Commit eb75cbd7 authored Apr 26, 2023 by Jens Axboe Committed by Jialin Zhang Apr 26, 2023

io_uring: ensure that io_init_req() passes in the right issue_flags

stable inclusion
from stable-v5.10.172
commit da24142b1ef9fd5d36b76e36bab328a5b27523e8
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6V7V1
CVE: CVE-2023-1872

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=da24142b1ef9fd5d36b76e36bab328a5b27523e8



--------------------------------

We can't use 0 here, as io_init_req() is always invoked with the
ctx uring_lock held. Newer kernels have IO_URING_F_UNLOCKED for this,
but previously we used IO_URING_F_NONBLOCK to indicate this as well.

Fixes: 08681391b84d ("io_uring: add missing lock in io_get_file_fixed")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: ZhaoLong Wang <wangzhaolong1@huawei.com>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>

parent d5f06f27

io_uring/io_uring.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -7005,7 +7005,8 @@ static int io_init_req(struct io_ring_ctx ctx, struct io_kiocb req,

		if (io_op_defs[req->opcode].needs_file) {
		req->file = io_file_get(ctx, req, READ_ONCE(sqe->fd),
		(sqe_flags & IOSQE_FIXED_FILE), 0);
		(sqe_flags & IOSQE_FIXED_FILE),
		IO_URING_F_NONBLOCK);
		if (unlikely(!req->file))
		ret = -EBADF;
		}