From: Greg Kroah-Hartman
Date: Mon, 29 Apr 2019 14:35:59 +0000 (+0200)
Subject: drop some pending patches that are now in "real" trees.
X-Git-Tag: v4.9.172~15
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4f2b823c24857968db260d8b2f3677b0b8e76ea7;p=thirdparty%2Fkernel%2Fstable-queue.git
drop some pending patches that are now in "real" trees.
---
diff --git a/pending/aio-simplify-and-fix-fget-fput-for-io_submit.patch b/pending/aio-simplify-and-fix-fget-fput-for-io_submit.patch
deleted file mode 100644
index 6af0ba99aad..00000000000
--- a/pending/aio-simplify-and-fix-fget-fput-for-io_submit.patch
+++ /dev/null
@@ -1,301 +0,0 @@ -From 84c4e1f89fefe70554da0ab33be72c9be7994379 Mon Sep 17 00:00:00 2001 -From: Linus Torvalds -Date: Sun, 3 Mar 2019 14:23:33 -0800 -Subject: aio: simplify - and fix - fget/fput for io_submit() - -From: Linus Torvalds - -commit 84c4e1f89fefe70554da0ab33be72c9be7994379 upstream. - -Al Viro root-caused a race where the IOCB_CMD_POLL handling of -fget/fput() could cause us to access the file pointer after it had -already been freed: - - "In more details - normally IOCB_CMD_POLL handling looks so: - - 1) io_submit(2) allocates aio_kiocb instance and passes it to - aio_poll() - - 2) aio_poll() resolves the descriptor to struct file by req->file = - fget(iocb->aio_fildes) - - 3) aio_poll() sets ->woken to false and raises ->ki_refcnt of that - aio_kiocb to 2 (bumps by 1, that is). - - 4) aio_poll() calls vfs_poll(). After sanity checks (basically, - "poll_wait() had been called and only once") it locks the queue. - That's what the extra reference to iocb had been for - we know we - can safely access it. - - 5) With queue locked, we check if ->woken has already been set to - true (by aio_poll_wake()) and, if it had been, we unlock the - queue, drop a reference to aio_kiocb and bugger off - at that - point it's a responsibility to aio_poll_wake() and the stuff - called/scheduled by it. That code will drop the reference to file - in req->file, along with the other reference to our aio_kiocb. - - 6) otherwise, we see whether we need to wait. If we do, we unlock the - queue, drop one reference to aio_kiocb and go away - eventual - wakeup (or cancel) will deal with the reference to file and with - the other reference to aio_kiocb - - 7) otherwise we remove ourselves from waitqueue (still under the - queue lock), so that wakeup won't get us. No async activity will - be happening, so we can safely drop req->file and iocb ourselves. 
- - If wakeup happens while we are in vfs_poll(), we are fine - aio_kiocb - won't get freed under us, so we can do all the checks and locking - safely. And we don't touch ->file if we detect that case. - - However, vfs_poll() most certainly *does* touch the file it had been - given. So wakeup coming while we are still in ->poll() might end up - doing fput() on that file. That case is not too rare, and usually we - are saved by the still present reference from descriptor table - that - fput() is not the final one. - - But if another thread closes that descriptor right after our fget() - and wakeup does happen before ->poll() returns, we are in trouble - - final fput() done while we are in the middle of a method: - -Al also wrote a patch to take an extra reference to the file descriptor -to fix this, but I instead suggested we just streamline the whole file -pointer handling by submit_io() so that the generic aio submission code -simply keeps the file pointer around until the aio has completed. - -Fixes: bfe4037e722e ("aio: implement IOCB_CMD_POLL") -Acked-by: Al Viro -Reported-by: syzbot+503d4cc169fcec1cb18c@syzkaller.appspotmail.com -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman - ---- - fs/aio.c | 67 +++++++++++++++++++++-------------------------------- - include/linux/fs.h | 8 +++++- - 2 files changed, 34 insertions(+), 41 deletions(-) - ---- a/fs/aio.c -+++ b/fs/aio.c -@@ -161,9 +161,13 @@ struct kioctx { - unsigned id; - }; - -+/* -+ * First field must be the file pointer in all the -+ * iocb unions! See also 'struct kiocb' in -+ */ - struct fsync_iocb { -- struct work_struct work; - struct file *file; -+ struct work_struct work; - bool datasync; - }; - -@@ -177,8 +181,15 @@ struct poll_iocb { - struct work_struct work; - }; - -+/* -+ * NOTE! Each of the iocb union members has the file pointer -+ * as the first entry in their struct definition. 
So you can -+ * access the file pointer through any of the sub-structs, -+ * or directly as just 'ki_filp' in this struct. -+ */ - struct aio_kiocb { - union { -+ struct file *ki_filp; - struct kiocb rw; - struct fsync_iocb fsync; - struct poll_iocb poll; -@@ -1054,6 +1065,8 @@ static inline void iocb_put(struct aio_k - { - if (refcount_read(&iocb->ki_refcnt) == 0 || - refcount_dec_and_test(&iocb->ki_refcnt)) { -+ if (iocb->ki_filp) -+ fput(iocb->ki_filp); - percpu_ref_put(&iocb->ki_ctx->reqs); - kmem_cache_free(kiocb_cachep, iocb); - } -@@ -1412,7 +1425,6 @@ static void aio_complete_rw(struct kiocb - file_end_write(kiocb->ki_filp); - } - -- fput(kiocb->ki_filp); - aio_complete(iocb, res, res2); - } - -@@ -1420,9 +1432,6 @@ static int aio_prep_rw(struct kiocb *req - { - int ret; - -- req->ki_filp = fget(iocb->aio_fildes); -- if (unlikely(!req->ki_filp)) -- return -EBADF; - req->ki_complete = aio_complete_rw; - req->ki_pos = iocb->aio_offset; - req->ki_flags = iocb_flags(req->ki_filp); -@@ -1438,7 +1447,6 @@ static int aio_prep_rw(struct kiocb *req - ret = ioprio_check_cap(iocb->aio_reqprio); - if (ret) { - pr_debug("aio ioprio check cap error: %d\n", ret); -- fput(req->ki_filp); - return ret; - } - -@@ -1447,8 +1455,6 @@ static int aio_prep_rw(struct kiocb *req - req->ki_ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_NONE, 0); - - ret = kiocb_set_rw_flags(req, iocb->aio_rw_flags); -- if (unlikely(ret)) -- fput(req->ki_filp); - return ret; - } - -@@ -1503,24 +1509,19 @@ static ssize_t aio_read(struct kiocb *re - if (ret) - return ret; - file = req->ki_filp; -- -- ret = -EBADF; - if (unlikely(!(file->f_mode & FMODE_READ))) -- goto out_fput; -+ return -EBADF; - ret = -EINVAL; - if (unlikely(!file->f_op->read_iter)) -- goto out_fput; -+ return -EINVAL; - - ret = aio_setup_rw(READ, iocb, &iovec, vectored, compat, &iter); - if (ret) -- goto out_fput; -+ return ret; - ret = rw_verify_area(READ, file, &req->ki_pos, iov_iter_count(&iter)); - if (!ret) - aio_rw_done(req, 
call_read_iter(file, req, &iter)); - kfree(iovec); --out_fput: -- if (unlikely(ret)) -- fput(file); - return ret; - } - -@@ -1537,16 +1538,14 @@ static ssize_t aio_write(struct kiocb *r - return ret; - file = req->ki_filp; - -- ret = -EBADF; - if (unlikely(!(file->f_mode & FMODE_WRITE))) -- goto out_fput; -- ret = -EINVAL; -+ return -EBADF; - if (unlikely(!file->f_op->write_iter)) -- goto out_fput; -+ return -EINVAL; - - ret = aio_setup_rw(WRITE, iocb, &iovec, vectored, compat, &iter); - if (ret) -- goto out_fput; -+ return ret; - ret = rw_verify_area(WRITE, file, &req->ki_pos, iov_iter_count(&iter)); - if (!ret) { - /* -@@ -1564,9 +1563,6 @@ static ssize_t aio_write(struct kiocb *r - aio_rw_done(req, call_write_iter(file, req, &iter)); - } - kfree(iovec); --out_fput: -- if (unlikely(ret)) -- fput(file); - return ret; - } - -@@ -1576,7 +1572,6 @@ static void aio_fsync_work(struct work_s - int ret; - - ret = vfs_fsync(req->file, req->datasync); -- fput(req->file); - aio_complete(container_of(req, struct aio_kiocb, fsync), ret, 0); - } - -@@ -1586,13 +1581,8 @@ static int aio_fsync(struct fsync_iocb * - iocb->aio_rw_flags)) - return -EINVAL; - -- req->file = fget(iocb->aio_fildes); -- if (unlikely(!req->file)) -- return -EBADF; -- if (unlikely(!req->file->f_op->fsync)) { -- fput(req->file); -+ if (unlikely(!req->file->f_op->fsync)) - return -EINVAL; -- } - - req->datasync = datasync; - INIT_WORK(&req->work, aio_fsync_work); -@@ -1602,10 +1592,7 @@ static int aio_fsync(struct fsync_iocb * - - static inline void aio_poll_complete(struct aio_kiocb *iocb, __poll_t mask) - { -- struct file *file = iocb->poll.file; -- - aio_complete(iocb, mangle_poll(mask), 0); -- fput(file); - } - - static void aio_poll_complete_work(struct work_struct *work) -@@ -1730,9 +1717,6 @@ static ssize_t aio_poll(struct aio_kiocb - - INIT_WORK(&req->work, aio_poll_complete_work); - req->events = demangle_poll(iocb->aio_buf) | EPOLLERR | EPOLLHUP; -- req->file = fget(iocb->aio_fildes); -- if 
(unlikely(!req->file)) -- return -EBADF; - - apt.pt._qproc = aio_poll_queue_proc; - apt.pt._key = req->events; -@@ -1771,10 +1755,8 @@ static ssize_t aio_poll(struct aio_kiocb - spin_unlock_irq(&ctx->ctx_lock); - - out: -- if (unlikely(apt.error)) { -- fput(req->file); -+ if (unlikely(apt.error)) - return apt.error; -- } - - if (mask) - aio_poll_complete(aiocb, mask); -@@ -1812,6 +1794,11 @@ static int io_submit_one(struct kioctx * - if (unlikely(!req)) - return -EAGAIN; - -+ req->ki_filp = fget(iocb->aio_fildes); -+ ret = -EBADF; -+ if (unlikely(!req->ki_filp)) -+ goto out_put_req; -+ - if (iocb.aio_flags & IOCB_FLAG_RESFD) { - /* - * If the IOCB_FLAG_RESFD flag of aio_flags is set, get an ---- a/include/linux/fs.h -+++ b/include/linux/fs.h -@@ -304,13 +304,19 @@ enum rw_hint { - - struct kiocb { - struct file *ki_filp; -+ -+ /* The 'ki_filp' pointer is shared in a union for aio */ -+ randomized_struct_fields_start -+ - loff_t ki_pos; - void (*ki_complete)(struct kiocb *iocb, long ret, long ret2); - void *private; - int ki_flags; - u16 ki_hint; - u16 ki_ioprio; /* See linux/ioprio.h */ --} __randomize_layout; -+ -+ randomized_struct_fields_end -+}; - - static inline bool is_sync_kiocb(struct kiocb *kiocb) - { diff --git a/pending/x86-fpu-don-t-export-__kernel_fpu_-begin-end.patch b/pending/x86-fpu-don-t-export-__kernel_fpu_-begin-end.patch deleted file mode 100644 index f83eb18bb2a..00000000000 --- a/pending/x86-fpu-don-t-export-__kernel_fpu_-begin-end.patch +++ /dev/null 
@@ -1,130 +0,0 @@ -From 12209993e98c5fa1855c467f22a24e3d5b8be205 Mon Sep 17 00:00:00 2001 -From: Sebastian Andrzej Siewior -Date: Thu, 29 Nov 2018 16:02:10 +0100 -Subject: x86/fpu: Don't export __kernel_fpu_{begin,end}() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Sebastian Andrzej Siewior - -commit 12209993e98c5fa1855c467f22a24e3d5b8be205 upstream. - -There is one user of __kernel_fpu_begin() and before invoking it, -it invokes preempt_disable(). So it could invoke kernel_fpu_begin() -right away. The 32bit version of arch_efi_call_virt_setup() and -arch_efi_call_virt_teardown() does this already. - -The comment above *kernel_fpu*() claims that before invoking -__kernel_fpu_begin() preemption should be disabled and that KVM is a -good example of doing it. Well, KVM doesn't do that since commit - - f775b13eedee2 ("x86,kvm: move qemu/guest FPU switching out to vcpu_run") - -so it is not an example anymore. - -With EFI gone as the last user of __kernel_fpu_{begin|end}(), both can -be made static and not exported anymore. - -Signed-off-by: Sebastian Andrzej Siewior -Signed-off-by: Borislav Petkov -Reviewed-by: Rik van Riel -Cc: "H. Peter Anvin" -Cc: "Jason A. 
Donenfeld" -Cc: Andy Lutomirski -Cc: Ard Biesheuvel -Cc: Dave Hansen -Cc: Ingo Molnar -Cc: Nicolai Stange -Cc: Paolo Bonzini -Cc: Radim Krčmář -Cc: Thomas Gleixner -Cc: kvm ML -Cc: linux-efi -Cc: x86-ml -Link: https://lkml.kernel.org/r/20181129150210.2k4mawt37ow6c2vq@linutronix.de -Signed-off-by: Greg Kroah-Hartman - -diff --git a/arch/x86/include/asm/efi.h b/arch/x86/include/asm/efi.h -index eea40d52ca78..45864898f7e5 100644 ---- a/arch/x86/include/asm/efi.h -+++ b/arch/x86/include/asm/efi.h -@@ -82,8 +82,7 @@ struct efi_scratch { - #define arch_efi_call_virt_setup() \ - ({ \ - efi_sync_low_kernel_mappings(); \ -- preempt_disable(); \ -- __kernel_fpu_begin(); \ -+ kernel_fpu_begin(); \ - firmware_restrict_branch_speculation_start(); \ - \ - if (!efi_enabled(EFI_OLD_MEMMAP)) \ -@@ -99,8 +98,7 @@ struct efi_scratch { - efi_switch_mm(efi_scratch.prev_mm); \ - \ - firmware_restrict_branch_speculation_end(); \ -- __kernel_fpu_end(); \ -- preempt_enable(); \ -+ kernel_fpu_end(); \ - }) - - extern void __iomem *__init efi_ioremap(unsigned long addr, unsigned long size, -diff --git a/arch/x86/include/asm/fpu/api.h b/arch/x86/include/asm/fpu/api.h -index a9caac9d4a72..b56d504af654 100644 ---- a/arch/x86/include/asm/fpu/api.h -+++ b/arch/x86/include/asm/fpu/api.h -@@ -12,17 +12,12 @@ - #define _ASM_X86_FPU_API_H - - /* -- * Careful: __kernel_fpu_begin/end() must be called with preempt disabled -- * and they don't touch the preempt state on their own. -- * If you enable preemption after __kernel_fpu_begin(), preempt notifier -- * should call the __kernel_fpu_end() to prevent the kernel/user FPU -- * state from getting corrupted. KVM for example uses this model. -- * -- * All other cases use kernel_fpu_begin/end() which disable preemption -- * during kernel FPU usage. -+ * Use kernel_fpu_begin/end() if you intend to use FPU in kernel context. It -+ * disables preemption so be careful if you intend to use it for long periods -+ * of time. 
-+ * If you intend to use the FPU in softirq you need to check first with -+ * irq_fpu_usable() if it is possible. - */ --extern void __kernel_fpu_begin(void); --extern void __kernel_fpu_end(void); - extern void kernel_fpu_begin(void); - extern void kernel_fpu_end(void); - extern bool irq_fpu_usable(void); -diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c -index 2ea85b32421a..2e5003fef51a 100644 ---- a/arch/x86/kernel/fpu/core.c -+++ b/arch/x86/kernel/fpu/core.c -@@ -93,7 +93,7 @@ bool irq_fpu_usable(void) - } - EXPORT_SYMBOL(irq_fpu_usable); - --void __kernel_fpu_begin(void) -+static void __kernel_fpu_begin(void) - { - struct fpu *fpu = ¤t->thread.fpu; - -@@ -111,9 +111,8 @@ void __kernel_fpu_begin(void) - __cpu_invalidate_fpregs_state(); - } - } --EXPORT_SYMBOL(__kernel_fpu_begin); - --void __kernel_fpu_end(void) -+static void __kernel_fpu_end(void) - { - struct fpu *fpu = ¤t->thread.fpu; - -@@ -122,7 +121,6 @@ void __kernel_fpu_end(void) - - kernel_fpu_enable(); - } --EXPORT_SYMBOL(__kernel_fpu_end); - - void kernel_fpu_begin(void) - {