From 0930fd56c55a6ddc4ea3e98d065d663f1eea3fe9 Mon Sep 17 00:00:00 2001
From: Jens Axboe <axboe@kernel.dk>
Date: Wed, 11 Jan 2023 11:47:25 +0800
Subject: [PATCH] io_uring: kill goto error handling in io_sqpoll_wait_sq()

stable inclusion
from stable-v5.10.155
commit 0f544353fec8e717d37724d95b92538e1de79e86
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I69NMA
CVE: CVE-2022-47946

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0f544353fec8e717d37724d95b92538e1de79e86

--------------------------------

Hunk extracted from commit 70aacfe66136809d7f080f89c492c278298719f4
upstream.

If the sqpoll thread has died, the out condition doesn't remove the
waiting task from the waitqueue. The goto and check are not needed, just
make it a break condition after setting the error value. That ensures
that we always remove ourselves from sqo_sq_wait waitqueue.

Reported-by: Xingyuan Mo <hdthky0@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com>
---
 fs/io_uring.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 81d982fdc9b5..9d5a041d329e 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -9073,7 +9073,7 @@ static int io_sqpoll_wait_sq(struct io_ring_ctx *ctx)
 
 		if (unlikely(ctx->sqo_dead)) {
 			ret = -EOWNERDEAD;
-			goto out;
+			break;
 		}
 
 		if (!io_sqring_full(ctx))
@@ -9083,7 +9083,6 @@ static int io_sqpoll_wait_sq(struct io_ring_ctx *ctx)
 	} while (!signal_pending(current));
 
 	finish_wait(&ctx->sqo_sq_wait, &wait);
-out:
 	return ret;
 }
 
-- 
GitLab