On 1/22/23 8:43 AM, Alviro Iskandar Setiawan wrote:
On Sun, Jan 22, 2023 at 9:44 PM gregkh@linuxfoundation.org wrote:
The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to stable@vger.kernel.org.
That uninitialized read is living in the 5.10.y branch now https://github.com/gregkh/linux/blob/v5.10.162/io_uring/io_uring.c#L4989-L50...
If this:
ret = import_single_range(READ, buf, sr->len, &iov, &msg.msg_iter);
fails, this one (flags & MSG_WAITALL) may read an uninitialized variable because @flags is uninitialized.
Fortunately, if import_single_range() fails, (ret < min_ret) is always true, so this:
ret < min_ret || ((flags & MSG_WAITALL)
will always short circuit. But no one tells the compiler that @ret is always less than @min_ret in that case. So it can't prove that @flags is never actually read. That still falls under undefined behavior anyway; the compiler may emit "ud2" or a similar trap for that or behave randomly. IDK...
Now handled for both trees.
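The shape Alviro describes above, reduced to a stand-alone C model (added here as an illustration; this is not the kernel's io_uring code, and import_single_range(), sock_recvmsg() and the MSG_* values are replaced by constructed stand-ins). The buggy and hardened callers differ only in whether `flags` has an initializer; the fix shown is an assumed one, not necessarily the patch that was merged.

```c
#include <errno.h>
#include <stddef.h>

/* Constructed stand-ins for the kernel values; not the real io_uring code. */
#define MSG_WAITALL_FLAG 0x100
#define MSG_TRUNC_FLAG   0x20

/* Stand-in for import_single_range(): fails with -EFAULT on a zero-length buffer. */
static int fake_import_single_range(size_t len)
{
    return len ? 0 : -EFAULT;
}

/* Shape of io_recv() from the thread. 'flags' lives in the caller so the two
 * callers below differ only in whether it is initialized. On import failure we
 * jump to out_free, where the '||' right operand reads *flags; at run time
 * ret < min_ret short-circuits it, but the compiler cannot prove that. */
static int io_recv_body(size_t len, unsigned int req_flags,
                        unsigned int *flags, int *failed)
{
    unsigned int msg_flags = 0;
    int ret, min_ret = 0;

    ret = fake_import_single_range(len);
    if (ret)
        goto out_free;
    *flags = req_flags;
    if (*flags & MSG_WAITALL_FLAG)
        min_ret = (int)len;
    ret = (int)len;                  /* stand-in for sock_recvmsg(): got it all */
out_free:
    *failed = ret < min_ret ||
              ((*flags & MSG_WAITALL_FLAG) && (msg_flags & MSG_TRUNC_FLAG));
    return ret;
}

/* Buggy caller: 'flags' is indeterminate on the early-exit path (UB). */
static int io_recv_before(size_t len, unsigned int req_flags, int *failed)
{
    unsigned int flags;              /* BUG: no initializer */
    return io_recv_body(len, req_flags, &flags, failed);
}

/* Hardened caller (assumed fix): a definite value on every path. */
static int io_recv_after(size_t len, unsigned int req_flags, int *failed)
{
    unsigned int flags = 0;          /* FIX: defined before any path reads it */
    return io_recv_body(len, req_flags, &flags, failed);
}
```

Compiling the model with -Wall or running it under a sanitizer such as MemorySanitizer is the practical way to surface the read in io_recv_before; the success path is well-defined for both callers.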