CVE-2021-46942

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 27/02/2024
Last modified: 10/04/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

io_uring: fix shared sqpoll cancellation hangs

[ 736.982891] INFO: task iou-sqp-4294:4295 blocked for more than 122 seconds.
[ 736.982897] Call Trace:
[ 736.982901] schedule+0x68/0xe0
[ 736.982903] io_uring_cancel_sqpoll+0xdb/0x110
[ 736.982908] io_sqpoll_cancel_cb+0x24/0x30
[ 736.982911] io_run_task_work_head+0x28/0x50
[ 736.982913] io_sq_thread+0x4e3/0x720

We call io_uring_cancel_sqpoll() one by one for each ctx either in sq_thread() itself or via task works, and it's intended to cancel all requests of a specified context. However the function uses per-task counters to track the number of inflight requests, so it counts more requests than available via current io_uring ctx and goes to sleep for them to appear (e.g. from IRQ), that will never happen.

Cancel a bit more than before, i.e. all ctxs that share sqpoll and continue to use shared counters. Don't forget that we should not remove ctx from the list before running that task_work sqpoll-cancel, otherwise the function wouldn't be able to find the context and will hang.

Vulnerable products and versions

CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
From: 5.12.0 (including)
Up to: 5.12.3 (excluding)
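
For triage, the hang quoted in the description can be matched in kernel logs and paired with a check against the version range listed above. This is an added example, not code from the advisory or the kernel patch; the function names and the kworker report in the sample are constructed. It assumes upstream-style release strings, so a vendor kernel that backported the fix may still fall inside the range.

```python
import re

# Constructed input: first report is the trace quoted above; the kworker one is a made-up negative case.
SAMPLE_LOG = """\
[ 736.982891] INFO: task iou-sqp-4294:4295 blocked for more than 122 seconds.
[ 736.982897] Call Trace:
[ 736.982901] schedule+0x68/0xe0
[ 736.982903] io_uring_cancel_sqpoll+0xdb/0x110
[ 736.982908] io_sqpoll_cancel_cb+0x24/0x30
[ 736.982911] io_run_task_work_head+0x28/0x50
[ 736.982913] io_sq_thread+0x4e3/0x720
[ 901.000001] INFO: task kworker/u8:2:311 blocked for more than 122 seconds.
[ 901.000005] Call Trace:
[ 901.000009] schedule+0x68/0xe0
[ 901.000012] io_schedule+0x16/0x40
"""

HUNG = re.compile(r"^\[\s*([\d.]+)\]\s+INFO: task (.+):(\d+) blocked for more than (\d+) seconds\.")
FRAME = re.compile(r"^\[\s*[\d.]+\]\s+\??\s*([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")

def find_sqpoll_cancel_hangs(log_text):
    """Return hung-task reports where an sqpoll thread sleeps in io_uring_cancel_sqpoll()."""
    reports, current, in_trace = [], None, False
    for line in log_text.splitlines():
        m = HUNG.match(line)
        if m:  # a new hung-task report starts here
            current = {"comm": m.group(2), "pid": int(m.group(3)),
                       "blocked_secs": int(m.group(4)), "frames": []}
            reports.append(current)
            in_trace = False
        elif current is not None and "Call Trace:" in line:
            in_trace = True
        elif in_trace and (f := FRAME.match(line)):
            current["frames"].append(f.group(1))
        else:
            in_trace = False  # any other line ends the trace being collected
    return [r for r in reports if r["comm"].startswith("iou-sqp-")
            and "io_uring_cancel_sqpoll" in r["frames"]]

def in_affected_range(release):
    """True if an upstream-style release string is >= 5.12.0 and < 5.12.3."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        return False
    version = tuple(int(p or 0) for p in m.groups())
    return (5, 12, 0) <= version < (5, 12, 3)

if __name__ == "__main__":
    print(find_sqpoll_cancel_hangs(SAMPLE_LOG))
```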