[SRU Focal] io_uring: disable polling pollfree files

Thadeu Lima de Souza Cascardo cascardo at canonical.com
Mon Sep 19 17:57:58 UTC 2022 

From: Pavel Begunkov <asml.silence at gmail.com>

Older kernels lack io_uring POLLFREE handling. As only affected files
are signalfd and android binder the safest option would be to disable
polling those files via io_uring and hope there are no users.

Fixes: 221c5eb233823 ("io_uring: add support for IORING_OP_POLL")
Signed-off-by: Pavel Begunkov <asml.silence at gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
(cherry picked from commit fc78b2fc21f10c4c9c4d5d659a685710ffa63659)
CVE-2022-3176
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>
---
 drivers/android/binder.c | 1 +
 fs/io_uring.c            | 3 +++
 fs/signalfd.c            | 1 +
 include/linux/fs.h       | 1 +
 4 files changed, 6 insertions(+)

diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index eb2734106288..4b371c7caf44 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -6083,6 +6083,7 @@ const struct file_operations binder_fops = {
 	.open = binder_open,
 	.flush = binder_flush,
 	.release = binder_release,
+	.may_pollfree = true,
 };
 
 static int __init init_binder_device(const char *name)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index e73969fa96bc..501c7e14c07c 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -1908,6 +1908,9 @@ static int io_poll_add(struct io_kiocb *req, const struct io_uring_sqe *sqe)
 	__poll_t mask;
 	u16 events;
 
+	if (req->file->f_op->may_pollfree)
+		return -EOPNOTSUPP;
+
 	if (unlikely(req->ctx->flags & IORING_SETUP_IOPOLL))
 		return -EINVAL;
 	if (sqe->addr || sqe->ioprio || sqe->off || sqe->len || sqe->buf_index)
diff --git a/fs/signalfd.c b/fs/signalfd.c
index 3e94d181930f..c3415d969ecf 100644
--- a/fs/signalfd.c
+++ b/fs/signalfd.c
@@ -248,6 +248,7 @@ static const struct file_operations signalfd_fops = {
 	.poll		= signalfd_poll,
 	.read		= signalfd_read,
 	.llseek		= noop_llseek,
+	.may_pollfree	= true,
 };
 
 static int do_signalfd4(int ufd, sigset_t *mask, int flags)
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 2bd06577c02a..84eade09b3aa 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1862,6 +1862,7 @@ struct file_operations {
 				   struct file *file_out, loff_t pos_out,
 				   loff_t len, unsigned int remap_flags);
 	int (*fadvise)(struct file *, loff_t, loff_t, int);
+	bool may_pollfree;
 } __randomize_layout;
 
 struct inode_operations {
-- 
2.34.1

More information about the kernel-team mailing list