From: Greg Kroah-Hartman Date: Sat, 7 Dec 2019 15:34:13 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v5.4.3~61 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=12b43aa5a4a5ff92ca1279cfec821a91149b665a;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: io_uring-ensure-req-submit-is-copied-when-req-is-deferred.patch io_uring-fix-missing-kmap-declaration-on-powerpc.patch --- diff --git a/queue-5.4/io_uring-ensure-req-submit-is-copied-when-req-is-deferred.patch b/queue-5.4/io_uring-ensure-req-submit-is-copied-when-req-is-deferred.patch new file mode 100644 index 00000000000..5ac48b9a601 --- /dev/null +++ b/queue-5.4/io_uring-ensure-req-submit-is-copied-when-req-is-deferred.patch 
@@ -0,0 +1,80 @@ +From axboe@kernel.dk Sat Dec 7 16:31:08 2019 +From: Jens Axboe +Date: Wed, 4 Dec 2019 08:53:43 -0700 +Subject: io_uring: ensure req->submit is copied when req is deferred +To: stable@vger.kernel.org +Message-ID: + +From: Jens Axboe + +There's an issue with deferred requests through drain, where if we do +need to defer, we're not copying over the sqe_submit state correctly. +This can result in using uninitialized data when we then later go and +submit the deferred request, like this check in __io_submit_sqe(): + + if (unlikely(s->index >= ctx->sq_entries)) + return -EINVAL; + +with 's' being uninitialized, we can randomly fail this check. Fix this +by copying sqe_submit state when we defer a request. + +Because it was fixed as part of a cleanup series in mainline, before +anyone realized we had this issue. That removed the separate states +of ->index vs ->submit.sqe. That series is not something I was +comfortable putting into stable, hence the much simpler addition. +Here's the patch in the series that fixes the same issue: + +commit cf6fd4bd559ee61a4454b161863c8de6f30f8dca +Author: Pavel Begunkov +Date: Mon Nov 25 23:14:39 2019 +0300 + + io_uring: inline struct sqe_submit + +Reported-by: Andres Freund +Reported-by: Tomáš Chaloupka +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + fs/io_uring.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -2039,7 +2039,7 @@ add: + } + + static int io_req_defer(struct io_ring_ctx *ctx, struct io_kiocb *req, +- const struct io_uring_sqe *sqe) ++ struct sqe_submit *s) + { + struct io_uring_sqe *sqe_copy; + +@@ -2057,7 +2057,8 @@ static int io_req_defer(struct io_ring_c + return 0; + } + +- memcpy(sqe_copy, sqe, sizeof(*sqe_copy)); ++ memcpy(&req->submit, s, sizeof(*s)); ++ memcpy(sqe_copy, s->sqe, sizeof(*sqe_copy)); + req->submit.sqe = sqe_copy; + + INIT_WORK(&req->work, io_sq_wq_submit_work); +@@ -2425,7 +2426,7 @@ static int 
io_queue_sqe(struct io_ring_c + { + int ret; + +- ret = io_req_defer(ctx, req, s->sqe); ++ ret = io_req_defer(ctx, req, s); + if (ret) { + if (ret != -EIOCBQUEUED) { + io_free_req(req); +@@ -2452,7 +2453,7 @@ static int io_queue_link_head(struct io_ + * list. + */ + req->flags |= REQ_F_IO_DRAIN; +- ret = io_req_defer(ctx, req, s->sqe); ++ ret = io_req_defer(ctx, req, s); + if (ret) { + if (ret != -EIOCBQUEUED) { + io_free_req(req); diff --git a/queue-5.4/io_uring-fix-missing-kmap-declaration-on-powerpc.patch b/queue-5.4/io_uring-fix-missing-kmap-declaration-on-powerpc.patch new file mode 100644 index 00000000000..8feb3cd445f --- /dev/null +++ b/queue-5.4/io_uring-fix-missing-kmap-declaration-on-powerpc.patch 
@@ -0,0 +1,53 @@ +From aa4c3967756c6c576a38a23ac511be211462a6b7 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Fri, 29 Nov 2019 10:14:00 -0700 +Subject: io_uring: fix missing kmap() declaration on powerpc +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jens Axboe + +commit aa4c3967756c6c576a38a23ac511be211462a6b7 upstream. + +Christophe reports that current master fails building on powerpc with +this error: + + CC fs/io_uring.o +fs/io_uring.c: In function ‘loop_rw_iter’: +fs/io_uring.c:1628:21: error: implicit declaration of function ‘kmap’ +[-Werror=implicit-function-declaration] + iovec.iov_base = kmap(iter->bvec->bv_page) + ^ +fs/io_uring.c:1628:19: warning: assignment makes pointer from integer +without a cast [-Wint-conversion] + iovec.iov_base = kmap(iter->bvec->bv_page) + ^ +fs/io_uring.c:1643:4: error: implicit declaration of function ‘kunmap’ +[-Werror=implicit-function-declaration] + kunmap(iter->bvec->bv_page); + ^ + +which is caused by a missing highmem.h include. Fix it by including +it. + +Fixes: 311ae9e159d8 ("io_uring: fix dead-hung for non-iter fixed rw") +Reported-by: Christophe Leroy +Tested-by: Christophe Leroy +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + fs/io_uring.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -70,6 +70,7 @@ + #include + #include + #include ++#include + + #include + diff --git a/queue-5.4/series b/queue-5.4/series index 217d77483fa..062b8a7c069 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -23,3 +23,5 @@ fuse-fix-leak-of-fuse_io_priv.patch fuse-verify-nlink.patch fuse-verify-write-return.patch fuse-verify-attributes.patch +io_uring-fix-missing-kmap-declaration-on-powerpc.patch +io_uring-ensure-req-submit-is-copied-when-req-is-deferred.patch
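Review bot: In the io_req_defer() signature hunk of the first patch (@@ -2039), the new parameter `struct sqe_submit *s` drops the const qualifier that the old `const struct io_uring_sqe *sqe` parameter carried, although the visible body only reads through `s`. Declaring it `const struct sqe_submit *s` would keep the read-only contract visible to both callers changed later in the patch.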
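Review bot: In the @@ -2057 hunk of io_req_defer(), `memcpy(&req->submit, s, sizeof(*s));` is only well defined if `s` never points at `req->submit` itself, and the visible call sites (`io_req_defer(ctx, req, s)` in io_queue_sqe() and io_queue_link_head()) do not show where `s` comes from. memcpy with overlapping source and destination is undefined, so a struct assignment `req->submit = *s;` would be type-checked and remain valid when the two alias exactly. A one-line comment would also help here, noting that the first copy leaves `req->submit.sqe` pointing at the caller's sqe until `req->submit.sqe = sqe_copy;` repoints it.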