diff options
| author | Matthew Wilcox (Oracle) <willy@infradead.org> | 2021-03-08 15:16:16 +0100 |
|---|---|---|
| committer | Jens Axboe <axboe@kernel.dk> | 2021-03-10 15:28:42 +0100 |
| commit | 61cf93700fe6359552848ed5e3becba6cd760efa (patch) | |
| tree | 52623012243a0159fab920d43f37e696fac2cbd4 /fs/io-wq.c | |
| parent | io_uring: clean R_DISABLED startup mess (diff) | |
| download | linux-61cf93700fe6359552848ed5e3becba6cd760efa.tar.xz linux-61cf93700fe6359552848ed5e3becba6cd760efa.zip | |
io_uring: Convert personality_idr to XArray
You can't call idr_remove() from within a idr_for_each() callback,
but you can call xa_erase() from an xa_for_each() loop, so switch the
entire personality_idr from the IDR to the XArray. This manifests as a
use-after-free as idr_for_each() attempts to walk the rest of the node
after removing the last entry from it.
Fixes: 071698e13ac6 ("io_uring: allow registering credentials")
Cc: stable@vger.kernel.org # 5.6+
Reported-by: yangerkun <yangerkun@huawei.com>
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
[Pavel: rebased (creds load was moved into io_init_req())]
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/7ccff36e1375f2b0ebf73d957f037b43becc0dde.1615212806.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Diffstat (limited to '')
0 files changed, 0 insertions, 0 deletions