| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250319112401.22316-1-sidong.yang@furiosa.ai> Date: Wed, 19 Mar 2025 11:24:01 +0000 From: Sidong Yang <sidong.yang@...iosa.ai> To: Josef Bacik <josef@...icpanda.com>, David Sterba <dsterba@...e.com> Cc: Mark Harmstone <maharmstone@...a.com>, linux-btrfs@...r.kernel.org, linux-kernel@...r.kernel.org, Sidong Yang <sidong.yang@...iosa.ai> Subject: [PATCH 1/1] btrfs: ioctl: don't free iov when -EAGAIN in uring encoded read This patch fixes a bug on encoded_read. In btrfs_uring_encoded_read(), btrfs_encoded_read could return -EAGAIN when receiving requests concurrently. And data->iov goes to out_free and it freed and return -EAGAIN. io-uring subsystem would call it again and it doesn't reset data. And data->iov freed and iov_iter reference it. iov_iter would be used in btrfs_uring_read_finished() and could be raise memory bug. Signed-off-by: Sidong Yang <sidong.yang@...iosa.ai> --- fs/btrfs/ioctl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c index c44e6ce6e5f5..b556db9e7cc4 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -4924,6 +4924,9 @@ static int btrfs_uring_encoded_read(struct io_uring_cmd *cmd, unsigned int issue ret = btrfs_encoded_read(&kiocb, &data->iter, &data->args, &cached_state, &disk_bytenr, &disk_io_size); + + if (ret == -EAGAIN) + goto out_acct; if (ret < 0 && ret != -EIOCBQUEUED) goto out_free; -- 2.43.0
Powered by blists - more mailing lists