A recent vulnerability, tracked as CVE-2021-46942, was found in the Linux kernel, specifically in the io_uring subsystem. The issue concerns hangs during cancellation of shared submission queue polling (sqpoll) requests, which can leave an io_uring sqpoll task blocked on affected systems. In this post, we will go through the details of the vulnerability, its resolution, and the related code changes.

Background

io_uring is a Linux kernel feature for asynchronous I/O that improves performance and efficiency. In certain situations, io_uring needs to cancel shared sqpoll requests. However, the io_uring_cancel_sqpoll() function uses per-task counters to track the number of inflight requests, so it accounts for more requests than are actually available via the current io_uring context (ctx). The function then goes to sleep waiting for inflight requests to appear, and the task hangs.

The vulnerability is mainly observed through the following call trace:

[  736.982891] INFO: task iou-sqp-4294:4295 blocked for more than 122 seconds.
[  736.982897] Call Trace:
[  736.982901]  schedule+0x68/0xe0
[  736.982903]  io_uring_cancel_sqpoll+0xdb/0x110
[  736.982908]  io_sqpoll_cancel_cb+0x24/0x30
[  736.982911]  io_run_task_work_head+0x28/0x50
[  736.982913]  io_sq_thread+0x4e3/0x720
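
A triage check for this hang signature in collected kernel logs, as an added example that is not part of the original post or the kernel project. The function names are hypothetical and the sample log is constructed: its first report is modelled on the trace above, and its second is an unrelated hung task that must not match.

```python
import re

HUNG = re.compile(r"INFO: task (?P<comm>.+):(?P<pid>\d+) blocked for more than (?P<secs>\d+) seconds")
FRAME = re.compile(r"^\s*(?:\? )?(?P<sym>[A-Za-z_][\w.]*)\+\S+/\S+")  # symbol+offset/size
STAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg timestamp prefix

def hung_task_reports(lines):
    """Group kernel log lines into hung-task reports with their stack symbols."""
    reports, cur, in_trace = [], None, False
    for raw in lines:
        line = STAMP.sub("", raw.rstrip())
        m = HUNG.search(line)
        if m:
            cur = {"comm": m["comm"], "pid": int(m["pid"]), "secs": int(m["secs"]), "frames": []}
            reports.append(cur)
            in_trace = False
        elif cur is not None and line.strip() == "Call Trace:":
            in_trace = True
        elif in_trace:
            f = FRAME.match(line)
            if f:
                cur["frames"].append(f["sym"])  # innermost frame first
            else:
                in_trace = False  # first non-frame line ends the trace
    return reports

def sqpoll_cancel_hangs(lines):
    """Return reports where the blocked task is sleeping inside io_uring_cancel_sqpoll()."""
    hits = []
    for r in hung_task_reports(lines):
        frames = r["frames"]
        if "io_uring_cancel_sqpoll" in frames and "schedule" in frames[:frames.index("io_uring_cancel_sqpoll")]:
            hits.append(r)
    return hits

# Constructed sample log (not captured from a real system).
SAMPLE = """\
[  736.982891] INFO: task iou-sqp-4294:4295 blocked for more than 122 seconds.
[  736.982897] Call Trace:
[  736.982901]  schedule+0x68/0xe0
[  736.982903]  io_uring_cancel_sqpoll+0xdb/0x110
[  736.982908]  io_sqpoll_cancel_cb+0x24/0x30
[  736.982911]  io_run_task_work_head+0x28/0x50
[  736.982913]  io_sq_thread+0x4e3/0x720
[  800.000001] INFO: task kworker/u8:2:311 blocked for more than 122 seconds.
[  800.000002] Call Trace:
[  800.000003]  schedule+0x68/0xe0
[  800.000004]  io_schedule+0x12/0x40
""".splitlines()
```

Calling `sqpoll_cancel_hangs(SAMPLE)` returns only the `iou-sqp-4294` report. A hit on a production host indicates a kernel that still needs the fix described below.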

Resolution

To address this vulnerability, the fix cancels all contexts that share sqpoll and continues to use the shared counters. It also makes sure the ctx isn't removed from the list before the sqpoll-cancel task_work runs, as otherwise the function would be unable to find the context and would hang.

Original references

Linux kernel commit: 5978918

Mailing list discussion: LKML

Conclusion

The resolution of the CVE-2021-46942 vulnerability ensures that the Linux kernel's io_uring subsystem no longer hangs during the cancellation of shared sqpoll requests. The changes to the io_uring_cancel_sqpoll() function ensure proper tracking of inflight requests and eliminate the hanging issue, improving the overall stability and reliability of the Linux kernel. Make sure to apply the necessary patches and updates to your systems to mitigate the risk associated with this vulnerability.

Timeline

Published on: 02/27/2024 19:04:06 UTC
Last modified on: 04/10/2024 19:56:14 UTC