From: Jens Axboe <axboe@kernel.dk> stable inclusion from stable-v6.6.57 commit f4ce3b5d26ce149e77e6b8e8f2058aa80e5b034e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRF9 CVE: CVE-2024-50060 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- [ Upstream commit eac2ca2d682f94f46b1973bdf5e77d85d77b8e53 ] In terms of normal application usage, this list will always be empty. And if an application does overflow a bit, it'll have a few entries. However, nothing obviously prevents syzbot from running a test case that generates a ton of overflow entries, and then flushing them can take quite a while. Check for needing to reschedule while flushing, and drop our locks and do so if necessary. There's no state to maintain here as overflows always prune from head-of-list, hence it's fine to drop and reacquire the locks at the end of the loop. Link: https://lore.kernel.org/io-uring/66ed061d.050a0220.29194.0053.GAE@google.com... Reported-by: syzbot+5fca234bd7eb378ff78e@syzkaller.appspotmail.com Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Baokun Li <libaokun1@huawei.com> --- io_uring/io_uring.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index 31d8565fad28..69f5b73a609e 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -705,6 +705,21 @@ static void __io_cqring_overflow_flush(struct io_ring_ctx *ctx) memcpy(cqe, &ocqe->cqe, cqe_size); list_del(&ocqe->list); kfree(ocqe); + + /* + * For silly syzbot cases that deliberately overflow by huge + * amounts, check if we need to resched and drop and + * reacquire the locks if so. Nothing real would ever hit this. + * Ideally we'd have a non-posting unlock for this, but hard + * to care for a non-real case. + */ + if (need_resched()) { + io_cq_unlock_post(ctx); + mutex_unlock(&ctx->uring_lock); + cond_resched(); + mutex_lock(&ctx->uring_lock); + io_cq_lock(ctx); + } } if (list_empty(&ctx->cq_overflow_list)) { -- 2.46.1