[UBUNTU,Kinetic,1/2] io_uring: fix tw losing poll events

Message ID	20230323163530.1122686-2-cascardo@canonical.com
State	New
Headers	show Return-Path: <kernel-team-bounces@lists.ubuntu.com> From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> To: kernel-team@lists.ubuntu.com Subject: [UBUNTU Kinetic 1/2] io_uring: fix tw losing poll events Date: Thu, 23 Mar 2023 13:35:29 -0300 Message-Id: <20230323163530.1122686-2-cascardo@canonical.com> In-Reply-To: <20230323163530.1122686-1-cascardo@canonical.com> References: <20230323163530.1122686-1-cascardo@canonical.com> MIME-Version: 1.0 Precedence: list Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>
Series	CVE-2023-0468 \| expand [UBUNTU,Kinetic,0/2] CVE-2023-0468 [UBUNTU,Kinetic,1/2] io_uring: fix tw losing poll events [UBUNTU,Kinetic,2/2] io_uring: make poll refs more robust

Message ID

20230323163530.1122686-2-cascardo@canonical.com

State

New

Headers

From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [UBUNTU Kinetic 1/2] io_uring: fix tw losing poll events
Date: Thu, 23 Mar 2023 13:35:29 -0300
Message-Id: <20230323163530.1122686-2-cascardo@canonical.com>
In-Reply-To: <20230323163530.1122686-1-cascardo@canonical.com>
References: <20230323163530.1122686-1-cascardo@canonical.com>
MIME-Version: 1.0
Precedence: list
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

Series

CVE-2023-0468 | expand

Commit Message

Thadeu Lima de Souza Cascardo March 23, 2023, 4:35 p.m. UTC

From: Pavel Begunkov <asml.silence@gmail.com>

We may never try to process a poll wake and its mask if there was
multiple wake ups racing for queueing up a tw. Force
io_poll_check_events() to update the mask by vfs_poll().

Cc: stable@vger.kernel.org
Fixes: aa43477b04025 ("io_uring: poll rework")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/00344d60f8b18907171178d7cf598de71d127b0b.1668710222.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
(backported from commit 539bcb57da2f58886d7d5c17134236b0ec9cd15d)
CVE-2023-0468
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
---
 io_uring/io_uring.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 9541353346f8..3a63cddcb2bf 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -6674,6 +6674,14 @@  static int io_poll_check_events(struct io_kiocb *req, bool *locked)
 		if (v & IO_POLL_CANCEL_FLAG)
 			return -ECANCELED;
 
+		/*
+		 * cqe.res contains only events of the first wake up
+		 * and all others are be lost. Redo vfs_poll() to get
+		 * up to date state.
+		 */
+		if ((v & IO_POLL_REF_MASK) != 1)
+			req->cqe.res = 0;
+
 		if (!req->cqe.res) {
 			struct poll_table_struct pt = { ._key = req->apoll_events };
 			req->cqe.res = vfs_poll(req->file, &pt) & req->apoll_events;

[UBUNTU,Kinetic,1/2] io_uring: fix tw losing poll events

Commit Message

Patch