Description
In the Linux kernel, the following vulnerability has been resolved: io_uring/poll: correctly handle io_poll_add() return value on update When the core of io_uring was updated to handle completions consistently and with fixed return codes, the POLL_REMOVE opcode with updates got slightly broken. If a POLL_ADD is pending and then POLL_REMOVE is used to update the events of that request, if that update causes the POLL_ADD to now trigger, then that completion is lost and a CQE is never posted. Additionally, ensure that if an update does cause an existing POLL_ADD to complete, that the completion value isn't always overwritten with -ECANCELED. For that case, whatever io_poll_add() set the value to should just be retained.
Product status
97b388d70b53fd7d286ac1b81e5a88bd6af98209 (git) before 8b777ab48441b153502772ecfc78c107d4353f29
97b388d70b53fd7d286ac1b81e5a88bd6af98209 (git) before 0126560370ed5217958b85657b590ad25e8b9c00
97b388d70b53fd7d286ac1b81e5a88bd6af98209 (git) before c1669c03bfbc2a9b5ebff4428eecebe734c646fe
97b388d70b53fd7d286ac1b81e5a88bd6af98209 (git) before 13a8f7b88c2d40c6b33f6216190478dda95d385f
97b388d70b53fd7d286ac1b81e5a88bd6af98209 (git) before 84230ad2d2afbf0c44c32967e525c0ad92e26b4e
6.0
Any version before 6.0
6.1.160 (semver)
6.6.120 (semver)
6.12.64 (semver)
6.18.3 (semver)
6.19 (original_commit_for_fix)
References
git.kernel.org/...c/8b777ab48441b153502772ecfc78c107d4353f29
git.kernel.org/...c/0126560370ed5217958b85657b590ad25e8b9c00
git.kernel.org/...c/c1669c03bfbc2a9b5ebff4428eecebe734c646fe
git.kernel.org/...c/13a8f7b88c2d40c6b33f6216190478dda95d385f
git.kernel.org/...c/84230ad2d2afbf0c44c32967e525c0ad92e26b4e