From: Greg Kroah-Hartman
Date: Wed, 19 Feb 2025 06:03:54 +0000 (+0100)
Subject: 6.6-stable patches
X-Git-Tag: v6.1.129~20
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ec7f394cc4a3d6f13c9c1761c836a11e8fb89ec6;p=thirdparty%2Fkernel%2Fstable-queue.git

6.6-stable patches

added patches:
io_uring-kbuf-reallocate-buf-lists-on-upgrade.patch
---
diff --git a/queue-6.6/io_uring-kbuf-reallocate-buf-lists-on-upgrade.patch b/queue-6.6/io_uring-kbuf-reallocate-buf-lists-on-upgrade.patch
new file mode 100644
index 0000000000..6266480ea5
--- /dev/null
+++ b/queue-6.6/io_uring-kbuf-reallocate-buf-lists-on-upgrade.patch
@@ -0,0 +1,57 @@
+From 8802766324e1f5d414a81ac43365c20142e85603 Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov
+Date: Wed, 12 Feb 2025 13:46:46 +0000
+Subject: io_uring/kbuf: reallocate buf lists on upgrade
+
+From: Pavel Begunkov
+
+commit 8802766324e1f5d414a81ac43365c20142e85603 upstream.
+
+IORING_REGISTER_PBUF_RING can reuse an old struct io_buffer_list if it
+was created for legacy selected buffer and has been emptied. It violates
+the requirement that most of the field should stay stable after publish.
+Always reallocate it instead.
+
+Cc: stable@vger.kernel.org
+Reported-by: Pumpkin Chang
+Fixes: 2fcabce2d7d34 ("io_uring: disallow mixed provided buffer group registrations")
+Signed-off-by: Pavel Begunkov
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ io_uring/kbuf.c | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+--- a/io_uring/kbuf.c
++++ b/io_uring/kbuf.c
+@@ -301,6 +301,12 @@ void io_destroy_buffers(struct io_ring_c
+ }
+ }
+ 
++static void io_destroy_bl(struct io_ring_ctx *ctx, struct io_buffer_list *bl)
++{
++ xa_erase(&ctx->io_bl_xa, bl->bgid);
++ io_put_bl(ctx, bl);
++}
++
+ int io_remove_buffers_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
+ {
+ struct io_provide_buf *p = io_kiocb_to_cmd(req, struct io_provide_buf);
+@@ -642,12 +648,13 @@ int io_register_pbuf_ring(struct io_ring
+ /* if mapped buffer ring OR classic exists, don't allow */
+ if (bl->is_mapped || !list_empty(&bl->buf_list))
+ return -EEXIST;
+- } else {
+- free_bl = bl = kzalloc(sizeof(*bl), GFP_KERNEL);
+- if (!bl)
+- return -ENOMEM;
++ io_destroy_bl(ctx, bl);
+ }
+ 
++ free_bl = bl = kzalloc(sizeof(*bl), GFP_KERNEL);
++ if (!bl)
++ return -ENOMEM;
++
+ if (!(reg.flags & IOU_PBUF_RING_MMAP))
+ ret = io_pin_pbuf_ring(®, bl);
+ else
diff --git a/queue-6.6/series b/queue-6.6/series
index b15e3570e5..8cff11b7a5 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
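Review bot: In the second kbuf.c hunk, `io_destroy_bl(ctx, bl)` runs before the `kzalloc` that can fail, so a registration that returns -ENOMEM has already erased the caller's existing (empty, unmapped) legacy buffer group from `io_bl_xa` — the failure path is no longer side-effect free, which differs from the replaced code where -ENOMEM left nothing changed. If that matters for stable, allocate the replacement first and call `io_destroy_bl()` on the old list only after the allocation succeeded, keeping the `free_bl` error handling as is. Independently, the new `io_destroy_bl()` helper in the first hunk has no comment on its precondition; `/* Unpublish bl from the xarray and drop the registration's reference; caller has verified bl is empty and not mapped */` would make the contract explicit. Whether in-flight requests can still hold a reference to the old list after `xa_erase` depends on `io_put_bl()`'s refcounting, which is not visible here. `io_register_pbuf_ring` begins and ends outside the hunk.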
@@ -145,3 +145,4 @@ arm64-filter-out-sve-hwcaps-when-feat_sve-isn-t-implemented.patch
 mm-gup-fix-infinite-loop-within-__get_longterm_locked.patch
 alpha-replace-hardcoded-stack-offsets-with-autogenerated-ones.patch
 hid-hid-steam-don-t-use-cancel_delayed_work_sync-in-irq-context.patch
+io_uring-kbuf-reallocate-buf-lists-on-upgrade.patch