io_uring: fix use-after-free of shadow_req

There is a potential dangling pointer problem. we never clean shadow_req, if there are multiple link lists in this series of sqes, then the shadow_req will not reallocate, and continue to use the last one. but in the previous, his memory has been released, thus forming a dangling pointer. let's clean up him and make sure that every new link list can reapply for a new shadow_req. Fixes: 4fe2c96 ("io_uring: add support for link with drain") Signed-off-by: Jackie Liu <[email protected]> Signed-off-by: Jens Axboe <[email protected]>
amarioguy · Sep 18, 2019 · 5f5ad9c · 5f5ad9c
1 parent 954dab1
commit 5f5ad9c
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/fs/io_uring.c b/fs/io_uring.c
@@ -2357,6 +2357,7 @@ static int io_submit_sqes(struct io_ring_ctx *ctx, struct sqe_submit *sqes,
 			io_queue_link_head(ctx, link, &link->submit, shadow_req,
 						true);
 			link = NULL;
+			shadow_req = NULL;
 		}
 		prev_was_link = (sqes[i].sqe->flags & IOSQE_IO_LINK) != 0;
 
@@ -2543,6 +2544,7 @@ static int io_ring_submit(struct io_ring_ctx *ctx, unsigned int to_submit,
 			io_queue_link_head(ctx, link, &link->submit, shadow_req,
 						force_nonblock);
 			link = NULL;
+			shadow_req = NULL;
 		}
 		prev_was_link = (s.sqe->flags & IOSQE_IO_LINK) != 0;