tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

io_uring/poll: ensure EPOLL_ONESHOT is propagated for EPOLL_URING_WAKE

Commit:

aacf2f9f382c ("io_uring: fix req->apoll_events")

fixed an issue where poll->events and req->apoll_events weren't
synchronized, but then when the commit referenced in Fixes got added,
it didn't ensure the same thing.

If we mask in EPOLLONESHOT in the regular EPOLL_URING_WAKE path, then
ensure it's done for both. Including a link to the original report
below, even though it's mostly nonsense. But it includes a reproducer
that does show that IORING_CQE_F_MORE is set in the previous CQE,
while no more CQEs will be generated for this request. Just ignore
anything that pretends this is security related in any way, it's just
the typical AI nonsense.

Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/io-uring/CAM0zi7yQzF3eKncgHo4iVM5yFLAjsiob_ucqyWKs=hyd_GqiMg@mail.gmail.com/
Reported-by: Azizcan Daştan <azizcan.d@mileniumsec.com>
Fixes: 4464853277d0 ("io_uring: pass in EPOLL_URING_WAKE for eventfd signaling and wakeups")
Signed-off-by: Jens Axboe <axboe@kernel.dk>

Jens Axboe 1967f0b1 770594e7

+3 -1
+3 -1
io_uring/poll.c
··· 417 417 * disable multishot as there is a circular dependency between 418 418 * CQ posting and triggering the event. 419 419 */ 420 - if (mask & EPOLL_URING_WAKE) 420 + if (mask & EPOLL_URING_WAKE) { 421 421 poll->events |= EPOLLONESHOT; 422 + req->apoll_events |= EPOLLONESHOT; 423 + } 422 424 423 425 /* optional, saves extra locking for removal in tw handler */ 424 426 if (mask && poll->events & EPOLLONESHOT) {