Description
In the Linux kernel, the following vulnerability has been resolved: io_uring/kbuf: check if target buffer list is still legacy on recycle There's a gap between when the buffer was grabbed and when it potentially gets recycled, where if the list is empty, someone could've upgraded it to a ring provided type. This can happen if the request is forced via io-wq. The legacy recycling is missing checking if the buffer_list still exists, and if it's of the correct type. Add those checks.
Product status
c7fb19428d67dd0a2a78a4f237af01d39c78dc5a (git) before a7b33671e418fca507feebd1d56e7f4952a4b25c
c7fb19428d67dd0a2a78a4f237af01d39c78dc5a (git) before 439a6728ec4641ffad1ca796622c19bc525e570f
c7fb19428d67dd0a2a78a4f237af01d39c78dc5a (git) before f3fb54e7a8b4aadcc2836ee463eec8c88709b8aa
c7fb19428d67dd0a2a78a4f237af01d39c78dc5a (git) before 50ad880db3013c6fee0ef13781762a39e2e7ef83
c7fb19428d67dd0a2a78a4f237af01d39c78dc5a (git) before 97b57f69fee1b61b41acbf37e7720cac9d389fa4
c7fb19428d67dd0a2a78a4f237af01d39c78dc5a (git) before c2c185be5c85d37215397c8e8781abf0a69bec1f
5.19
Any version before 5.19
6.1.167 (semver)
6.6.130 (semver)
6.12.78 (semver)
6.18.19 (semver)
6.19.9 (semver)
7.0 (original_commit_for_fix)
References
git.kernel.org/...c/a7b33671e418fca507feebd1d56e7f4952a4b25c
git.kernel.org/...c/439a6728ec4641ffad1ca796622c19bc525e570f
git.kernel.org/...c/f3fb54e7a8b4aadcc2836ee463eec8c88709b8aa
git.kernel.org/...c/50ad880db3013c6fee0ef13781762a39e2e7ef83
git.kernel.org/...c/97b57f69fee1b61b41acbf37e7720cac9d389fa4
git.kernel.org/...c/c2c185be5c85d37215397c8e8781abf0a69bec1f