From: Greg Kroah-Hartman Date: Mon, 4 Jan 2021 14:34:25 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v4.19.165~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6b56029d0a423fb5348372333ae50b384777107f;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: io_uring-use-bottom-half-safe-lock-for-fixed-file-data.patch --- diff --git a/queue-5.10/io_uring-add-a-helper-for-setting-a-ref-node.patch b/queue-5.10/io_uring-add-a-helper-for-setting-a-ref-node.patch index a49160c9cda..8b11cd66348 100644 --- a/queue-5.10/io_uring-add-a-helper-for-setting-a-ref-node.patch +++ b/queue-5.10/io_uring-add-a-helper-for-setting-a-ref-node.patch @@ -28,10 +28,10 @@ Signed-off-by: Greg Kroah-Hartman +static void io_sqe_files_set_node(struct fixed_file_data *file_data, + struct fixed_file_ref_node *ref_node) +{ -+ spin_lock(&file_data->lock); ++ spin_lock_bh(&file_data->lock); + file_data->node = ref_node; + list_add_tail(&ref_node->node, &file_data->ref_list); -+ spin_unlock(&file_data->lock); ++ spin_unlock_bh(&file_data->lock); + percpu_ref_get(&file_data->refs); +} + @@ -43,9 +43,9 @@ Signed-off-by: Greg Kroah-Hartman } - file_data->node = ref_node; -- spin_lock(&file_data->lock); +- spin_lock_bh(&file_data->lock); - list_add_tail(&ref_node->node, &file_data->ref_list); -- spin_unlock(&file_data->lock); +- spin_unlock_bh(&file_data->lock); - percpu_ref_get(&file_data->refs); + io_sqe_files_set_node(file_data, ref_node); return ret; @@ -55,10 +55,10 @@ Signed-off-by: Greg Kroah-Hartman if (needs_switch) { percpu_ref_kill(&data->node->refs); -- spin_lock(&data->lock); +- spin_lock_bh(&data->lock); - list_add_tail(&ref_node->node, &data->ref_list); - data->node = ref_node; -- spin_unlock(&data->lock); +- spin_unlock_bh(&data->lock); - percpu_ref_get(&ctx->file_data->refs); + io_sqe_files_set_node(data, ref_node); } else diff --git a/queue-5.10/io_uring-fix-io_sqe_files_unregister-hangs.patch b/queue-5.10/io_uring-fix-io_sqe_files_unregister-hangs.patch index 33d6660ddeb..5ffa4859d53 100644 --- a/queue-5.10/io_uring-fix-io_sqe_files_unregister-hangs.patch +++ b/queue-5.10/io_uring-fix-io_sqe_files_unregister-hangs.patch @@ -49,7 +49,7 @@ Signed-off-by: Greg Kroah-Hartman + if (!backup_node) + return -ENOMEM; - spin_lock(&data->lock); + spin_lock_bh(&data->lock); ref_node = data->node; @@ -7020,7 +7028,18 @@ static int io_sqe_files_unregister(struc diff --git a/queue-5.10/io_uring-use-bottom-half-safe-lock-for-fixed-file-data.patch b/queue-5.10/io_uring-use-bottom-half-safe-lock-for-fixed-file-data.patch new file mode 100644 index 00000000000..f6287d8cf34 --- /dev/null +++ b/queue-5.10/io_uring-use-bottom-half-safe-lock-for-fixed-file-data.patch @@ -0,0 +1,78 @@ +From ac0648a56c1ff66c1cbf735075ad33a26cbc50de Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Mon, 23 Nov 2020 09:37:51 -0700 +Subject: io_uring: use bottom half safe lock for fixed file data + +From: Jens Axboe + +commit ac0648a56c1ff66c1cbf735075ad33a26cbc50de upstream. + +io_file_data_ref_zero() can be invoked from soft-irq from the RCU core, +hence we need to ensure that the file_data lock is bottom half safe. Use +the _bh() variants when grabbing this lock. + +Reported-by: syzbot+1f4ba1e5520762c523c6@syzkaller.appspotmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + fs/io_uring.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -7000,9 +7000,9 @@ static int io_sqe_files_unregister(struc + if (!data) + return -ENXIO; + +- spin_lock(&data->lock); ++ spin_lock_bh(&data->lock); + ref_node = data->node; +- spin_unlock(&data->lock); ++ spin_unlock_bh(&data->lock); + if (ref_node) + percpu_ref_kill(&ref_node->refs); + +@@ -7385,7 +7385,7 @@ static void io_file_data_ref_zero(struct + data = ref_node->file_data; + ctx = data->ctx; + +- spin_lock(&data->lock); ++ spin_lock_bh(&data->lock); + ref_node->done = true; + + while (!list_empty(&data->ref_list)) { +@@ -7397,7 +7397,7 @@ static void io_file_data_ref_zero(struct + list_del(&ref_node->node); + first_add |= llist_add(&ref_node->llist, &ctx->file_put_llist); + } +- spin_unlock(&data->lock); ++ spin_unlock_bh(&data->lock); + + if (percpu_ref_is_dying(&data->refs)) + delay = 0; +@@ -7520,9 +7520,9 @@ static int io_sqe_files_register(struct + } + + file_data->node = ref_node; +- spin_lock(&file_data->lock); ++ spin_lock_bh(&file_data->lock); + list_add_tail(&ref_node->node, &file_data->ref_list); +- spin_unlock(&file_data->lock); ++ spin_unlock_bh(&file_data->lock); + percpu_ref_get(&file_data->refs); + return ret; + out_fput: +@@ -7679,10 +7679,10 @@ static int __io_sqe_files_update(struct + + if (needs_switch) { + percpu_ref_kill(&data->node->refs); +- spin_lock(&data->lock); ++ spin_lock_bh(&data->lock); + list_add_tail(&ref_node->node, &data->ref_list); + data->node = ref_node; +- spin_unlock(&data->lock); ++ spin_unlock_bh(&data->lock); + percpu_ref_get(&ctx->file_data->refs); + } else + destroy_fixed_file_ref_node(ref_node); diff --git a/queue-5.10/series b/queue-5.10/series index 5bd7881658e..79a86712013 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -15,6 +15,7 @@ mm-hugetlb-fix-deadlock-in-hugetlb_cow-error-path.patch mm-memmap-defer-init-doesn-t-work-as-expected.patch lib-zlib-fix-inflating-zlib-streams-on-s390.patch io_uring-don-t-assume-mm-is-constant-across-submits.patch +io_uring-use-bottom-half-safe-lock-for-fixed-file-data.patch io_uring-add-a-helper-for-setting-a-ref-node.patch io_uring-fix-io_sqe_files_unregister-hangs.patch kernel-io_uring-cancel-io_uring-before-task-works.patch