Kernel/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-12-29 01:05:29 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
dbd2ca9367
linux-stable/include
History
Jann Horn 12d908116f io_uring: Fix registered ring file refcount leak 
Currently, io_uring_unreg_ringfd() (which cleans up registered rings) is
only called on exit, but __io_uring_free (which frees the tctx in which the
registered ring pointers are stored) is also called on execve (via
begin_new_exec -> io_uring_task_cancel -> __io_uring_cancel ->
io_uring_cancel_generic -> __io_uring_free).

This means: A process going through execve while having registered rings
will leak references to the rings' `struct file`.

Fix it by zapping registered rings on execve(). This is implemented by
moving the io_uring_unreg_ringfd() from io_uring_files_cancel() into its
callee __io_uring_cancel(), which is called from io_uring_task_cancel() on
execve.

This could probably be exploited *on 32-bit kernels* by leaking 2^32
references to the same ring, because the file refcount is stored in a
pointer-sized field and get_file() doesn't have protection against
refcount overflow, just a WARN_ONCE(); but on 64-bit it should have no
impact beyond a memory leak.

Cc: stable@vger.kernel.org
Fixes: e7a6c00dc7 ("io_uring: add support for registering ring file descriptors")
Signed-off-by: Jann Horn <jannh@google.com>
Link: https://lore.kernel.org/r/20241218-uring-reg-ring-cleanup-v1-1-8f63e999045b@google.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2024-12-18 18:19:33 -07:00
..
acpi common: switch back from remove_new() to remove() callback 2024-11-25 17:31:39 -08:00
asm-generic - Fix a case where posix timers with a thread-group-wide target would miss 2024-12-01 12:41:21 -08:00
clocksource
crypto This update includes the following changes: 2024-11-19 10:28:41 -08:00
cxl
drm drm for 6.13-rc1 2024-11-21 14:56:17 -08:00
dt-bindings Char/Misc/IIO/Whatever driver subsystem updates for 6.13-rc1 2024-11-29 11:58:27 -08:00
keys
kunit module: Convert symbol namespace to string literal 2024-12-02 11:34:44 -08:00
kvm KVM: arm64: vgic: Kill VGIC_MAX_PRIVATE definition 2024-11-20 17:21:08 -08:00
linux io_uring: Fix registered ring file refcount leak 2024-12-18 18:19:33 -07:00
math-emu
media
memory
misc
net Kbuild updates for v6.13 2024-11-30 13:41:50 -08:00
pcmcia
ras
rdma
rv
scsi Random number generator updates for Linux 6.13-rc1. 2024-11-19 10:43:44 -08:00
soc The core framework gained a clk provider helper, a clk consumer helper, and 2024-11-22 17:02:25 -08:00
sound ALSA: hda/tas2781: Add speaker id check for ASUS projects 2024-11-26 08:54:08 +01:00
target
trace NFS client updates for Linux 6.13 2024-11-30 10:17:53 -08:00
uapi io_uring-6.13-20242901 2024-11-30 15:43:02 -08:00
ufs
vdso
video - Improved handling of LCD power states and interactions with the fbdev subsystem. 2024-11-22 16:29:57 -08:00
xen