io_uring: fix fs->users overflow

There are a bunch of cases where we can grab req->fs but not put it; this
can be used to cause a controllable overflow with further implications.

Release req->fs in the request free path and make sure we zero the field
to be sure we don't do it twice.

Fixes: cac68d12c531 ("io_uring: grab ->fs as part of async offload")
Reported-by: Bing-Jhong Billy Jheng <firstname.lastname@example.org>
Signed-off-by: Pavel Begunkov <email@example.com>
Signed-off-by: Greg Kroah-Hartman <firstname.lastname@example.org>
(cherry picked from commit 1a623d361ffe5cecd4244a02f449528416360038)
Signed-off-by: Robert Kolchmeyer <email@example.com>
RELEASE_NOTE=Fixed CVE-2022-1116 in the Linux kernel.
Reviewed-by: Roy Yang <firstname.lastname@example.org>
Reviewed-by: Oleksandr Tymoshenko <email@example.com>
Tested-by: Cusky Presubmit Bot <firstname.lastname@example.org>
1 file changed
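
The imbalance the commit message describes, shown as an added user-space model that is not the kernel patch or any code from this commit. All names (`fs_model`, `req_model`, `run_requests`) are hypothetical, and the counter is deliberately 8 bits wide so the wrap is visible after a few hundred requests.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model, not kernel code: every identifier here is hypothetical. */
struct fs_model  { uint8_t users; };        /* narrow on purpose: wraps at 256 */
struct req_model { struct fs_model *fs; };

/* A request takes a reference on the shared fs object. */
static void req_grab_fs(struct req_model *req, struct fs_model *fs)
{
    fs->users++;
    req->fs = fs;
}

/* Pre-fix shape: the free path never puts req->fs, so one reference leaks. */
static void req_free_leaky(struct req_model *req) { (void)req; }

/* Post-fix shape: put the reference in the free path and zero the field,
 * so a second pass through the free path cannot put it again. */
static void req_free_fixed(struct req_model *req)
{
    if (req->fs) {
        req->fs->users--;
        req->fs = NULL;
    }
}

/* Run n grab/free cycles and return the final count (owner holds 1). */
unsigned run_requests(unsigned n, int fixed)
{
    struct fs_model fs = { .users = 1 };
    for (unsigned i = 0; i < n; i++) {
        struct req_model req = { NULL };
        req_grab_fs(&req, &fs);
        if (fixed) {
            req_free_fixed(&req);
            req_free_fixed(&req);   /* no-op: field was zeroed */
        } else {
            req_free_leaky(&req);
        }
    }
    return fs.users;
}

int main(void)
{
    printf("leaky, 10 reqs:  users=%u\n", run_requests(10, 0));
    printf("leaky, 255 reqs: users=%u\n", run_requests(255, 0));
    printf("fixed, 255 reqs: users=%u\n", run_requests(255, 1));
    return 0;
}
```

In the leaky run the count reaches 0 while the owner's reference is still live, which is the state a reference counter must never report; in the fixed run it stays at the owner's single reference no matter how many requests complete.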