Unverified Commit a4ff1d69 authored by openeuler-ci-bot, committed by Gitee

!12908 io_uring: fix CVE-2024-50060

Merge Pull Request from: @ci-robot 
 
PR sync from: Baokun Li <libaokun1@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/TWNGLQ4CBZLKZKCFFSDVYDJYT623ADRW/ 
Jens Axboe (1):
  io_uring: check if we need to reschedule during overflow flush

Pavel Begunkov (1):
  io_uring: always lock __io_cqring_overflow_flush


-- 
2.46.1
 
https://gitee.com/src-openeuler/kernel/issues/IAYRF9 
 
Link: https://gitee.com/openeuler/kernel/pulls/12908

 

Reviewed-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
parents a950c2ed c6f95e84
+21 −5
@@ -1663,6 +1663,8 @@ static bool __io_cqring_overflow_flush(struct io_ring_ctx *ctx, bool force)
{
	bool all_flushed, posted;

	lockdep_assert_held(&ctx->uring_lock);

	if (!force && __io_cqring_events(ctx) == ctx->cq_entries)
		return false;

@@ -1684,6 +1686,23 @@ static bool __io_cqring_overflow_flush(struct io_ring_ctx *ctx, bool force)
		posted = true;
		list_del(&ocqe->list);
		kfree(ocqe);

		/*
		 * For silly syzbot cases that deliberately overflow by huge
		 * amounts, check if we need to resched and drop and
		 * reacquire the locks if so. Nothing real would ever hit this.
		 * Ideally we'd have a non-posting unlock for this, but hard
		 * to care for a non-real case.
		 */
		if (need_resched()) {
			io_commit_cqring(ctx);
			spin_unlock(&ctx->completion_lock);
			io_cqring_ev_posted(ctx);
			mutex_unlock(&ctx->uring_lock);
			cond_resched();
			mutex_lock(&ctx->uring_lock);
			spin_lock(&ctx->completion_lock);
		}
	}

	all_flushed = list_empty(&ctx->cq_overflow_list);
@@ -1706,11 +1725,8 @@ static bool io_cqring_overflow_flush(struct io_ring_ctx *ctx)
	bool ret = true;

	if (test_bit(0, &ctx->check_cq_overflow)) {
		/* iopoll syncs against uring_lock, not completion_lock */
		if (ctx->flags & IORING_SETUP_IOPOLL)
		mutex_lock(&ctx->uring_lock);
		ret = __io_cqring_overflow_flush(ctx, false);
		if (ctx->flags & IORING_SETUP_IOPOLL)
		mutex_unlock(&ctx->uring_lock);
	}