Message ID | 20230614215607.2177733-1-cascardo@canonical.com |
---|---|
Series | CVE-2023-2430 |

On 6/14/23 14:56, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> A race condition when sending a MSG_RING operation to an IOPOLL io_uring
> may lead to incorrect behavior.
>
> [Test case]
> A test case was prepared where incorrect behavior was observed, indicating
> a race condition. On 6.0, EAGAIN was observed indicating lock contention,
> but successful results were also observed.
>
> [Backport]
> Except for the last one, all clean cherry-picks.
>
> [Potential regression]
> io_uring users relying on MSG_RING or IOPOLL would be affected.
>
> Jens Axboe (2):
>   io_uring/msg_ring: move double lock/unlock helpers higher up
>   io_uring/msg_ring: fix missing lock on overflow for IOPOLL
>
> Pavel Begunkov (2):
>   io_uring: get rid of double locking
>   io_uring: extract a io_msg_install_complete helper
>
>  io_uring/msg_ring.c | 135 +++++++++++++++++++++++++++-----------------
>  io_uring/msg_ring.h |   1 +
>  io_uring/opdef.c    |   1 +
>  3 files changed, 84 insertions(+), 53 deletions(-)
>

Acked-by: Tim Gardner <tim.gardner@canonical.com>

On Wed, 2023-06-14 at 18:56 -0300, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> A race condition when sending a MSG_RING operation to an IOPOLL
> io_uring
> may lead to incorrect behavior.
>
> [Test case]
> A test case was prepared where incorrect behavior was observed,
> indicating
> a race condition. On 6.0, EAGAIN was observed indicating lock
> contention,
> but successful results were also observed.
>
> [Backport]
> Except for the last one, all clean cherry-picks.
>
> [Potential regression]
> io_uring users relying on MSG_RING or IOPOLL would be affected.
>
> Jens Axboe (2):
>   io_uring/msg_ring: move double lock/unlock helpers higher up
>   io_uring/msg_ring: fix missing lock on overflow for IOPOLL
>
> Pavel Begunkov (2):
>   io_uring: get rid of double locking
>   io_uring: extract a io_msg_install_complete helper

Acked-by: Cengiz Can <cengiz.can@canonical.com>

>
>  io_uring/msg_ring.c | 135 +++++++++++++++++++++++++++---------------
> --
>  io_uring/msg_ring.h |   1 +
>  io_uring/opdef.c    |   1 +
>  3 files changed, 84 insertions(+), 53 deletions(-)
>
> --
> 2.34.1
>
>

Thadeu Lima de Souza Cascardo wrote on 15.6.2023 at 0.56:
> [Impact]
> A race condition when sending a MSG_RING operation to an IOPOLL io_uring
> may lead to incorrect behavior.
>
> [Test case]
> A test case was prepared where incorrect behavior was observed, indicating
> a race condition. On 6.0, EAGAIN was observed indicating lock contention,
> but successful results were also observed.
>
> [Backport]
> Except for the last one, all clean cherry-picks.
>
> [Potential regression]
> io_uring users relying on MSG_RING or IOPOLL would be affected.
>
> Jens Axboe (2):
>   io_uring/msg_ring: move double lock/unlock helpers higher up
>   io_uring/msg_ring: fix missing lock on overflow for IOPOLL
>
> Pavel Begunkov (2):
>   io_uring: get rid of double locking
>   io_uring: extract a io_msg_install_complete helper
>
>  io_uring/msg_ring.c | 135 +++++++++++++++++++++++++++-----------------
>  io_uring/msg_ring.h |   1 +
>  io_uring/opdef.c    |   1 +
>  3 files changed, 84 insertions(+), 53 deletions(-)
>

applied to oem-6.0, thanks