CVE-2021-46942
io_uring: fix shared sqpoll cancellation hangs
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
io_uring: fix shared sqpoll cancellation hangs
[ 736.982891] INFO: task iou-sqp-4294:4295 blocked for more than 122 seconds.
[ 736.982897] Call Trace:
[ 736.982901] schedule+0x68/0xe0
[ 736.982903] io_uring_cancel_sqpoll+0xdb/0x110
[ 736.982908] io_sqpoll_cancel_cb+0x24/0x30
[ 736.982911] io_run_task_work_head+0x28/0x50
[ 736.982913] io_sq_thread+0x4e3/0x720
We call io_uring_cancel_sqpoll() one by one for each ctx either in
sq_thread() itself or via task works, and it's intended to cancel all
requests of a specified context. However the function uses per-task
counters to track the number of inflight requests, so it counts more
requests than available via currect io_uring ctx and goes to sleep for
them to appear (e.g. from IRQ), that will never happen.
Cancel a bit more than before, i.e. all ctxs that share sqpoll
and continue to use shared counters. Don't forget that we should not
remove ctx from the list before running that task_work sqpoll-cancel,
otherwise the function wouldn't be able to find the context and will
hang.
En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: io_uring: corrige bloqueos de cancelación de sqpoll compartido [736.982891] INFORMACIÓN: tarea iou-sqp-4294:4295 bloqueada durante más de 122 segundos. [ 736.982897] Seguimiento de llamadas: [ 736.982901] agenda+0x68/0xe0 [ 736.982903] io_uring_cancel_sqpoll+0xdb/0x110 [ 736.982908] io_sqpoll_cancel_cb+0x24/0x30 [ 736.982911] io_run_task_work_head+0x28/0x50 [ 736.982913] io_sq_thread+0x4e3/0x720 Llamamos a io_uring_cancel_sqpoll( ) uno por uno para cada ctx, ya sea en sq_thread() o mediante tareas, y está destinado a cancelar todas las solicitudes de un contexto específico. Sin embargo, la función utiliza contadores por tarea para rastrear la cantidad de solicitudes en curso, por lo que cuenta más solicitudes de las disponibles a través de currect io_uring ctx y se pone en suspensión para que aparezcan (por ejemplo, desde IRQ), eso nunca sucederá. Cancele un poco más que antes, es decir, todos los ctx que comparten sqpoll y continúan usando contadores compartidos. No olvide que no debemos eliminar ctx de la lista antes de ejecutar task_work sqpoll-cancel; de lo contrario, la función no podrá encontrar el contexto y se bloqueará.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-02-25 CVE Reserved
- 2024-02-27 CVE Published
- 2024-02-28 EPSS Updated
- 2024-09-11 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| https://git.kernel.org/stable/c/37d1e2e3642e2380750d7f35279180826f29660e | Vuln. Introduced |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://git.kernel.org/stable/c/cb5e0b3d0f993a6268c1a2c7ede2f9aa0c17ef68 | 2021-05-12 | |
| https://git.kernel.org/stable/c/734551df6f9bedfbefcd113ede665945e9de0b99 | 2021-04-19 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.12 < 5.12.3 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.12 < 5.12.3" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.12 < 5.13 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.12 < 5.13" | en |
Affected
| ||||||