linux-stable/io_uring
Jens Axboe d9f9317282 io_uring/futex: ensure io_futex_wait() cleans up properly on failure
commit 508c1314b3 upstream.

The io_futex_data is allocated upfront and assigned to the io_kiocb
async_data field, but the request isn't marked with REQ_F_ASYNC_DATA
at that point. Those two should always go together, as the flag tells
io_uring whether the field is valid or not.

Additionally, on failure cleanup, the futex handler frees the data but
does not clear ->async_data. Clear the data and the flag in the error
path as well.

Thanks to Trend Micro Zero Day Initiative and particularly ReDress for
reporting this.

Cc: stable@vger.kernel.org
Fixes: 194bb58c60 ("io_uring: add support for futex wake and wait")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-08-28 16:31:05 +02:00
advise.c
advise.h
alloc_cache.h
cancel.c
cancel.h
epoll.c
epoll.h
eventfd.c io_uring/eventfd: ensure io_eventfd_signal() defers another RCU period 2025-01-17 13:40:58 +01:00
eventfd.h
fdinfo.c io_uring: fix use-after-free of sq->thread in __io_uring_show_fdinfo() 2025-06-19 15:32:33 +02:00
fdinfo.h
filetable.c
filetable.h
fs.c
fs.h
futex.c io_uring/futex: ensure io_futex_wait() cleans up properly on failure 2025-08-28 16:31:05 +02:00
futex.h
io_uring.c io_uring: account drain memory to cgroup 2025-06-27 11:11:13 +01:00
io_uring.h
io-wq.c io_uring: fix task leak issue in io_wq_create() 2025-06-27 11:11:36 +01:00
io-wq.h
kbuf.c io_uring/kbuf: flag partial buffer mappings 2025-07-06 11:01:48 +02:00
kbuf.h io_uring/kbuf: flag partial buffer mappings 2025-07-06 11:01:48 +02:00
Makefile
memmap.c
memmap.h
msg_ring.c io_uring/msg: initialise msg request opcode 2025-05-29 11:02:03 +02:00
msg_ring.h
napi.c
napi.h
net.c io_uring/net: commit partial buffers on retry 2025-08-28 16:31:04 +02:00
net.h
nop.c
nop.h
notif.c
notif.h
opdef.c io_uring: make fallocate be hashed work 2025-07-17 18:37:21 +02:00
opdef.h
openclose.c
openclose.h
poll.c io_uring/poll: fix POLLERR handling 2025-07-24 08:56:23 +02:00
poll.h
refs.h io_uring: always do atomic put from iowq 2025-05-02 07:59:21 +02:00
register.c io_uring: consistently use rcu semantics with sqpoll thread 2025-06-19 15:32:33 +02:00
register.h
rsrc.c io_uring/rsrc: don't rely on user vaddr alignment 2025-07-06 11:01:47 +02:00
rsrc.h io_uring/rsrc: don't rely on user vaddr alignment 2025-07-06 11:01:47 +02:00
rw.c io_uring/rw: cast rw->flags assignment to rwf_t 2025-08-20 18:30:58 +02:00
rw.h
slist.h
splice.c
splice.h
sqpoll.c io_uring/sqpoll: don't put task_struct on tctx setup failure 2025-06-27 11:11:42 +01:00
sqpoll.h io_uring: consistently use rcu semantics with sqpoll thread 2025-06-19 15:32:33 +02:00
statx.c
statx.h
sync.c
sync.h
tctx.c io_uring/tctx: work around xa_store() allocation error issue 2024-12-14 20:04:10 +01:00
tctx.h
timeout.c io_uring/timeout: fix multishot updates 2025-01-17 13:40:51 +01:00
timeout.h
truncate.c
truncate.h
uring_cmd.c io_uring/uring_cmd: remove dead req_has_async_data() check 2025-02-21 14:01:20 +01:00
uring_cmd.h
waitid.c io_uring/waitid: don't abuse io_tw_state 2025-02-21 14:01:20 +01:00
waitid.h
xattr.c
xattr.h