Description
In the Linux kernel, the following vulnerability has been resolved:

io_uring/net: fix io_req_post_cqe abuse by send bundle

[ 114.987980][ T5313] WARNING: CPU: 6 PID: 5313 at io_uring/io_uring.c:872 io_req_post_cqe+0x12e/0x4f0
[ 114.991597][ T5313] RIP: 0010:io_req_post_cqe+0x12e/0x4f0
[ 115.001880][ T5313] Call Trace:
[ 115.002222][ T5313] <TASK>
[ 115.007813][ T5313] io_send+0x4fe/0x10f0
[ 115.009317][ T5313] io_issue_sqe+0x1a6/0x1740
[ 115.012094][ T5313] io_wq_submit_work+0x38b/0xed0
[ 115.013223][ T5313] io_worker_handle_work+0x62a/0x1600
[ 115.013876][ T5313] io_wq_worker+0x34f/0xdf0

As the comment states, io_req_post_cqe() should only be used by multishot requests, i.e. REQ_F_APOLL_MULTISHOT, which bundled sends are not. Add a flag signifying whether a request wants to post multiple CQEs. Eventually REQ_F_APOLL_MULTISHOT should imply the new flag, but that's left out for simplicity.
Product status
a05d1f625c7aa681d8816bc0f10089289ad07aad (git) before b7c6d081c19a5e11bbd77bb97a62cff2b6b21cb5
a05d1f625c7aa681d8816bc0f10089289ad07aad (git) before 7888c9fc0b2d3636f2e821ed1ad3c6920fa8e378
a05d1f625c7aa681d8816bc0f10089289ad07aad (git) before 9aa804e6b9696998308095fb9d335046a71550f1
a05d1f625c7aa681d8816bc0f10089289ad07aad (git) before 6889ae1b4df1579bcdffef023e2ea9a982565dff
6.10
Any version before 6.10
6.12.24 (semver)
6.13.12 (semver)
6.14.3 (semver)
6.15 (original_commit_for_fix)
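A triage helper for the information above, added here as an example (not code from the kernel project or from this record): it classifies an upstream kernel release against the versions under Product status and matches the WARNING signature from the trace. The function names and the reading of the version list (6.10 first affected; 6.12.24, 6.13.12, 6.14.3 and 6.15 first fixed) are assumptions, and the sample log is constructed.

```python
import re

# Assumption: thresholds read from the "Product status" list on this page.
INTRODUCED = (6, 10)                                      # first affected release
FIXED_IN_BRANCH = {(6, 12): 24, (6, 13): 12, (6, 14): 3}  # branch -> first fixed patch level
FIXED_MAINLINE = (6, 15)                                  # release carrying the original fix

# WARNING signature from the trace in the description; the source line number
# is left open because it differs between kernel versions.
WARN_RE = re.compile(r"WARNING: .* at io_uring/io_uring\.c:\d+ io_req_post_cqe\+")

def parse_release(release):
    """Turn a `uname -r` string such as '6.12.20-generic' into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def upstream_status(release):
    """Classify an upstream release as 'unaffected', 'affected' or 'fixed'."""
    major, minor, patch = parse_release(release)
    branch = (major, minor)
    if branch < INTRODUCED:
        return "unaffected"
    if branch >= FIXED_MAINLINE:
        return "fixed"
    first_fixed = FIXED_IN_BRANCH.get(branch)
    if first_fixed is not None and patch >= first_fixed:
        return "fixed"
    return "affected"  # includes branches with no listed fix, e.g. 6.11.x

def warning_hits(log_lines):
    """Return the log lines that carry the io_req_post_cqe WARNING signature."""
    return [line for line in log_lines if WARN_RE.search(line)]

# Constructed sample input: one line modelled on the trace above, one unrelated line.
SAMPLE_LOG = [
    "[ 114.987980][ T5313] WARNING: CPU: 6 PID: 5313 at io_uring/io_uring.c:872 io_req_post_cqe+0x12e/0x4f0",
    "[ 115.500000][ T1] usb 1-1: new high-speed USB device number 2 using xhci_hcd",
]

if __name__ == "__main__":
    for rel in ("6.9.12", "6.11.5", "6.12.23-generic", "6.12.24", "6.15.0"):
        print(rel, upstream_status(rel))
    print(len(warning_hits(SAMPLE_LOG)), "warning line(s) in sample log")
```

Distribution kernels often carry backported fixes without changing the upstream version number, so the result describes upstream status only.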
References
git.kernel.org/...c/b7c6d081c19a5e11bbd77bb97a62cff2b6b21cb5
git.kernel.org/...c/7888c9fc0b2d3636f2e821ed1ad3c6920fa8e378
git.kernel.org/...c/9aa804e6b9696998308095fb9d335046a71550f1
git.kernel.org/...c/6889ae1b4df1579bcdffef023e2ea9a982565dff