From: Li Lingfeng lilingfeng3@huawei.com
Offering: HULK hulk inclusion category: feature bugzilla: https://gitee.com/src-openeuler/kernel/issues/I6BTWC
-------------------------------
This reverts commit ab45921343c63dc9d461740e23003098697e0333.
We need to apply patch 788d0824269bef (io_uring: import 5.15-stable io_uring) to move io_uring to a separate directory and resolve CVE-2023-0240. The reverted patch fixes a use-after-free (UAF) of io_identity; it can be reverted because io_identity is removed by patch 788d0824269bef.
Signed-off-by: Li Lingfeng lilingfeng3@huawei.com
Reviewed-by: Zhang Yi yi.zhang@huawei.com
Reviewed-by: Wang Weiyang wangweiyang2@huawei.com
Signed-off-by: Jialin Zhang zhangjialin11@huawei.com
---
 fs/io_uring.c | 42 ------------------------------------------
 1 file changed, 42 deletions(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index 4ace89ae4832..2397c2a1d919 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -1364,47 +1364,6 @@ static bool io_identity_cow(struct io_kiocb *req)
 return true;
 }

-static void io_drop_identity(struct io_kiocb *req)
-{
- struct io_identity *id = req->work.identity;
-
- if (req->work.flags & IO_WQ_WORK_MM) {
- mmdrop(id->mm);
- req->work.flags &= ~IO_WQ_WORK_MM;
- }
-#ifdef CONFIG_BLK_CGROUP
- if (req->work.flags & IO_WQ_WORK_BLKCG) {
- css_put(id->blkcg_css);
- req->work.flags &= ~IO_WQ_WORK_BLKCG;
- }
-#endif
- if (req->work.flags & IO_WQ_WORK_CREDS) {
- put_cred(id->creds);
- req->work.flags &= ~IO_WQ_WORK_CREDS;
- }
- if (req->work.flags & IO_WQ_WORK_FILES) {
- put_files_struct(req->work.identity->files);
- put_nsproxy(req->work.identity->nsproxy);
- req->work.flags &= ~IO_WQ_WORK_FILES;
- }
- if (req->work.flags & IO_WQ_WORK_CANCEL)
- req->work.flags &= ~IO_WQ_WORK_CANCEL;
- if (req->work.flags & IO_WQ_WORK_FS) {
- struct fs_struct *fs = id->fs;
-
- spin_lock(&id->fs->lock);
- if (--fs->users)
- fs = NULL;
- spin_unlock(&id->fs->lock);
-
- if (fs)
- free_fs_struct(fs);
- req->work.flags &= ~IO_WQ_WORK_FS;
- }
- if (req->work.flags & IO_WQ_WORK_FSIZE)
- req->work.flags &= ~IO_WQ_WORK_FSIZE;
-}
-
 static bool io_grab_identity(struct io_kiocb *req)
 {
 const struct io_op_def *def = &io_op_defs[req->opcode];
@@ -1510,7 +1469,6 @@ static void io_prep_async_work(struct io_kiocb *req)
 if (io_grab_identity(req))
 return;

- io_drop_identity(req);
 if (!io_identity_cow(req))
 return;