Commit 43a7aef4 authored by Jens Axboe, committed by Zhong Jinghua

io_uring: hold uring mutex around poll removal

stable inclusion
from stable-v5.10.185
commit 4716c73b188566865bdd79c3a6709696a224ac04
category: bugfix
bugzilla: 188954, https://gitee.com/src-openeuler/kernel/issues/I7GVI5?from=project-issue
CVE: CVE-2023-3389

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4716c73b188566865bdd79c3a6709696a224ac04



----------------------------------------

Snipped from commit 9ca9fb24 upstream.

While reworking the poll hashing in the v6.0 kernel, we ended up
grabbing the ctx->uring_lock in poll update/removal. This also fixed
a bug with linked timeouts racing with timeout expiry and poll
removal.

Bring back just the locking fix for that.

Reported-and-tested-by: Querijn Voet <querijnqyn@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Zhong Jinghua <zhongjinghua@huawei.com>
parent ece86c7b
+3 −0
@@ -5811,6 +5811,8 @@ static int io_poll_update(struct io_kiocb *req, unsigned int issue_flags)
	struct io_kiocb *preq;
	int ret2, ret = 0;

	io_ring_submit_lock(ctx, !(issue_flags & IO_URING_F_NONBLOCK));

	spin_lock(&ctx->completion_lock);
	preq = io_poll_find(ctx, req->poll_update.old_user_data, true);
	if (!preq || !io_poll_disarm(preq)) {
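Review bot: The new io_ring_submit_lock(ctx, !(issue_flags & IO_URING_F_NONBLOCK)) call at the top of io_poll_update carries no comment saying why the ring mutex is required or why it is skipped when IO_URING_F_NONBLOCK is set. A short comment above it would help the next backporter: that ctx->uring_lock serialises poll update/removal against linked timeout handling (the race named in the commit message), that the conditional relies on the non-blocking issue path already holding the lock, and that the mutex is deliberately taken before spin_lock(&ctx->completion_lock) so the sleeping lock is never acquired under the spinlock. The subject line also says "poll removal" while the visible change is in io_poll_update; a word in the message on how removal reaches this function in this tree would remove the ambiguity.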
@@ -5842,6 +5844,7 @@ static int io_poll_update(struct io_kiocb *req, unsigned int issue_flags)
		req_set_fail(req);
	/* complete update request, we're done with it */
	io_req_complete(req, ret);
	io_ring_submit_unlock(ctx, !(issue_flags & IO_URING_F_NONBLOCK));
	return 0;
}
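Review bot: The io_ring_submit_unlock() placed just before return 0 only balances the earlier lock if every path through io_poll_update reaches this line. The code between the two hunks is not shown here, so please confirm that the failure branch after if (!preq || !io_poll_disarm(preq)) falls through or jumps to this common exit and that no direct return exists in between, otherwise ctx->uring_lock is leaked. The expression !(issue_flags & IO_URING_F_NONBLOCK) is also written out twice; computing it once into a local bool and passing that to both calls would keep lock and unlock from diverging if one side is edited later. Note as well that io_req_complete(req, ret) now runs with the mutex held, which is worth a sentence in the commit message if it is intentional.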