From patchwork Wed Apr 5 00:08:23 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Thadeu Lima de Souza Cascardo
X-Patchwork-Id: 1765248
From: Thadeu Lima de Souza Cascardo
To: kernel-team@lists.ubuntu.com
Subject: [UBUNTU OEM-6.0 1/5] io_uring: update res mask in io_poll_check_events
Date: Tue, 4 Apr 2023 21:08:23 -0300
Message-Id: <20230405000827.2250965-7-cascardo@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20230405000827.2250965-1-cascardo@canonical.com>
References: <20230405000827.2250965-1-cascardo@canonical.com>
List-Id: Kernel team discussions

From: Pavel Begunkov

When io_poll_check_events() collides with someone attempting to queue a
task work, it'll spin for one more time. However, it'll continue to use
the mask from the first iteration instead of updating it. For example,
if the first wake up was a EPOLLIN and the second EPOLLOUT, the
userspace will not get EPOLLOUT in time.

Clear the mask for all subsequent iterations to force vfs_poll().

Cc: stable@vger.kernel.org
Fixes: aa43477b04025 ("io_uring: poll rework")
Signed-off-by: Pavel Begunkov
Link: https://lore.kernel.org/r/2dac97e8f691231049cb259c4ae57e79e40b537c.1668710222.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe
(cherry picked from commit b98186aee22fa593bc8c6b2c5d839c2ee518bc8c)
CVE-2023-0468
Signed-off-by: Thadeu Lima de Souza Cascardo --- io_uring/poll.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/io_uring/poll.c b/io_uring/poll.c index 0d9f49c575e0..8c7af09a81d8 100644 --- a/io_uring/poll.c +++ b/io_uring/poll.c @@ -256,6 +256,9 @@ static int io_poll_check_events(struct io_kiocb *req, bool *locked) return ret; } + /* force the next iteration to vfs_poll() */ + req->cqe.res = 0; + /* * Release all references, retry if someone tried to restart * task_work while we were executing it.
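Review bot: The new comment above `req->cqe.res = 0;` in io_poll_check_events() says what the store does but not why the old value is wrong. Per the commit message, res still holds the event mask from the first wakeup when the loop retries, so the comment could say so directly, for example "the cached mask is stale once we retry; clear it so the next pass calls vfs_poll()". The hunk also does not show the code that consumes req->cqe.res at the top of the loop, so for this backport it is worth confirming in the OEM-6.0 tree that a zero res is the condition that makes the next iteration call vfs_poll(), since the fix relies on that and the cherry-pick is marked as clean.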