[lvc-project] Patch "io_uring: avoid null-ptr-deref in io_arm_poll_handler" has been added to the 5.4-stable tree

gregkh at linuxfoundation.org gregkh at linuxfoundation.org
Mon Mar 20 16:38:43 MSK 2023


This is a note to let you know that I've just added the patch titled

    io_uring: avoid null-ptr-deref in io_arm_poll_handler

to the 5.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     io_uring-avoid-null-ptr-deref-in-io_arm_poll_handler.patch
and it can be found in the queue-5.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable at vger.kernel.org> know about it.


From pchelkin at ispras.ru  Mon Mar 20 14:30:30 2023
From: Fedor Pchelkin <pchelkin at ispras.ru>
Date: Thu, 16 Mar 2023 21:56:16 +0300
Subject: io_uring: avoid null-ptr-deref in io_arm_poll_handler
To: Jens Axboe <axboe at kernel.dk>, Greg Kroah-Hartman <gregkh at linuxfoundation.org>, stable at vger.kernel.org
Cc: Fedor Pchelkin <pchelkin at ispras.ru>, linux-kernel at vger.kernel.org, Alexey Khoroshilov <khoroshilov at ispras.ru>, lvc-project at linuxtesting.org
Message-ID: <20230316185616.271024-1-pchelkin at ispras.ru>

From: Fedor Pchelkin <pchelkin at ispras.ru>

No upstream commit exists for this commit.

The issue was introduced with backporting upstream commit c16bda37594f
("io_uring/poll: allow some retries for poll triggering spuriously").

Memory allocation can possibly fail, causing an invalid pointer to be
dereferenced just before comparing it to the NULL value.

Move the pointer check to the proper place (upstream has a similar location
for the check). In case the request has the REQ_F_POLLED flag set, apoll can't
be NULL, so there is no need to check there.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Signed-off-by: Fedor Pchelkin <pchelkin at ispras.ru>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
---
 io_uring/io_uring.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 445afda927f4..fd799567fc23 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -5792,10 +5792,10 @@ static int io_arm_poll_handler(struct io_kiocb *req)
 		}
 	} else {
 		apoll = kmalloc(sizeof(*apoll), GFP_ATOMIC);
+		if (unlikely(!apoll))
+			return IO_APOLL_ABORTED;
 		apoll->poll.retries = APOLL_MAX_RETRY;
 	}
-	if (unlikely(!apoll))
-		return IO_APOLL_ABORTED;
 	apoll->double_poll = NULL;
 	req->apoll = apoll;
 	req->flags |= REQ_F_POLLED;
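Review bot: the hunk's context shows only the closing brace of the REQ_F_POLLED branch, so a reader of the diff cannot see why no NULL check remains on that path; consider a one-line comment at the `apoll = req->apoll` assignment in that branch (the commit message states that apoll can't be NULL there) so the guard is not reintroduced or dropped in a later backport. The ordering itself is correct: `apoll->poll.retries = APOLL_MAX_RETRY` now sits after `if (unlikely(!apoll))`, and `IO_APOLL_ABORTED` is returned before `req->apoll` or `REQ_F_POLLED` are touched, so a failed GFP_ATOMIC allocation leaves the request unmodified. Since the regression came from the stable backport rather than from upstream, a Fixes: tag naming the 5.4 backport commit of c16bda37594f would let the stable tooling track the dependency.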
-- 
2.34.1
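The defect the patch describes, an allocation result dereferenced before it is compared with NULL, is easy to reproduce outside the kernel with a fault-injecting allocator. The following is an added example written for this note, not code from the patch or from io_uring: the struct names, `fake_kmalloc`, `set_retries` and the two `arm_poll_*` functions are constructed stand-ins that keep only the control flow of the hunk above, and `set_retries` records a would-be NULL dereference instead of crashing so both orderings can be exercised side by side.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for the kernel definitions (not io_uring's own). */
#define REQ_F_POLLED     (1u << 0)
#define APOLL_MAX_RETRY  3
#define IO_APOLL_ABORTED (-1)
#define IO_APOLL_OK      0

struct io_poll_iocb { unsigned int retries; };
struct async_poll   { struct io_poll_iocb poll; void *double_poll; };
struct io_kiocb     { unsigned int flags; struct async_poll *apoll; };

/* Fault-injecting allocator: returns NULL once when fail_next_alloc is set,
 * modelling kmalloc(GFP_ATOMIC) failing under memory pressure. */
static bool fail_next_alloc;
static void *fake_kmalloc(size_t n)
{
    if (fail_next_alloc) { fail_next_alloc = false; return NULL; }
    return calloc(1, n);
}

/* Stands in for "apoll->poll.retries = APOLL_MAX_RETRY"; records a NULL
 * dereference instead of faulting so the buggy ordering can be observed. */
static bool null_deref_observed;
static void set_retries(struct async_poll *apoll)
{
    if (!apoll) { null_deref_observed = true; return; }
    apoll->poll.retries = APOLL_MAX_RETRY;
}

/* Ordering before the patch: the NULL check comes after the first use. */
static int arm_poll_before(struct io_kiocb *req)
{
    struct async_poll *apoll;
    if (req->flags & REQ_F_POLLED) {
        apoll = req->apoll;
    } else {
        apoll = fake_kmalloc(sizeof(*apoll));
        set_retries(apoll);          /* dereferences apoll ...          */
    }
    if (!apoll)                      /* ... before this check runs      */
        return IO_APOLL_ABORTED;
    apoll->double_poll = NULL;
    req->apoll = apoll;
    req->flags |= REQ_F_POLLED;
    return IO_APOLL_OK;
}

/* Ordering after the patch: check the allocation before touching it. */
static int arm_poll_after(struct io_kiocb *req)
{
    struct async_poll *apoll;
    if (req->flags & REQ_F_POLLED) {
        apoll = req->apoll;          /* set on an earlier pass, never NULL */
    } else {
        apoll = fake_kmalloc(sizeof(*apoll));
        if (!apoll)
            return IO_APOLL_ABORTED; /* request left untouched on failure */
        set_retries(apoll);
    }
    apoll->double_poll = NULL;
    req->apoll = apoll;
    req->flags |= REQ_F_POLLED;
    return IO_APOLL_OK;
}

/* Runs fn on a fresh request with the allocation forced to fail;
 * returns fn's result and leaves null_deref_observed set if NULL was used. */
static int rc_with_alloc_failure(int (*fn)(struct io_kiocb *))
{
    struct io_kiocb req;
    memset(&req, 0, sizeof(req));
    fail_next_alloc = true;
    null_deref_observed = false;
    return fn(&req);
}

/* True if fn dereferences the NULL allocation result before checking it. */
static bool derefs_null_on_alloc_failure(int (*fn)(struct io_kiocb *))
{
    rc_with_alloc_failure(fn);
    return null_deref_observed;
}

/* Runs fn with a working allocator; returns 1 if the request is armed
 * with the retry budget set, 0 otherwise. */
static int armed_with_alloc_success(int (*fn)(struct io_kiocb *))
{
    struct io_kiocb req;
    memset(&req, 0, sizeof(req));
    fail_next_alloc = false;
    int rc = fn(&req);
    int ok = rc == IO_APOLL_OK && (req.flags & REQ_F_POLLED) &&
             req.apoll && req.apoll->poll.retries == APOLL_MAX_RETRY;
    free(req.apoll);
    return ok;
}
```

Both orderings return IO_APOLL_ABORTED when the allocation fails, which is why the bug is invisible in a successful run and in the return value; only the fault-injecting allocator exposes that the pre-patch ordering touches the NULL pointer first. The same injection hook is how such a report is reproduced deterministically once Syzkaller has found it.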



Patches currently in stable-queue which might be from pchelkin at ispras.ru are

queue-5.4/nfc-pn533-initialize-struct-pn533_out_arg-properly.patch
queue-5.4/io_uring-avoid-null-ptr-deref-in-io_arm_poll_handler.patch


