From: Jiufei Xue <[email protected]> commit 95d1c8e5f801e959a89181a2548a3efa60a1a6ce upstream.
While io_sqe_file_register() failed in __io_sqe_files_update(), table->files[i] still point to the original file which may freed soon, and that will trigger use-after-free problems. Cc: [email protected] Fixes: f3bd9dae3708 ("io_uring: fix memleak in __io_sqe_files_update()") Signed-off-by: Jiufei Xue <[email protected]> Signed-off-by: Jens Axboe <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]> --- fs/io_uring.c | 1 + 1 file changed, 1 insertion(+) --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -6957,6 +6957,7 @@ static int __io_sqe_files_update(struct table->files[index] = file; err = io_sqe_file_register(ctx, file, i); if (err) { + table->files[index] = NULL; fput(file); break; }
