[UBUNTU OEM-6.0 1/5] io_uring: update res mask in io_poll_check_events

Thadeu Lima de Souza Cascardo cascardo at canonical.com
Wed Apr 5 00:08:23 UTC 2023


From: Pavel Begunkov <asml.silence at gmail.com>

When io_poll_check_events() collides with someone attempting to queue a
task work, it'll spin for one more time. However, it'll continue to use
the mask from the first iteration instead of updating it. For example,
if the first wake up was an EPOLLIN and the second EPOLLOUT, the
userspace will not get EPOLLOUT in time.

Clear the mask for all subsequent iterations to force vfs_poll().

Cc: stable at vger.kernel.org
Fixes: aa43477b04025 ("io_uring: poll rework")
Signed-off-by: Pavel Begunkov <asml.silence at gmail.com>
Link: https://lore.kernel.org/r/2dac97e8f691231049cb259c4ae57e79e40b537c.1668710222.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe at kernel.dk>
(cherry picked from commit b98186aee22fa593bc8c6b2c5d839c2ee518bc8c)
CVE-2023-0468
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>
---
 io_uring/poll.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/io_uring/poll.c b/io_uring/poll.c
index 0d9f49c575e0..8c7af09a81d8 100644
--- a/io_uring/poll.c
+++ b/io_uring/poll.c
@@ -256,6 +256,9 @@ static int io_poll_check_events(struct io_kiocb *req, bool *locked)
 				return ret;
 		}
 
+		/* force the next iteration to vfs_poll() */
+		req->cqe.res = 0;
+
 		/*
 		 * Release all references, retry if someone tried to restart
 		 * task_work while we were executing it.
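Review bot: the comment above `req->cqe.res = 0;` says what the store does but not why a stale value matters. Suggest extending it to say that the mask from the previous wakeup would otherwise be reused on a retry, which is the EPOLLIN followed by EPOLLOUT case from the commit message. The store is also unconditional and sits ahead of the "Release all references, retry" block, so it runs on the pass that ends without a retry as well. The rest of the function is not visible in this hunk, so it is worth confirming that nothing reads req->cqe.res after this point on the non-retry path, or noting in the comment that the placement before the reference release is intentional.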
-- 
2.34.1



