ACK+CMNT: [SRU Focal] io_uring: disable polling pollfree files

Kamal Mostafa kamal at canonical.com
Mon Sep 19 19:51:00 UTC 2022


Cherry pick from upstream stable, LGTM -- but the "cherry picked from"
line is missing the reference to that.

Applier, please replace the "cherry picked from" line with this:

    (cherry picked from commit fc78b2fc21f10c4c9c4d5d659a685710ffa63659 linux-5.4.y)

Acked-by: Kamal Mostafa <kamal at canonical.com>

 -Kamal

On Mon, Sep 19, 2022 at 02:57:58PM -0300, Thadeu Lima de Souza Cascardo wrote:
> From: Pavel Begunkov <asml.silence at gmail.com>
> 
> Older kernels lack io_uring POLLFREE handling. As only affected files
> are signalfd and android binder the safest option would be to disable
> polling those files via io_uring and hope there are no users.
> 
> Fixes: 221c5eb233823 ("io_uring: add support for IORING_OP_POLL")
> Signed-off-by: Pavel Begunkov <asml.silence at gmail.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
> (cherry picked from commit fc78b2fc21f10c4c9c4d5d659a685710ffa63659)
> CVE-2022-3176
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>
> ---
>  drivers/android/binder.c | 1 +
>  fs/io_uring.c            | 3 +++
>  fs/signalfd.c            | 1 +
>  include/linux/fs.h       | 1 +
>  4 files changed, 6 insertions(+)
> 
> diff --git a/drivers/android/binder.c b/drivers/android/binder.c
> index eb2734106288..4b371c7caf44 100644
> --- a/drivers/android/binder.c
> +++ b/drivers/android/binder.c
> @@ -6083,6 +6083,7 @@ const struct file_operations binder_fops = {
>  	.open = binder_open,
>  	.flush = binder_flush,
>  	.release = binder_release,
> +	.may_pollfree = true,
>  };
>  
>  static int __init init_binder_device(const char *name)
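
Review bot: The `.may_pollfree = true` initializer in binder_fops is opt-in, so coverage depends on every POLLFREE-issuing file being marked by hand. The commit message names only signalfd and android binder as affected. Before applying, it is worth grepping the Focal tree for other POLLFREE wake-ups to confirm that list holds for this base and that no out-of-tree or Ubuntu-specific driver needs the flag as well.
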
> diff --git a/fs/io_uring.c b/fs/io_uring.c
> index e73969fa96bc..501c7e14c07c 100644
> --- a/fs/io_uring.c
> +++ b/fs/io_uring.c
> @@ -1908,6 +1908,9 @@ static int io_poll_add(struct io_kiocb *req, const struct io_uring_sqe *sqe)
>  	__poll_t mask;
>  	u16 events;
>  
> +	if (req->file->f_op->may_pollfree)
> +		return -EOPNOTSUPP;
> +
>  	if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
>  		return -EINVAL;
>  	if (sqe->addr || sqe->ioprio || sqe->off || sqe->len || sqe->buf_index)
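
Review bot: The new `may_pollfree` test at the top of io_poll_add() carries no comment, and it runs before the IORING_SETUP_IOPOLL and sqe field validation. A reader of fs/io_uring.c alone cannot tell why these files are refused, so a one-line comment saying that this kernel lacks POLLFREE handling would help. The ordering also means a malformed poll request on such a file now reports -EOPNOTSUPP rather than -EINVAL. That is harmless, but moving the check below the two validation branches would keep the existing error precedence.
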
> diff --git a/fs/signalfd.c b/fs/signalfd.c
> index 3e94d181930f..c3415d969ecf 100644
> --- a/fs/signalfd.c
> +++ b/fs/signalfd.c
> @@ -248,6 +248,7 @@ static const struct file_operations signalfd_fops = {
>  	.poll		= signalfd_poll,
>  	.read		= signalfd_read,
>  	.llseek		= noop_llseek,
> +	.may_pollfree	= true,
>  };
>  
>  static int do_signalfd4(int ufd, sigset_t *mask, int flags)
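
Review bot: Setting `.may_pollfree = true` in signalfd_fops is a userspace-visible change. Combined with the io_poll_add() hunk, any program that polls a signalfd through io_uring will start getting -EOPNOTSUPP, and the commit message itself only says "hope there are no users". For an SRU this should be stated as the regression potential in the submission, so that a bug report about poll on a signalfd failing after the update can be traced back to this change.
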
> diff --git a/include/linux/fs.h b/include/linux/fs.h
> index 2bd06577c02a..84eade09b3aa 100644
> --- a/include/linux/fs.h
> +++ b/include/linux/fs.h
> @@ -1862,6 +1862,7 @@ struct file_operations {
>  				   struct file *file_out, loff_t pos_out,
>  				   loff_t len, unsigned int remap_flags);
>  	int (*fadvise)(struct file *, loff_t, loff_t, int);
> +	bool may_pollfree;
>  } __randomize_layout;
>  
>  struct inode_operations {
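
Review bot: `bool may_pollfree;` is added to struct file_operations with no comment describing what it means or who consumes it. A short comment would keep the flag from being misread or reused, for example saying that the file's waitqueue can go away with POLLFREE and that io_uring poll must refuse it. The new member also grows a structure that every module defining a file_operations instance is built against, so the layout change should be taken into account in the ABI check for this upload.
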
> -- 
> 2.34.1
> 
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team


