From 1e8e5cf323d9798da47520f8e52f92fbe0a7ca5a Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 30 Jan 2025 15:40:51 +0100 Subject: [PATCH] 6.12-stable patches added patches: io_uring-rsrc-require-cloned-buffers-to-share-accounting-contexts.patch --- ...buffers-to-share-accounting-contexts.patch | 44 +++++++++++++++++++ queue-6.12/series | 1 + 2 files changed, 45 insertions(+) create mode 100644 queue-6.12/io_uring-rsrc-require-cloned-buffers-to-share-accounting-contexts.patch diff --git a/queue-6.12/io_uring-rsrc-require-cloned-buffers-to-share-accounting-contexts.patch b/queue-6.12/io_uring-rsrc-require-cloned-buffers-to-share-accounting-contexts.patch new file mode 100644 index 0000000000..8e0b4dffdd --- /dev/null +++ b/queue-6.12/io_uring-rsrc-require-cloned-buffers-to-share-accounting-contexts.patch 
@@ -0,0 +1,44 @@ +From 605dc321522f4334849759d9585bef54dc60994f Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Tue, 14 Jan 2025 18:49:00 +0100 +Subject: io_uring/rsrc: require cloned buffers to share accounting contexts + +From: Jann Horn + +Commit 19d340a2988d4f3e673cded9dde405d727d7e248 upstream. + +When IORING_REGISTER_CLONE_BUFFERS is used to clone buffers from uring +instance A to uring instance B, where A and B use different MMs for +accounting, the accounting can go wrong: +If uring instance A is closed before uring instance B, the pinned memory +counters for uring instance B will be decremented, even though the pinned +memory was originally accounted through uring instance A; so the MM of +uring instance B can end up with negative locked memory. + +Cc: stable@vger.kernel.org +Closes: https://lore.kernel.org/r/CAG48ez1zez4bdhmeGLEFxtbFADY4Czn3CV0u9d_TMcbvRA01bg@mail.gmail.com +Fixes: 7cc2a6eadcd7 ("io_uring: add IORING_REGISTER_COPY_BUFFERS method") +Signed-off-by: Jann Horn +Link: https://lore.kernel.org/r/20250114-uring-check-accounting-v1-1-42e4145aa743@google.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/rsrc.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/io_uring/rsrc.c ++++ b/io_uring/rsrc.c +@@ -1154,6 +1154,13 @@ static int io_clone_buffers(struct io_ri + int i, ret, nbufs; + + /* ++ * Accounting state is shared between the two rings; that only works if ++ * both rings are accounted towards the same counters. ++ */ ++ if (ctx->user != src_ctx->user || ctx->mm_account != src_ctx->mm_account) ++ return -EINVAL; ++ ++ /* + * Drop our own lock here. We'll setup the data we need and reference + * the source buffers, then re-grab, check, and assign at the end. + */ diff --git a/queue-6.12/series b/queue-6.12/series index bd115053a6..2f9df21586 100644 --- a/queue-6.12/series +++ b/queue-6.12/series 
@@ -38,3 +38,4 @@ input-xpad-add-qh-electronics-vid-pid.patch input-xpad-improve-name-of-8bitdo-controller-2dc8-3106.patch input-xpad-add-support-for-nacon-evol-x-xbox-one-controller.patch input-xpad-add-support-for-wooting-two-he-arm.patch +io_uring-rsrc-require-cloned-buffers-to-share-accounting-contexts.patch -- 2.47.3
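Review bot: In the io_uring/rsrc.c hunk, the new check in io_clone_buffers() reads src_ctx->user and src_ctx->mm_account ahead of the "Drop our own lock here" step, and the added comment does not say why those source-ring fields can be read safely at that point. A sentence in the comment naming the lock or lifetime rule that covers them would make the check easier to audit. The user-visible result also deserves a mention in the commit message or the interface documentation: a clone between rings that do not share both user and mm_account now fails with -EINVAL, and callers of IORING_REGISTER_CLONE_BUFFERS have no other way to tell this cause apart from other invalid-argument failures.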