!12906 io_uring: fix CVE-2024-50060 (62b6fca2) · Commits · EulixOS / Software / Kernel

io_uring/io_uring.c

+23 −5

Original line number	Diff line number	Diff line
		@@ -667,6 +667,8 @@ static void io_cqring_overflow_kill(struct io_ring_ctx *ctx)
		struct io_overflow_cqe *ocqe;
		LIST_HEAD(list);

		lockdep_assert_held(&ctx->uring_lock);

		spin_lock(&ctx->completion_lock);
		list_splice_init(&ctx->cq_overflow_list, &list);
		clear_bit(IO_CHECK_CQ_OVERFLOW_BIT, &ctx->check_cq);
		@@ -683,6 +685,8 @@ static void __io_cqring_overflow_flush(struct io_ring_ctx *ctx)
		{
		size_t cqe_size = sizeof(struct io_uring_cqe);

		lockdep_assert_held(&ctx->uring_lock);

		if (__io_cqring_events(ctx) == ctx->cq_entries)
		return;

		@@ -701,6 +705,21 @@ static void __io_cqring_overflow_flush(struct io_ring_ctx *ctx)
		memcpy(cqe, &ocqe->cqe, cqe_size);
		list_del(&ocqe->list);
		kfree(ocqe);

		/*
		* For silly syzbot cases that deliberately overflow by huge
		* amounts, check if we need to resched and drop and
		* reacquire the locks if so. Nothing real would ever hit this.
		* Ideally we'd have a non-posting unlock for this, but hard
		* to care for a non-real case.
		*/
		if (need_resched()) {
		io_cq_unlock_post(ctx);
		mutex_unlock(&ctx->uring_lock);
		cond_resched();
		mutex_lock(&ctx->uring_lock);
		io_cq_lock(ctx);
		}
		}

		if (list_empty(&ctx->cq_overflow_list)) {
		@@ -712,11 +731,8 @@ static void __io_cqring_overflow_flush(struct io_ring_ctx *ctx)

		static void io_cqring_do_overflow_flush(struct io_ring_ctx *ctx)
		{
		/* iopoll syncs against uring_lock, not completion_lock */
		if (ctx->flags & IORING_SETUP_IOPOLL)
		mutex_lock(&ctx->uring_lock);
		__io_cqring_overflow_flush(ctx);
		if (ctx->flags & IORING_SETUP_IOPOLL)
		mutex_unlock(&ctx->uring_lock);
		}

		@@ -1596,6 +1612,8 @@ static int io_iopoll_check(struct io_ring_ctx *ctx, long min)
		unsigned int nr_events = 0;
		unsigned long check_cq;

		lockdep_assert_held(&ctx->uring_lock);

		if (!io_allowed_run_tw(ctx))
		return -EEXIST;