From: Jens Axboe axboe@kernel.dk
stable inclusion
from stable-v5.10.155
commit 0f544353fec8e717d37724d95b92538e1de79e86
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I69NMA
CVE: CVE-2022-47946
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
Hunk extracted from commit 70aacfe66136809d7f080f89c492c278298719f4 upstream.
If the sqpoll thread has died, the out condition doesn't remove the waiting task from the waitqueue. The goto and check are not needed, just make it a break condition after setting the error value. That ensures that we always remove ourselves from sqo_sq_wait waitqueue.
Reported-by: Xingyuan Mo hdthky0@gmail.com
Signed-off-by: Jens Axboe axboe@kernel.dk
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: Zhihao Cheng chengzhihao1@huawei.com
Reviewed-by: Zhang Yi yi.zhang@huawei.com
Signed-off-by: Jialin Zhang zhangjialin11@huawei.com
---
 fs/io_uring.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c index 46a896ee2712..3ccd34f4d134 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -9076,7 +9076,7 @@ static int io_sqpoll_wait_sq(struct io_ring_ctx *ctx)
if (unlikely(ctx->sqo_dead)) { ret = -EOWNERDEAD; - goto out; + break; }
if (!io_sqring_full(ctx)) @@ -9086,7 +9086,6 @@ static int io_sqpoll_wait_sq(struct io_ring_ctx *ctx) } while (!signal_pending(current));
finish_wait(&ctx->sqo_sq_wait, &wait); -out: return ret; }
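Review bot: In the first hunk of io_sqpoll_wait_sq(), the commit message says "the goto and check are not needed", yet the `if (unlikely(ctx->sqo_dead))` test stays and only `goto out` becomes `break`. Since this is a hunk extracted from a larger upstream commit, a short backport note saying which check the message refers to would save reviewers a trip to the upstream tree. The control flow itself reads correctly: `break` leaves the do/while loop and falls through to `finish_wait(&ctx->sqo_sq_wait, &wait)`, so the -EOWNERDEAD path no longer returns with the wait entry still queued on sqo_sq_wait.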
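Review bot: In the second hunk, dropping the `out:` label is only safe if no other `goto out` remains in io_sqpoll_wait_sq(); the visible lines show a single user, which the first hunk converts, so please confirm that against the full function in the 5.10 tree. Because bypassing finish_wait() was the bug here, a one-line comment above `finish_wait(&ctx->sqo_sq_wait, &wait);` stating that every exit from the loop must pass through it would guard against a later early return reintroducing the stale waitqueue entry.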