[SRU,OEM-6.0,0/4] CVE-2023-2430

Message ID 20230614215607.2177733-1-cascardo@canonical.com

Message

Thadeu Lima de Souza Cascardo June 14, 2023, 9:56 p.m. UTC
[Impact]
A race condition when sending a MSG_RING operation to an IOPOLL io_uring
may lead to incorrect behavior.

[Test case]
A test case was prepared where incorrect behavior was observed, indicating
a race condition. On 6.0, EAGAIN was observed indicating lock contention,
but successful results were also observed.

[Backport]
Except for the last one, all clean cherry-picks.

[Potential regression]
io_uring users relying on MSG_RING or IOPOLL would be affected.

Jens Axboe (2):
  io_uring/msg_ring: move double lock/unlock helpers higher up
  io_uring/msg_ring: fix missing lock on overflow for IOPOLL

Pavel Begunkov (2):
  io_uring: get rid of double locking
  io_uring: extract a io_msg_install_complete helper

 io_uring/msg_ring.c | 135 +++++++++++++++++++++++++++-----------------
 io_uring/msg_ring.h |   1 +
 io_uring/opdef.c    |   1 +
 3 files changed, 84 insertions(+), 53 deletions(-)

Comments

Tim Gardner June 15, 2023, 2:26 p.m. UTC | #1
On 6/14/23 14:56, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> A race condition when sending a MSG_RING operation to an IOPOLL io_uring
> may lead to incorrect behavior.
> 
> [Test case]
> A test case was prepared where incorrect behavior was observed, indicating
> a race condition. On 6.0, EAGAIN was observed indicating lock contention,
> but successful results were also observed.
> 
> [Backport]
> Except for the last one, all clean cherry-picks.
> 
> [Potential regression]
> io_uring users relying on MSG_RING or IOPOLL would be affected.
> 
> Jens Axboe (2):
>    io_uring/msg_ring: move double lock/unlock helpers higher up
>    io_uring/msg_ring: fix missing lock on overflow for IOPOLL
> 
> Pavel Begunkov (2):
>    io_uring: get rid of double locking
>    io_uring: extract a io_msg_install_complete helper
> 
>   io_uring/msg_ring.c | 135 +++++++++++++++++++++++++++-----------------
>   io_uring/msg_ring.h |   1 +
>   io_uring/opdef.c    |   1 +
>   3 files changed, 84 insertions(+), 53 deletions(-)
> 
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Cengiz Can June 15, 2023, 7:11 p.m. UTC | #2
On Wed, 2023-06-14 at 18:56 -0300, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> A race condition when sending a MSG_RING operation to an IOPOLL io_uring
> may lead to incorrect behavior.
> 
> [Test case]
> A test case was prepared where incorrect behavior was observed, indicating
> a race condition. On 6.0, EAGAIN was observed indicating lock contention,
> but successful results were also observed.
> 
> [Backport]
> Except for the last one, all clean cherry-picks.
> 
> [Potential regression]
> io_uring users relying on MSG_RING or IOPOLL would be affected.
> 
> Jens Axboe (2):
>   io_uring/msg_ring: move double lock/unlock helpers higher up
>   io_uring/msg_ring: fix missing lock on overflow for IOPOLL
> 
> Pavel Begunkov (2):
>   io_uring: get rid of double locking
>   io_uring: extract a io_msg_install_complete helper

Acked-by: Cengiz Can <cengiz.can@canonical.com>

> 
>  io_uring/msg_ring.c | 135 +++++++++++++++++++++++++++-----------------
>  io_uring/msg_ring.h |   1 +
>  io_uring/opdef.c    |   1 +
>  3 files changed, 84 insertions(+), 53 deletions(-)
> 
Timo Aaltonen June 20, 2023, 9:43 a.m. UTC | #3
On 15.6.2023 at 0.56, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> A race condition when sending a MSG_RING operation to an IOPOLL io_uring
> may lead to incorrect behavior.
> 
> [Test case]
> A test case was prepared where incorrect behavior was observed, indicating
> a race condition. On 6.0, EAGAIN was observed indicating lock contention,
> but successful results were also observed.
> 
> [Backport]
> Except for the last one, all clean cherry-picks.
> 
> [Potential regression]
> io_uring users relying on MSG_RING or IOPOLL would be affected.
> 
> Jens Axboe (2):
>    io_uring/msg_ring: move double lock/unlock helpers higher up
>    io_uring/msg_ring: fix missing lock on overflow for IOPOLL
> 
> Pavel Begunkov (2):
>    io_uring: get rid of double locking
>    io_uring: extract a io_msg_install_complete helper
> 
>   io_uring/msg_ring.c | 135 +++++++++++++++++++++++++++-----------------
>   io_uring/msg_ring.h |   1 +
>   io_uring/opdef.c    |   1 +
>   3 files changed, 84 insertions(+), 53 deletions(-)
> 

applied to oem-6.0, thanks