poll_handler() and
only if zero checking for ipt.error, not the other way around. Currently
we may enqueue a tw for such request and then release it inline causing
UAF.
Fixes: 9c1d09f56425e ("io_uring: handle completions in the core")
Signed-off-by: Pavel Begunkov <[email protected]>
---
io_uring/poll.c | 9 ++-------
1 file changed, 2 insertions(+), 7 deletions(-)
diff --git a/io_uring/poll.c b/io_uring/poll.c
index 8f4fff76d3b4..528418aaf3f6 100644
--- a/io_uring/poll.c
+++ b/io_uring/poll.c
@@ -782,16 +782,11 @@ int io_poll_add(struct io_kiocb *req, unsigned int issue_flags)
req->flags &= ~REQ_F_HASH_LOCKED;
ret = __io_arm_poll_handler(req, poll, &ipt, poll->events);
- if (ipt.error) {
- return ipt.error;
- } else if (ret > 0) {
+ if (ret) {
io_req_set_res(req, ret, 0);
return IOU_OK;
- } else if (!ret) {
- return IOU_ISSUE_SKIP_COMPLETE;
}
-
- return ret;
+ return ipt.error ?: IOU_ISSUE_SKIP_COMPLETE;
}
int io_poll_remove(struct io_kiocb *req, unsigned int issue_flags)
--
2.36.1
next prev parent reply other threads:[~2022-06-21 9:10 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-21 9:08 [PATCH for-next 0/4] random 5.20 patches Pavel Begunkov
2022-06-21 9:08 ` Pavel Begunkov [this message]
2022-06-21 9:09 ` [PATCH for-next 2/4] io_uring: improve io_run_task_work() Pavel Begunkov
2022-06-21 9:09 ` [PATCH for-next 3/4] io_uring: move list helpers to a separate file Pavel Begunkov
2022-06-21 9:09 ` [PATCH for-next 4/4] io_uring: dedup io_run_task_work Pavel Begunkov
2022-06-21 15:17 ` [PATCH for-next 0/4] random 5.20 patches Jens Axboe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f985e22429cbcb207536b7f4818350c2f2e1b8a4.1655802465.git.asml.silence@gmail.com \
[email protected] \
[email protected] \
[email protected] \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox