NACK: [SRU][N][PATCH 1/1] io_uring: fix io_req_prep_async with provided buffers

[Jacob Martin]

On 5/6/25 6:39 PM, Tim Whisonant wrote:
> From: Pavel Begunkov <asml.silence at gmail.com>
> 
> io_req_prep_async() can import provided buffers, commit the ring state
> by giving up on that before, it'll be reimported later if needed.
> 
> Reported-by: Muhammad Ramdhan <ramdhan at starlabs.sg>
> Reported-by: Bing-Jhong Billy Jheng <billy at starlabs.sg>
> Reported-by: Jacob Soo <jacob.soo at starlabs.sg>
> Fixes: c7fb19428d67d ("io_uring: add support for ring mapped supplied buffers")
> Signed-off-by: Pavel Begunkov <asml.silence at gmail.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
> (cherry picked from commit a94592ec30ff67dc36c424327f1e0a9ceeeb9bd3)

The cherry pick source commit ID does not appear in the mainline repo. 
Instead it appears to be in stable branch linux-6.6.y, so it needs this 
branch noted.

Jacob

> CVE-2025-40364
> Signed-off-by: Tim Whisonant <tim.whisonant at canonical.com>
> ---
>   io_uring/io_uring.c | 5 ++++-
>   1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
> index 0de090a24f10a..79e32caf0740e 100644
> --- a/io_uring/io_uring.c
> +++ b/io_uring/io_uring.c
> @@ -1802,6 +1802,7 @@ int io_req_prep_async(struct io_kiocb *req)
>   {
>   	const struct io_cold_def *cdef = &io_cold_defs[req->opcode];
>   	const struct io_issue_def *def = &io_issue_defs[req->opcode];
> +	int ret;
>   
>   	/* assign early for deferred execution for non-fixed file */
>   	if (def->needs_file && !(req->flags & REQ_F_FIXED_FILE) && !req->file)
> @@ -1814,7 +1815,9 @@ int io_req_prep_async(struct io_kiocb *req)
>   		if (io_alloc_async_data(req))
>   			return -EAGAIN;
>   	}
> -	return cdef->prep_async(req);
> +	ret = cdef->prep_async(req);
> +	io_kbuf_recycle(req, 0);
> +	return ret;
>   }
>   
>   static u32 io_get_sequence(struct io_kiocb *req)