From patchwork Wed Jun 14 10:42:36 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Thadeu Lima de Souza Cascardo X-Patchwork-Id: 1794909 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=canonical.com header.i=@canonical.com header.a=rsa-sha256 header.s=20210705 header.b=k/hkcDl+; dkim-atps=neutral Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4Qh2BN1Rwzz20QH for ; Wed, 14 Jun 2023 20:45:16 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1q9Nzz-0005Uh-8o; Wed, 14 Jun 2023 10:45:11 +0000 Received: from smtp-relay-canonical-1.internal ([10.131.114.174] helo=smtp-relay-canonical-1.canonical.com) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1q9Nzx-0005Sr-3x for kernel-team@lists.ubuntu.com; Wed, 14 Jun 2023 10:45:09 +0000 Received: from quatroqueijos.. (unknown [179.93.171.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-canonical-1.canonical.com (Postfix) with ESMTPSA id EAB753FD9A for ; Wed, 14 Jun 2023 10:45:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1686739503; bh=H18yuwbfKlo1nr4lhEo8T9GYVDSswfM1G3EOwEOS970=; h=From:To:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=k/hkcDl+kovSOF9GnzQx5+UjxV9BZQX4DEDlnGWT0LBH3fYBwoljuK9GfDZ2mtFXT s7sGNzAfMxXnbqH743o+pZ/TO6dvrH6H+yrUr5GLsjq4truux9MAH61z9DQDI7q7Lf TxqLYbotziFiq0/QAt2cWl5udQke9fxUsGemWbk0Ze/djVN1deH+MPjsOPEaOuKPSt rYKwYOTgq1h2ncjtwSl/xJLoyB+hB8QQ+GNoJdotyAQsXNkordluHUjc+CTfpWo7jw oLgTwqJMicDhaswwikh7YWGw6RqQGDskApy3Wdle3sxE61ojSb8qu6VM6XvT1nd4Pt onEVmOGbzrGtw== From: Thadeu Lima de Souza Cascardo To: kernel-team@lists.ubuntu.com Subject: [SRU OEM-6.1 4/4] io_uring/msg_ring: fix missing lock on overflow for IOPOLL Date: Wed, 14 Jun 2023 07:42:36 -0300 Message-Id: <20230614104237.1948590-5-cascardo@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20230614104237.1948590-1-cascardo@canonical.com> References: <20230614104237.1948590-1-cascardo@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Jens Axboe If the target ring is configured with IOPOLL, then we always need to hold the target ring uring_lock before posting CQEs. We could just grab it unconditionally, but since we don't expect many target rings to be of this type, make grabbing the uring_lock conditional on the ring type. Link: https://lore.kernel.org/io-uring/Y8krlYa52%2F0YGqkg@ip-172-31-85-199.ec2.internal/ Reported-by: Xingyuan Mo Signed-off-by: Jens Axboe (backported from commit e12d7a46f65ae4b7d58a5e0c1cbfa825cf8d830d) [cascardo: no io_msg_tw_complete and io_post_aux_cqe still gets an overflow parameter] CVE-2023-2430 Signed-off-by: Thadeu Lima de Souza Cascardo --- io_uring/msg_ring.c | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/io_uring/msg_ring.c b/io_uring/msg_ring.c index 59a0e5f9fdf9..e0250cec0133 100644 --- a/io_uring/msg_ring.c +++ b/io_uring/msg_ring.c @@ -57,20 +57,29 @@ void io_msg_ring_cleanup(struct io_kiocb *req) msg->src_file = NULL; } -static int io_msg_ring_data(struct io_kiocb *req) +static int io_msg_ring_data(struct io_kiocb *req, unsigned int issue_flags) { struct io_ring_ctx *target_ctx = req->file->private_data; struct io_msg *msg = io_kiocb_to_cmd(req, struct io_msg); + int ret; if (msg->src_fd || msg->dst_fd || msg->flags) return -EINVAL; if (target_ctx->flags & IORING_SETUP_R_DISABLED) return -EBADFD; - if (io_post_aux_cqe(target_ctx, msg->user_data, msg->len, 0, true)) - return 0; - - return -EOVERFLOW; + ret = -EOVERFLOW; + if (target_ctx->flags & IORING_SETUP_IOPOLL) { + if (unlikely(io_double_lock_ctx(target_ctx, issue_flags))) + return -EAGAIN; + if (io_post_aux_cqe(target_ctx, msg->user_data, msg->len, 0, true)) + ret = 0; + io_double_unlock_ctx(target_ctx); + } else { + if (io_post_aux_cqe(target_ctx, msg->user_data, msg->len, 0, true)) + ret = 0; + } + return ret; } static struct file *io_msg_grab_file(struct io_kiocb *req, unsigned int issue_flags) @@ -179,7 +188,7 @@ int io_msg_ring(struct io_kiocb *req, unsigned int issue_flags) switch (msg->cmd) { case IORING_MSG_DATA: - ret = io_msg_ring_data(req); + ret = io_msg_ring_data(req, issue_flags); break; case IORING_MSG_SEND_FD: ret = io_msg_send_fd(req, issue_flags);