Message ID | 20230323163530.1122686-2-cascardo@canonical.com |
---|---|
State | New |
Headers | show |
Series | CVE-2023-0468 | expand |
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index 9541353346f8..3a63cddcb2bf 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -6674,6 +6674,14 @@ static int io_poll_check_events(struct io_kiocb *req, bool *locked) if (v & IO_POLL_CANCEL_FLAG) return -ECANCELED; + /* + * cqe.res contains only events of the first wake up + * and all others are be lost. Redo vfs_poll() to get + * up to date state. + */ + if ((v & IO_POLL_REF_MASK) != 1) + req->cqe.res = 0; + if (!req->cqe.res) { struct poll_table_struct pt = { ._key = req->apoll_events }; req->cqe.res = vfs_poll(req->file, &pt) & req->apoll_events;