From: Jens Axboe Date: Fri, 31 Jan 2020 19:06:52 +0000 (-0700) Subject: io_uring: don't map read/write iovec potentially twice X-Git-Tag: v5.5.3~146 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=f9ce114dfbc4d70d09742b5039487e07402cbd8d;p=users%2Fdwmw2%2Flinux.git io_uring: don't map read/write iovec potentially twice commit 5d204bcfa09330972ad3428a8f81c23f371d3e6d upstream. If we have a read/write that is deferred, we already setup the async IO context for that request, and mapped it. When we later try and execute the request and we get -EAGAIN, we don't want to attempt to re-map it. If we do, we end up with garbage in the iovec, which typically leads to an -EFAULT or -EINVAL completion. Cc: stable@vger.kernel.org # 5.5 Reported-by: Dan Melnic Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman --- diff --git a/fs/io_uring.c b/fs/io_uring.c index e54556b0fcc69..c96d0c361ff0d 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -1789,10 +1789,12 @@ static int io_setup_async_rw(struct io_kiocb *req, ssize_t io_size, if (req->opcode == IORING_OP_READ_FIXED || req->opcode == IORING_OP_WRITE_FIXED) return 0; - if (!req->io && io_alloc_async_ctx(req)) - return -ENOMEM; + if (!req->io) { + if (io_alloc_async_ctx(req)) + return -ENOMEM; - io_req_map_rw(req, io_size, iovec, fast_iov, iter); + io_req_map_rw(req, io_size, iovec, fast_iov, iter); + } req->work.func = io_rw_async; return 0; }
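Review bot: The new `if (!req->io) {` block in io_setup_async_rw() treats a non-NULL `req->io` as proof that the iovec was already mapped, but nothing in the code states that invariant; it is only explained in the commit message (deferred requests have already set up and mapped the async context). A short comment above the check would help, for example "req->io already set means the deferred path mapped the iovec; re-mapping would leave garbage in it". Without it, a later cleanup could fold the allocation and the `io_req_map_rw()` call back together and reintroduce the -EFAULT/-EINVAL completions. Also worth confirming in review: when `req->io` is set, the `iovec`, `fast_iov` and `iter` arguments passed to this call are now ignored, while `req->work.func = io_rw_async;` is still assigned unconditionally, so the function's contract for its callers has changed and should be documented at the function header.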