io_uring: Fix use-after-free in io_sq_wq_submit_work()

when ctx->sqo_mm is zero, io_sq_wq_submit_work() frees 'req'
without deleting it from 'task_list'. After that, 'req' is
accessed in io_ring_ctx_wait_and_kill() which lead to
a use-after-free.

Signed-off-by: Guoyu Huang <hgy5945@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 8bb5e19b7c3c665cd85d2aafeeb3fb8ea5e81061..be3d595a607f4102a6f12defa741896c2bd92f8b 100644 (file)
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -2232,6 +2232,7 @@ restart:
                if (io_req_needs_user(req) && !cur_mm) {
                        if (!mmget_not_zero(ctx->sqo_mm)) {
                                ret = -EFAULT;
+                               goto end_req;
                        } else {
                                cur_mm = ctx->sqo_mm;
                                use_mm(cur_mm);