From: Jens Axboe <axboe@kernel.dk>

stable inclusion
from stable-v5.10.125
commit df3f3bb5059d20ef094d6b2f0256c4bf4127a859
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5IM3T
CVE: CVE-2022-2327
--------------------------------
Any read/write should grab current->nsproxy, denoted by IO_WQ_WORK_FILES as it refers to current->files as well, and connect and recv/recvmsg, send/sendmsg should grab current->fs which is denoted by IO_WQ_WORK_FS.
No upstream commit exists for this issue.
Reported-by: Bing-Jhong Billy Jheng <billy@starlabs.sg>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Conflicts:
1. read/write already grab current->nsproxy, thus don't modify read/write related ops.
2. 'work_flags' doesn't exist, io_op_def is using field 'needs_fs' to decide if 'current->fs' should be grabbed.

Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
---
 fs/io_uring.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/fs/io_uring.c b/fs/io_uring.c index 8a96b7df4112..d4e430b51098 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -816,6 +816,7 @@ static const struct io_op_def io_op_defs[] = { .async_ctx = 1, .needs_mm = 1, .needs_file = 1, + .needs_fs = 1, .unbound_nonreg_file = 1, .pollout = 1, }, @@ -864,12 +865,14 @@ static const struct io_op_def io_op_defs[] = { [IORING_OP_SEND] = { .needs_mm = 1, .needs_file = 1, + .needs_fs = 1, .unbound_nonreg_file = 1, .pollout = 1, }, [IORING_OP_RECV] = { .needs_mm = 1, .needs_file = 1, + .needs_fs = 1, .unbound_nonreg_file = 1, .pollin = 1, .buffer_select = 1,
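Review bot: In the first hunk (@@ -816,6 +816,7 @@) the context lines do not include the opcode label, so it is not visible which io_op_defs entry gains .needs_fs = 1. The commit message names connect alongside send/recv; name the entry in the Conflicts section, or regenerate the diff with more context (for example -U8), so a reader can match this hunk to the message without opening fs/io_uring.c.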
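Review bot: The second hunk (@@ -864,12 +865,14 @@) sets .needs_fs = 1 on IORING_OP_SEND and IORING_OP_RECV only, while the commit message says recvmsg and sendmsg must also grab current->fs. Conflicts item 1 explains why the read/write entries are untouched, but nothing explains why the sendmsg/recvmsg entries are. If they already carry .needs_fs = 1 in this tree, say so as a third Conflicts item; otherwise they need the same line.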