From: Jens Axboe axboe@kernel.dk

stable inclusion from stable-v5.10.185 commit 4716c73b188566865bdd79c3a6709696a224ac04 category: bugfix bugzilla: 188954, https://gitee.com/src-openeuler/kernel/issues/I5X879?from=project-issue CVE: CVE-2022-3238

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...

----------------------------------------

Snipped from commit 9ca9fb24d5febccea354089c41f96a8ad0d853f8 upstream.

While reworking the poll hashing in the v6.0 kernel, we ended up grabbing the ctx->uring_lock in poll update/removal. This also fixed a bug with linked timeouts racing with timeout expiry and poll removal.

Bring back just the locking fix for that.

Reported-and-tested-by: Querijn Voet querijnqyn@gmail.com Signed-off-by: Jens Axboe axboe@kernel.dk Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Zhong Jinghua zhongjinghua@huawei.com --- io_uring/io_uring.c | 3 +++ 1 file changed, 3 insertions(+)

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index 67cb9d6ec4ac..f6af5ceb517e 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -5811,6 +5811,8 @@ static int io_poll_update(struct io_kiocb *req, unsigned int issue_flags) struct io_kiocb *preq; int ret2, ret = 0;

+ io_ring_submit_lock(ctx, !(issue_flags & IO_URING_F_NONBLOCK)); + spin_lock(&ctx->completion_lock); preq = io_poll_find(ctx, req->poll_update.old_user_data, true); if (!preq || !io_poll_disarm(preq)) { @@ -5842,6 +5844,7 @@ static int io_poll_update(struct io_kiocb *req, unsigned int issue_flags) req_set_fail(req); /* complete update request, we're done with it */ io_req_complete(req, ret); + io_ring_submit_unlock(ctx, !(issue_flags & IO_URING_F_NONBLOCK)); return 0; }