io_uring: avoid null-ptr-deref in io_arm_poll_handler
stable inclusion from stable-v5.10.176 commit 84e2e393bf9fa47d134eddaeb8319c755e646f30 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I87BGI Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=84e2e393bf9fa47d134eddaeb8319c755e646f30 -------------------------------- No upstream commit exists for this commit. The issue was introduced with backporting upstream commit c16bda37 ("io_uring/poll: allow some retries for poll triggering spuriously"). Memory allocation can possibly fail causing invalid pointer be dereferenced just before comparing it to NULL value. Move the pointer check in proper place (upstream has the similar location of the check). In case the request has REQ_F_POLLED flag up, apoll can't be NULL so no need to check there. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Signed-off-by:Fedor Pchelkin <pchelkin@ispras.ru> Signed-off-by:
Loading
Please sign in to comment