From 4da9ddafb69b4d4748309e906a4e0a6586205cd2 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 3 Mar 2023 11:39:17 +0100
Subject: [PATCH] 5.15-stable patches added patches: io_uring-add-missing-lock-in-io_get_file_fixed.patch
---
 ...dd-missing-lock-in-io_get_file_fixed.patch | 103 ++++++++++++++++++
 queue-5.15/series | 1 +
 2 files changed, 104 insertions(+)
 create mode 100644 queue-5.15/io_uring-add-missing-lock-in-io_get_file_fixed.patch
diff --git a/queue-5.15/io_uring-add-missing-lock-in-io_get_file_fixed.patch b/queue-5.15/io_uring-add-missing-lock-in-io_get_file_fixed.patch
new file mode 100644
index 00000000000..d988035b8b5
--- /dev/null
+++ b/queue-5.15/io_uring-add-missing-lock-in-io_get_file_fixed.patch
@@ -0,0 +1,103 @@
+From 56668f74d058b5c84a72bbb25300a343694c0b40 Mon Sep 17 00:00:00 2001
+From: Bing-Jhong Billy Jheng
+Date: Thu, 2 Mar 2023 21:00:06 +0800
+Subject: io_uring: add missing lock in io_get_file_fixed
+
+From: Bing-Jhong Billy Jheng
+
+io_get_file_fixed will access io_uring's context. Lock it if it is
+invoked unlocked (eg via io-wq) to avoid a race condition with fixed
+files getting unregistered.
+
+No single upstream patch exists for this issue, it was fixed as part
+of the file assignment changes that went into the 5.18 cycle.
+
+Signed-off-by: Jheng, Bing-Jhong Billy
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ io_uring/io_uring.c | 25 ++++++++++++++++---------
+ 1 file changed, 16 insertions(+), 9 deletions(-)
+
+--- a/io_uring/io_uring.c
++++ b/io_uring/io_uring.c
+@@ -1095,7 +1095,8 @@ static int __io_register_rsrc_update(str
+ unsigned nr_args);
+ static void io_clean_op(struct io_kiocb *req);
+ static struct file *io_file_get(struct io_ring_ctx *ctx,
+- struct io_kiocb *req, int fd, bool fixed);
++ struct io_kiocb *req, int fd, bool fixed,
++ unsigned int issue_flags);
+ static void __io_queue_sqe(struct io_kiocb *req);
+ static void io_rsrc_put_work(struct work_struct *work);
+
+@@ -4121,7 +4122,7 @@ static int io_tee(struct io_kiocb *req,
+ return -EAGAIN;
+
+ in = io_file_get(req->ctx, req, sp->splice_fd_in,
+- (sp->flags & SPLICE_F_FD_IN_FIXED));
++ (sp->flags & SPLICE_F_FD_IN_FIXED), issue_flags);
+ if (!in) {
+ ret = -EBADF;
+ goto done;
+@@ -4161,7 +4162,7 @@ static int io_splice(struct io_kiocb *re
+ return -EAGAIN;
+
+ in = io_file_get(req->ctx, req, sp->splice_fd_in,
+- (sp->flags & SPLICE_F_FD_IN_FIXED));
++ (sp->flags & SPLICE_F_FD_IN_FIXED), issue_flags);
+ if (!in) {
+ ret = -EBADF;
+ goto done;
+@@ -7047,13 +7048,16 @@ static void io_fixed_file_set(struct io_
+ }
+
+ static inline struct file *io_file_get_fixed(struct io_ring_ctx *ctx,
+- struct io_kiocb *req, int fd)
++ struct io_kiocb *req, int fd,
++ unsigned int issue_flags)
+ {
+- struct file *file;
++ struct file *file = NULL;
+ unsigned long file_ptr;
+
++ io_ring_submit_lock(ctx, !(issue_flags & IO_URING_F_NONBLOCK));
++
+ if (unlikely((unsigned int)fd >= ctx->nr_user_files))
+- return NULL;
++ goto out;
+ fd = array_index_nospec(fd, ctx->nr_user_files);
+ file_ptr = io_fixed_file_slot(&ctx->file_table, fd)->file_ptr;
+ file = (struct file *) (file_ptr & FFS_MASK);
+@@ -7061,6 +7065,8 @@ static inline struct file *io_file_get_f
+ /* mask in overlapping REQ_F and FFS bits */
+ req->flags |= (file_ptr << REQ_F_NOWAIT_READ_BIT);
+ io_req_set_rsrc_node(req);
++out:
++ io_ring_submit_unlock(ctx, !(issue_flags & IO_URING_F_NONBLOCK));
+ return file;
+ }
+
+@@ -7078,10 +7084,11 @@ static struct file *io_file_get_normal(s
+ }
+
+ static inline struct file *io_file_get(struct io_ring_ctx *ctx,
+- struct io_kiocb *req, int fd, bool fixed)
++ struct io_kiocb *req, int fd, bool fixed,
++ unsigned int issue_flags)
+ {
+ if (fixed)
+- return io_file_get_fixed(ctx, req, fd);
++ return io_file_get_fixed(ctx, req, fd, issue_flags);
+ else
+ return io_file_get_normal(ctx, req, fd);
+ }
+@@ -7303,7 +7310,7 @@ static int io_init_req(struct io_ring_ct
+
+ if (io_op_defs[req->opcode].needs_file) {
+ req->file = io_file_get(ctx, req, READ_ONCE(sqe->fd),
+- (sqe_flags & IOSQE_FIXED_FILE));
++ (sqe_flags & IOSQE_FIXED_FILE), 0);
+ if (unlikely(!req->file))
+ ret = -EBADF;
+ }
diff --git a/queue-5.15/series b/queue-5.15/series
index 28ea150775a..e2027d1e7d9 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -20,3 +20,4 @@ usb-dwc3-pci-add-support-for-the-intel-meteor-lake-m.patch
 usb-serial-option-add-support-for-vw-skoda-carstick-lte.patch
 usb-gadget-u_serial-add-null-pointer-check-in-gserial_resume.patch
 usb-core-don-t-hold-device-lock-while-reading-the-descriptors-sysfs-file.patch
+io_uring-add-missing-lock-in-io_get_file_fixed.patch
-- 
2.47.3
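Review bot: In the io_init_req hunk of the queued patch, `io_file_get()` is called with an `issue_flags` of `0`, which `io_file_get_fixed()` turns into `io_ring_submit_lock(ctx, !(issue_flags & IO_URING_F_NONBLOCK))` with a true argument, so every fixed-file request prepared through io_init_req asks for the lock. The commit message says the lock is only needed when the function is "invoked unlocked (eg via io-wq)", which suggests the inline submission path already holds the ring lock. If that is so (io_init_req's callers are outside the hunk, so this needs confirming), the call would try to take a lock the task already owns and hang. Passing the flag that marks the already-locked path, `(sqe_flags & IOSQE_FIXED_FILE), IO_URING_F_NONBLOCK);`, would limit the new locking to callers such as io_tee and io_splice that forward their real issue_flags. A comment above io_file_get_fixed would also help, for example `/* takes the ring submit lock unless IO_URING_F_NONBLOCK is set, i.e. the caller already holds it */`.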