!6076 Fix CVE-2024-26764 (fecdf43c) · Commits · EulixOS / Software / Kernel

fs/aio.c

+14 −3

Original line number	Diff line number	Diff line
		@@ -565,13 +565,24 @@ static int aio_setup_ring(struct kioctx *ctx, unsigned int nr_events)

		void kiocb_set_cancel_fn(struct kiocb iocb, kiocb_cancel_fn cancel)
		{
		struct aio_kiocb *req = container_of(iocb, struct aio_kiocb, rw);
		struct kioctx *ctx = req->ki_ctx;
		struct aio_kiocb *req;
		struct kioctx *ctx;
		unsigned long flags;

		/*
		* kiocb didn't come from aio or is neither a read nor a write, hence
		* ignore it.
		*/
		if (!(iocb->ki_flags & IOCB_AIO_RW))
		return;

		req = container_of(iocb, struct aio_kiocb, rw);

		if (WARN_ON_ONCE(!list_empty(&req->ki_list)))
		return;

		ctx = req->ki_ctx;

		spin_lock_irqsave(&ctx->ctx_lock, flags);
		list_add_tail(&req->ki_list, &ctx->active_reqs);
		req->ki_cancel = cancel;
		@@ -1454,7 +1465,7 @@ static int aio_prep_rw(struct kiocb req, const struct iocb iocb)
		req->ki_complete = aio_complete_rw;
		req->private = NULL;
		req->ki_pos = iocb->aio_offset;
		req->ki_flags = iocb_flags(req->ki_filp);
		req->ki_flags = iocb_flags(req->ki_filp) \| IOCB_AIO_RW;
		if (iocb->aio_flags & IOCB_FLAG_RESFD)
		req->ki_flags \|= IOCB_EVENTFD;
		req->ki_hint = ki_hint_validate(file_write_hint(req->ki_filp));

+2 −0

Original line number	Diff line number	Diff line
		@@ -328,6 +328,8 @@ enum rw_hint {
		/* iocb->ki_waitq is valid */
		#define IOCB_WAITQ (1 << 19)
		#define IOCB_NOIO (1 << 20)
		/* kiocb is a read or write operation submitted by fs/aio.c. */
		#define IOCB_AIO_RW (1 << 23)

		struct kiocb {
		struct file *ki_filp;