From e25cb3f0f70e18fb13128e16a16075fe271ac063 Mon Sep 17 00:00:00 2001

From: Gabriel Krisman Bertazi <krisman@suse.de>

Date: Mon, 1 May 2023 11:49:09 -0400

Subject: [PATCH] io_uring: prevent race on registering fixed files

Patch-mainline: Never, specific to 15SP3

References: bsc#1210414 CVE-2023-1872

in 5.3, io_sqe_files_unregister is called without holding the io_uring ctx lock

when in sqpoll,which means it can race with the io_sqe_files_unregister.  This

was fixed in commit 8a4955ff1cca7d4da480774034a16e7c28bafec8 ("io_uring:

sqthread should grab ctx->uring_lock for submissions"), but this has quite a few

dependencies that we don't want to carry in SP3.

This version, instead, only acquires the lock prior to registering the files in

the sqpoll path and releases right after, which should be safe todo and doesn't

add extra dependencies.

Signed-off-by: Gabriel Krisman Bertazi <krisman@suse.de>

---

 fs/io_uring.c | 8 ++++++++

 1 file changed, 8 insertions(+)

diff --git a/fs/io_uring.c b/fs/io_uring.c

index 2c2803f9d936..66d3a2420aaf 100644

--- a/fs/io_uring.c

+++ b/fs/io_uring.c

@@ -2241,7 +2241,15 @@ static void io_submit_sqe(struct io_ring_ctx *ctx, struct sqe_submit *s,

 		goto err;

 	}

+	/*

+	 * SLE15-SP3: Guard file table insertion from racing with

+	 * io_sqe_files_unregister.  The SQPOLL path can get here unlocked.

+	 */

+	if (s->needs_lock)

+		mutex_lock(&ctx->uring_lock);

 	ret = io_req_set_file(ctx, s, state, req);

+	if (s->needs_lock)

+		mutex_unlock(&ctx->uring_lock);

 	if (unlikely(ret)) {

 err_req:

 		io_free_req(req);

-- 

2.40.0