Re: [PATCH] io_uring: Fix use-after-free in io_sq_wq_submit_work()

On 8/4/20 9:40 PM, Guoyu Huang wrote: > when ctx->sqo_mm is zero, io_sq_wq_submit_work() frees 'req' > without deleting it from 'task_list'. After that, 'req' is > accessed in io_ring_ctx_wait_and_kill() which lead to > a use-after-free. This looks like an old one, that affects 5.4 only. I've

[PATCH] io_uring: Fix use-after-free in io_sq_wq_submit_work()

when ctx->sqo_mm is zero, io_sq_wq_submit_work() frees 'req' without deleting it from 'task_list'. After that, 'req' is accessed in io_ring_ctx_wait_and_kill() which lead to a use-after-free. Signed-off-by: Guoyu Huang --- fs/io_uring.c | 1 + 1 file changed, 1 insertion(+) diff --git