From fd96d642879706de355acc6b850dd827fbec1985 Mon Sep 17 00:00:00 2001
From: David Disseldorp <ddiss@suse.de>
Date: Tue, 7 Feb 2023 23:46:26 +0100
Subject: [PATCH 1/5] io_uring: update res mask in io_poll_check_events
Patch-mainline: v6.1-rc6
Git-commit: b98186aee22fa593bc8c6b2c5d839c2ee518bc8c
References: bsc#1207511 CVE-2023-0468

When io_poll_check_events() collides with someone attempting to queue a
task work, it'll spin for one more time. However, it'll continue to use
the mask from the first iteration instead of updating it. For example,
if the first wake up was an EPOLLIN and the second EPOLLOUT, the
userspace will not get EPOLLOUT in time.

Clear the mask for all subsequent iterations to force vfs_poll().

Cc: stable@vger.kernel.org
Fixes: aa43477b04025 ("io_uring: poll rework")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/2dac97e8f691231049cb259c4ae57e79e40b537c.1668710222.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Acked-by: David Disseldorp <ddiss@suse.de>
---
 fs/io_uring.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/io_uring.c b/fs/io_uring.c
index a94d34d4abb88..f7094c52af66b 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -6546,6 +6546,9 @@ static int io_poll_check_events(struct io_kiocb *req, bool *locked)
 		if (ret)
 			return ret;
 
+		/* force the next iteration to vfs_poll() */
+		req->cqe.res = 0;
+
 		/*
 		 * Release all references, retry if someone tried to restart
 		 * task_work while we were executing it.
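Review bot: The comment on the added `req->cqe.res = 0;` says what the store does but not why it is needed. It is not obvious from the hunk that `cqe.res` doubles as the cached poll mask. The commit message explains that a retry otherwise reuses the mask from the first wakeup, and that rationale belongs in the code, for example "the mask from the previous wakeup is stale on retry, clear it so the next pass calls vfs_poll()". The reset also runs on every pass, including the final one where no retry follows. That looks harmless here, but the commit message speaks of "subsequent iterations", so it is worth a word in the comment confirming that nothing after the loop reads `req->cqe.res`. Separately, the header references CVE-2023-0468 while the message only describes a delayed EPOLLOUT. As 1/5 of a backport series, a line in the header stating how this patch relates to the CVE would help reviewers of the stable tree.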
-- 
2.35.3