* [PATCH 5.15] Backport the fix for CVE-2023-25012 to kernel v5.15
@ 2023-11-13 19:32 He Gao
From: He Gao @ 2023-11-13 19:32 UTC (permalink / raw)
  To: stable; +Cc: He Gao

This is the fix for CVE-2023-25012 for kernel v5.15.

Upstream commit: https://github.com/torvalds/linux/commit/7644b1a1c9a7ae8ab99175989bfc8676055edb46

The affected code is in io_uring/io_uring.c instead of io_uring/fdinfo.c for v5.15. So the patch applies the same change to io_uring/io_uring.c.

Thanks!
He

Jens Axboe (1):
  io_uring/fdinfo: lock SQ thread while retrieving thread cpu/pid

 io_uring/io_uring.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

-- 
2.42.0.869.gea05f2083d-goog



* [PATCH 5.15] io_uring/fdinfo: lock SQ thread while retrieving thread cpu/pid
@ 2023-11-13 19:32 ` He Gao
From: He Gao @ 2023-11-13 19:32 UTC (permalink / raw)
  To: stable; +Cc: Jens Axboe, Gabriel Krisman Bertazi, He Gao

From: Jens Axboe <axboe@kernel.dk>

[ Upstream commit 7644b1a1c9a7ae8ab99175989bfc8676055edb46 ]

We could race with SQ thread exit, and if we do, we'll hit a NULL pointer
dereference when the thread is cleared. Grab the SQPOLL data lock before
attempting to get the task cpu and pid for fdinfo; this ensures we have a
stable view of it.

Cc: stable@vger.kernel.org
Link: https://bugzilla.kernel.org/show_bug.cgi?id=218032
Reviewed-by: Gabriel Krisman Bertazi <krisman@suse.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: He Gao <hegao@google.com>
---
 io_uring/io_uring.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index d00bedfdadbb..e26292d8b845 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -10411,7 +10411,7 @@ static int io_uring_show_cred(struct seq_file *m, unsigned int id,
 
 static void __io_uring_show_fdinfo(struct io_ring_ctx *ctx, struct seq_file *m)
 {
-	struct io_sq_data *sq = NULL;
+	int sq_pid = -1, sq_cpu = -1;
 	bool has_lock;
 	int i;
 
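Review bot: the `-1` initializers for `sq_pid` and `sq_cpu` in this hunk keep the fdinfo output identical to the old `sq ? ... : -1` form for the non-SQPOLL and no-thread cases, so no consumer of `SqThread:`/`SqThreadCpu:` sees a format change; dropping the function-scope `struct io_sq_data *sq` pointer in favour of two plain ints is what removes the later unlocked `sq->thread` dereference, since nothing outside the locked region now holds a pointer into the SQ data. Nothing to change here.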
@@ -10424,13 +10424,19 @@ static void __io_uring_show_fdinfo(struct io_ring_ctx *ctx, struct seq_file *m)
 	has_lock = mutex_trylock(&ctx->uring_lock);
 
 	if (has_lock && (ctx->flags & IORING_SETUP_SQPOLL)) {
-		sq = ctx->sq_data;
-		if (!sq->thread)
-			sq = NULL;
+		struct io_sq_data *sq = ctx->sq_data;
+
+		if (mutex_trylock(&sq->lock)) {
+			if (sq->thread) {
+				sq_pid = task_pid_nr(sq->thread);
+				sq_cpu = task_cpu(sq->thread);
+			}
+			mutex_unlock(&sq->lock);
+		}
 	}
 
-	seq_printf(m, "SqThread:\t%d\n", sq ? task_pid_nr(sq->thread) : -1);
-	seq_printf(m, "SqThreadCpu:\t%d\n", sq ? task_cpu(sq->thread) : -1);
+	seq_printf(m, "SqThread:\t%d\n", sq_pid);
+	seq_printf(m, "SqThreadCpu:\t%d\n", sq_cpu);
 	seq_printf(m, "UserFiles:\t%u\n", ctx->nr_user_files);
 	for (i = 0; has_lock && i < ctx->nr_user_files; i++) {
 		struct file *f = io_file_from_index(ctx, i);
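Review bot: with `mutex_trylock(&sq->lock)` a contended lock makes the output report `-1` for both `SqThread` and `SqThreadCpu`, which is indistinguishable from the SQ thread having already exited; that mirrors the existing `has_lock = mutex_trylock(&ctx->uring_lock)` pattern and is the right choice for a diagnostic path that must not block, but it is worth a sentence in the commit message so readers of fdinfo do not treat `-1` as a definitive "no SQPOLL thread". Reading `task_pid_nr()` and `task_cpu()` only while `sq->lock` is held closes the check-then-use gap between the old `if (!sq->thread)` test and the later `task_pid_nr(sq->thread)` call, which is the NULL dereference the commit message describes. `ctx->sq_data` is still dereferenced without a NULL check, as in the old code; that relies on `IORING_SETUP_SQPOLL` implying `sq_data` is set, which the surrounding condition already assumes.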
-- 
2.42.0.869.gea05f2083d-goog



* Re: [PATCH 5.15] Backport the fix for CVE-2023-25012 to kernel v5.15
@ 2023-11-24 16:01 ` Greg KH
From: Greg KH @ 2023-11-24 16:01 UTC (permalink / raw)
  To: He Gao; +Cc: stable

On Mon, Nov 13, 2023 at 07:32:26PM +0000, He Gao wrote:
> This is the fix for CVE-2023-25012 for kernel v5.15.
> 
> Upstream commit: https://github.com/torvalds/linux/commit/7644b1a1c9a7ae8ab99175989bfc8676055edb46
> 
> The affected code is in io_uring/io_uring.c instead of io_uring/fdinfo.c for v5.15. So the patch applies the same change to io_uring/io_uring.c.

Both backports now queued up, thanks.

greg k-h

