[SRU][N][PATCH 1/1] io_uring: fix io_req_prep_async with provided buffers

[Tim Whisonant]

From: Pavel Begunkov <asml.silence at gmail.com>

io_req_prep_async() can import provided buffers, commit the ring state
by giving up on that before, it'll be reimported later if needed.

Reported-by: Muhammad Ramdhan <ramdhan at starlabs.sg>
Reported-by: Bing-Jhong Billy Jheng <billy at starlabs.sg>
Reported-by: Jacob Soo <jacob.soo at starlabs.sg>
Fixes: c7fb19428d67d ("io_uring: add support for ring mapped supplied buffers")
Signed-off-by: Pavel Begunkov <asml.silence at gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
(cherry picked from commit a94592ec30ff67dc36c424327f1e0a9ceeeb9bd3)
CVE-2025-40364
Signed-off-by: Tim Whisonant <tim.whisonant at canonical.com>
---
 io_uring/io_uring.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 0de090a24f10a..79e32caf0740e 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -1802,6 +1802,7 @@ int io_req_prep_async(struct io_kiocb *req)
 {
 	const struct io_cold_def *cdef = &io_cold_defs[req->opcode];
 	const struct io_issue_def *def = &io_issue_defs[req->opcode];
+	int ret;
 
 	/* assign early for deferred execution for non-fixed file */
 	if (def->needs_file && !(req->flags & REQ_F_FIXED_FILE) && !req->file)
@@ -1814,7 +1815,9 @@ int io_req_prep_async(struct io_kiocb *req)
 		if (io_alloc_async_data(req))
 			return -EAGAIN;
 	}
-	return cdef->prep_async(req);
+	ret = cdef->prep_async(req);
+	io_kbuf_recycle(req, 0);
+	return ret;
 }
 
 static u32 io_get_sequence(struct io_kiocb *req)
-- 
2.43.0