io_uring/waitid: always prune wait queue entry in io_waitid_wait()

bmastbergen · bmastbergen · commit 7dd13f796192 · 2025-12-16T15:06:27.000-05:00
jira VULN-162139 cve CVE-2025-40047 commit-author Jens Axboe <axboe@kernel.dk> commit 2f8229d For a successful return, always remove our entry from the wait queue entry list. Previously this was skipped if a cancelation was in progress, but this can race with another invocation of the wait queue entry callback. Cc: stable@vger.kernel.org Fixes: f31ecf6 ("io_uring: add IORING_OP_WAITID support") Reported-by: syzbot+b9e83021d9c642a33d8c@syzkaller.appspotmail.com Tested-by: syzbot+b9e83021d9c642a33d8c@syzkaller.appspotmail.com Link: https://lore.kernel.org/io-uring/68e5195e.050a0220.256323.001f.GAE@google.com/ Signed-off-by: Jens Axboe <axboe@kernel.dk> (cherry picked from commit 2f8229d) Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
diff --git a/io_uring/waitid.c b/io_uring/waitid.c
@@ -272,13 +272,14 @@ static int io_waitid_wait(struct wait_queue_entry *wait, unsigned mode,
 	if (!pid_child_should_wake(wo, p))
 		return 0;
 
+	list_del_init(&wait->entry);
+
 	/* cancel is in progress */
 	if (atomic_fetch_inc(&iw->refs) & IO_WAITID_REF_MASK)
 		return 1;
 
 	req->io_task_work.func = io_waitid_cb;
 	io_req_task_work_add(req);
-	list_del_init(&wait->entry);
 	return 1;
 }
 
