diff mbox series

[UBUNTU,OEM-5.17,1/5] io_uring: update res mask in io_poll_check_events

Message ID 20230405000827.2250965-2-cascardo@canonical.com
State New
Headers show
Series CVE-2023-0468 | expand

Commit Message

Thadeu Lima de Souza Cascardo April 5, 2023, 12:08 a.m. UTC 
From: Pavel Begunkov <asml.silence@gmail.com>

[ upstream commit b98186aee22fa593bc8c6b2c5d839c2ee518bc8c ]

When io_poll_check_events() collides with someone attempting to queue a
task work, it'll spin for one more time. However, it'll continue to use
the mask from the first iteration instead of updating it. For example,
if the first wake up was a EPOLLIN and the second EPOLLOUT, the
userspace will not get EPOLLOUT in time.

Clear the mask for all subsequent iterations to force vfs_poll().

Cc: stable@vger.kernel.org
Fixes: aa43477b04025 ("io_uring: poll rework")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/2dac97e8f691231049cb259c4ae57e79e40b537c.1668710222.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 62321dc7b08103259b19a82089fc49f66f1e4ce6 linux-5.15.y)
CVE-2023-0468
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
---
 fs/io_uring.c | 3 +++
 1 file changed, 3 insertions(+)
diff mbox series

Patch

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 5d533c94b593..6cb2d435decf 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -5553,6 +5553,9 @@  static int io_poll_check_events(struct io_kiocb *req, bool locked)
 			return 0;
 		}
 
+		/* force the next iteration to vfs_poll() */
+		req->result = 0;
+
 		/*
 		 * Release all references, retry if someone tried to restart
 		 * task_work while we were executing it.