io_uring: set table->files[i] to NULL when io_sqe_file_register failed

Jiufei Xue · axboe · commit 95d1c8e5f801 · 2020-09-02T09:11:59.000-06:00
While io_sqe_file_register() failed in __io_sqe_files_update(), table->files[i] still point to the original file which may freed soon, and that will trigger use-after-free problems. Cc: stable@vger.kernel.org Fixes: f3bd9da ("io_uring: fix memleak in __io_sqe_files_update()") Signed-off-by: Jiufei Xue <jiufei.xue@linux.alibaba.com> Signed-off-by: Jens Axboe <axboe@kernel.dk>
diff --git a/fs/io_uring.c b/fs/io_uring.c
@@ -7353,6 +7353,7 @@ static int __io_sqe_files_update(struct io_ring_ctx *ctx,
 			table->files[index] = file;
 			err = io_sqe_file_register(ctx, file, i);
 			if (err) {
+				table->files[index] = NULL;
 				fput(file);
 				break;
 			}

Original file line number	Diff line number	Diff line change
`@@ -7353,6 +7353,7 @@ static int __io_sqe_files_update(struct io_ring_ctx *ctx,`
`7353`	`7353`	`table->files[index] = file;`
`7354`	`7354`	`err = io_sqe_file_register(ctx, file, i);`
`7355`	`7355`	`if (err) {`
	`7356`	`+ table->files[index] = NULL;`
`7356`	`7357`	`fput(file);`
`7357`	`7358`	`break;`
`7358`	`7359`	`}`