From: Greg Kroah-Hartman Date: Mon, 4 Mar 2024 07:37:44 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.19.309~73 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2d302195dc3f0672a7535711bf0b03b42d93b2b2;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: fs-aio-make-io_cancel-generate-completions-again.patch --- diff --git a/queue-4.19/fs-aio-make-io_cancel-generate-completions-again.patch b/queue-4.19/fs-aio-make-io_cancel-generate-completions-again.patch new file mode 100644 index 00000000000..276018748fc --- /dev/null +++ b/queue-4.19/fs-aio-make-io_cancel-generate-completions-again.patch 
@@ -0,0 +1,85 @@ +From 54cbc058d86beca3515c994039b5c0f0a34f53dd Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Thu, 15 Feb 2024 12:47:39 -0800 +Subject: fs/aio: Make io_cancel() generate completions again + +From: Bart Van Assche + +commit 54cbc058d86beca3515c994039b5c0f0a34f53dd upstream. + +The following patch accidentally removed the code for delivering +completions for cancelled reads and writes to user space: "[PATCH 04/33] +aio: remove retry-based AIO" +(https://lore.kernel.org/all/1363883754-27966-5-git-send-email-koverstreet@google.com/) +>From that patch: + +- if (kiocbIsCancelled(iocb)) { +- ret = -EINTR; +- aio_complete(iocb, ret, 0); +- /* must not access the iocb after this */ +- goto out; +- } + +This leads to a leak in user space of a struct iocb. Hence this patch +that restores the code that reports to user space that a read or write +has been cancelled successfully. + +Fixes: 41003a7bcfed ("aio: remove retry-based AIO") +Cc: Christoph Hellwig +Cc: Avi Kivity +Cc: Sandeep Dhavale +Cc: Jens Axboe +Cc: Greg Kroah-Hartman +Cc: Kent Overstreet +Cc: stable@vger.kernel.org +Signed-off-by: Bart Van Assche +Link: https://lore.kernel.org/r/20240215204739.2677806-3-bvanassche@acm.org +Signed-off-by: Christian Brauner +Signed-off-by: Greg Kroah-Hartman +--- + fs/aio.c | 27 +++++++++++---------------- + 1 file changed, 11 insertions(+), 16 deletions(-) + +--- a/fs/aio.c ++++ b/fs/aio.c +@@ -2131,14 +2131,11 @@ COMPAT_SYSCALL_DEFINE3(io_submit, compat + #endif + + /* sys_io_cancel: +- * Attempts to cancel an iocb previously passed to io_submit. If +- * the operation is successfully cancelled, the resulting event is +- * copied into the memory pointed to by result without being placed +- * into the completion queue and 0 is returned. May fail with +- * -EFAULT if any of the data structures pointed to are invalid. +- * May fail with -EINVAL if aio_context specified by ctx_id is +- * invalid. 
May fail with -EAGAIN if the iocb specified was not +- * cancelled. Will fail with -ENOSYS if not implemented. ++ * Attempts to cancel an iocb previously passed to io_submit(). If the ++ * operation is successfully cancelled 0 is returned. May fail with ++ * -EFAULT if any of the data structures pointed to are invalid. May ++ * fail with -EINVAL if aio_context specified by ctx_id is invalid. Will ++ * fail with -ENOSYS if not implemented. + */ + SYSCALL_DEFINE3(io_cancel, aio_context_t, ctx_id, struct iocb __user *, iocb, + struct io_event __user *, result) +@@ -2169,14 +2166,12 @@ SYSCALL_DEFINE3(io_cancel, aio_context_t + } + spin_unlock_irq(&ctx->ctx_lock); + +- if (!ret) { +- /* +- * The result argument is no longer used - the io_event is +- * always delivered via the ring buffer. -EINPROGRESS indicates +- * cancellation is progress: +- */ +- ret = -EINPROGRESS; +- } ++ /* ++ * The result argument is no longer used - the io_event is always ++ * delivered via the ring buffer. ++ */ ++ if (ret == 0 && kiocb->rw.ki_flags & IOCB_AIO_RW) ++ aio_complete_rw(&kiocb->rw, -EINTR); + + percpu_ref_put(&ctx->users); + diff --git a/queue-4.19/series b/queue-4.19/series index 2bf5f766a01..fb40a88d3b2 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -12,3 +12,4 @@ gtp-fix-use-after-free-and-null-ptr-deref-in-gtp_newlink.patch wifi-nl80211-reject-iftype-change-with-mesh-id-change.patch btrfs-dev-replace-properly-validate-device-names.patch mmc-core-fix-emmc-initialization-with-1-bit-bus-connection.patch +fs-aio-make-io_cancel-generate-completions-again.patch
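Review bot: In the sys_io_cancel comment hunk of fs/aio.c, the rewritten text drops both the -EAGAIN sentence and the description of the result argument, but never says how a cancelled request is now reported to user space. The comment added further down states that the io_event is always delivered via the ring buffer, and the new call passes -EINTR, so the syscall comment should say that a successful cancel returns 0, that the completion then shows up in the completion ring with -EINTR, and that result is ignored. If a path outside this hunk can still return -EAGAIN, keep that sentence.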
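Review bot: In the io_cancel hunk at @@ -2169, the new test "if (ret == 0 && kiocb->rw.ki_flags & IOCB_AIO_RW)" dereferences kiocb after spin_unlock_irq(&ctx->ctx_lock), and nothing in the visible context shows what keeps the kiocb alive at that point. Please confirm a reference is held across the unlock, or move the flag test and the aio_complete_rw() call to a place where the lifetime is guaranteed, because a concurrent completion that frees the request would turn this into a use-after-free. The test also reads the rw member before establishing that the request is a read or write; if rw shares storage with other request types, check the request type first. Parenthesising (kiocb->rw.ki_flags & IOCB_AIO_RW) would make the precedence explicit. Separately, dropping the -EINPROGRESS assignment changes the success return seen by user space to 0, which deserves a line in the changelog for a stable backport.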