io_uring: fix wrong arm_poll error handling

[ upstream commmit 9d2ad2947a53abf5e5e6527a9eeed50a3a4cbc72 ]

Leaving ip.error set when a request was punted to task_work execution is
problematic, don't forget to clear it.

Fixes: aa43477b04025 ("io_uring: poll rework")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/a6c84ef4182c6962380aebe11b35bdcb25b0ccfb.1655852245.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
[pavel: backport]
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 182dc3aa5ae2f6e2ec6a95667845a819179a78e8 linux-5.15.y)
CVE-2022-3176
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 0a14cb2c55c559fcec1fd77086379f0838298e60..5ce0254d2cbecb2d6aff955d3b80b2cbd2ab9d64 100644 (file)
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -5627,8 +5627,10 @@ static int __io_arm_poll_handler(struct io_kiocb *req,
 
        if (mask) {
                /* can't multishot if failed, just queue the event we've got */
-               if (unlikely(ipt->error || !ipt->nr_entries))
+               if (unlikely(ipt->error || !ipt->nr_entries)) {
                        poll->events |= EPOLLONESHOT;
+                       ipt->error = 0;
+               }
                __io_poll_execute(req, mask);
                return 0;
        }