io_uring: fix fs->users overflow
There is a bunch of cases where we can grab req->fs but not put it, this can be used to cause a controllable overflow with further implications. Release req->fs in the request free path and make sure we zero the field to be sure we don't do it twice. Fixes: cac68d12 ("io_uring: grab ->fs as part of async offload") Reported-by: Bing-Jhong Billy Jheng <billy@starlabs.sg> Signed-off-by: Pavel Begunkov <asml.silence@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
parent
33fcb359
Please register or sign in to comment