Re: [syzbot] [fs?] KASAN: slab-use-after-free Read in sys_io_cancel
From: Edward Adam Davis
Date: Sun Mar 03 2024 - 05:00:19 EST
please test uaf in sys_io_cancel
#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
diff --git a/fs/aio.c b/fs/aio.c
index 28223f511931..0fed22ed9eb8 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -1762,9 +1762,8 @@ static void aio_poll_complete_work(struct work_struct *work)
} /* else, POLLFREE has freed the waitqueue, so we must complete */
list_del_init(&iocb->ki_list);
iocb->ki_res.res = mangle_poll(mask);
- spin_unlock_irq(&ctx->ctx_lock);
-
iocb_put(iocb);
+ spin_unlock_irq(&ctx->ctx_lock);
}
/* assumes we are called with irqs disabled */
@@ -2198,7 +2197,6 @@ SYSCALL_DEFINE3(io_cancel, aio_context_t, ctx_id, struct iocb __user *, iocb,
break;
}
}
- spin_unlock_irq(&ctx->ctx_lock);
/*
* The result argument is no longer used - the io_event is always
@@ -2206,6 +2204,7 @@ SYSCALL_DEFINE3(io_cancel, aio_context_t, ctx_id, struct iocb __user *, iocb,
*/
if (ret == 0 && kiocb->rw.ki_flags & IOCB_AIO_RW)
aio_complete_rw(&kiocb->rw, -EINTR);
+ spin_unlock_irq(&ctx->ctx_lock);
percpu_ref_put(&ctx->users);