diff --git a/patches.suse/io_uring-prevent-race-on-registering-fixed-files.patch b/patches.suse/io_uring-prevent-race-on-registering-fixed-files.patch
new file mode 100644
index 0000000..37908da
--- /dev/null
+++ b/patches.suse/io_uring-prevent-race-on-registering-fixed-files.patch
@@ -0,0 +1,45 @@
+From e25cb3f0f70e18fb13128e16a16075fe271ac063 Mon Sep 17 00:00:00 2001
+From: Gabriel Krisman Bertazi
+Date: Mon, 1 May 2023 11:49:09 -0400
+Subject: [PATCH] io_uring: prevent race on registering fixed files
+Patch-mainline: Never, specific to 15SP3
+References: 1210414 CVE-2023-1872
+
+in 5.3, io_sqe_files_unregister is called without holding the io_uring ctx lock
+when in sqpoll,which means it can race with the io_sqe_files_unregister. This
+was fixed in commit 8a4955ff1cca7d4da480774034a16e7c28bafec8 ("io_uring:
+sqthread should grab ctx->uring_lock for submissions"), but this has quite a few
+dependencies that we don't want to carry in SP3.
+
+This version, instead, only acquires the lock prior to registering the files in
+the sqpoll path and releases right after, which should be safe todo and doesn't
+add extra dependencies.
+
+Signed-off-by: Gabriel Krisman Bertazi
+---
+ fs/io_uring.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/fs/io_uring.c b/fs/io_uring.c
+index 2c2803f9d936..66d3a2420aaf 100644
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -2241,7 +2241,15 @@ static void io_submit_sqe(struct io_ring_ctx *ctx, struct sqe_submit *s,
+ goto err;
+ }
+
++ /*
++ * SLE15-SP3: Guard file table insertion from racing with
++ * io_sqe_files_unregister. The SQPOLL path can get here unlocked.
++ */
++ if (s->needs_lock)
++ mutex_lock(&ctx->uring_lock);
+ ret = io_req_set_file(ctx, s, state, req);
++ if (s->needs_lock)
++ mutex_unlock(&ctx->uring_lock);
+ if (unlikely(ret)) {
+ err_req:
+ io_free_req(req);
+--
+2.40.0
+
diff --git a/series.conf b/series.conf
index d4544ed..3c77685 100644
--- a/series.conf
+++ b/series.conf
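Review bot: The lock added around `io_req_set_file()` in the `fs/io_uring.c` hunk is dropped before the request is used, so the new comment should state what keeps the file stored in `req` valid once `mutex_unlock(&ctx->uring_lock)` has run; as written it only explains the lookup window. If `io_sqe_files_unregister` can run concurrently with the SQPOLL path, as the commit message says, an unregister that starts right after the unlock could presumably still release that file, unless something outside this hunk (a ctx reference held by the request, for instance) prevents it. I would add one line to the comment naming that invariant, e.g. `* The file remains valid after unlock because <invariant to confirm against io_sqe_files_unregister>.` The comment also says "insertion" where the call appears to read the table, and it would help to note that `s->needs_lock` is relied on to mean "caller does not already hold uring_lock". The body of `io_submit_sqe` starts and ends outside the hunk, so the later uses of `req` are not visible here.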
@@ -23300,6 +23300,7 @@ patches.suse/io_uring-ensure-req-submit-is-copied-when-req-is-def.patch patches.suse/io_uring-Fix-current-fs-handling-in-io_sq_wq_submit_.patch patches.suse/io_uring-disable-polling-signalfd-pollfree-files.patch + patches.suse/io_uring-prevent-race-on-registering-fixed-files.patch ######################################################## # Block layer