[SRU Kinetic,OEM-6.1 0/4] CVE-2023-2430
Thadeu Lima de Souza Cascardo
cascardo at canonical.com
Wed Jun 14 10:42:32 UTC 2023
[Impact]
A race condition when sending a MSG_RING operation to an IOPOLL io_uring
may lead to incorrect behavior.
[Test case]
A test case was prepared where incorrect behavior was observed, indicating
a race condition.
[Backport]
For 6.1, some conflicts because of previous out-of-order backports were dealt with.
For 5.19, lots of file movements and different changes required that the
backport was written anew. It introduces the double_locking (which is not
double anymore), just for the sake of locking the other ctx uring_lock when
sending MSG_RING data.
For 6.0, there were more clean cherry-picks compared to 6.1. However, the
testing shows some other strange behavior and is currently being investigated.
[Potential regression]
io_uring users relying on MSG_RING or IOPOLL would be affected.
Jens Axboe (2):
  io_uring/msg_ring: move double lock/unlock helpers higher up
  io_uring/msg_ring: fix missing lock on overflow for IOPOLL

Pavel Begunkov (2):
  io_uring: get rid of double locking
  io_uring: extract a io_msg_install_complete helper

 io_uring/msg_ring.c | 143 ++++++++++++++++++++++++++------------------
 io_uring/msg_ring.h |   1 +
 io_uring/opdef.c    |   1 +
 3 files changed, 88 insertions(+), 57 deletions(-)
--
2.34.1