CVE-2021-46942
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 27/02/2024
Last modified: 10/04/2024
Description
In the Linux kernel, the following vulnerability has been resolved:

io_uring: fix shared sqpoll cancellation hangs

[ 736.982891] INFO: task iou-sqp-4294:4295 blocked for more than 122 seconds.
[ 736.982897] Call Trace:
[ 736.982901] schedule+0x68/0xe0
[ 736.982903] io_uring_cancel_sqpoll+0xdb/0x110
[ 736.982908] io_sqpoll_cancel_cb+0x24/0x30
[ 736.982911] io_run_task_work_head+0x28/0x50
[ 736.982913] io_sq_thread+0x4e3/0x720

We call io_uring_cancel_sqpoll() one by one for each ctx either in
sq_thread() itself or via task works, and it's intended to cancel all
requests of a specified context. However the function uses per-task
counters to track the number of inflight requests, so it counts more
requests than available via current io_uring ctx and goes to sleep for
them to appear (e.g. from IRQ), that will never happen.

Cancel a bit more than before, i.e. all ctxs that share sqpoll
and continue to use shared counters. Don't forget that we should not
remove ctx from the list before running that task_work sqpoll-cancel,
otherwise the function wouldn't be able to find the context and will
hang.
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.12.0 (including) | 5.12.3 (excluding) |