From 54de1d82f55cf7faad599040f41d1d1b128ca00b Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 17 Oct 2022 11:44:35 +0200
Subject: [PATCH] 5.10-stable patches
added patches:
io_uring-af_unix-defer-registered-files-gc-to-io_uring-release.patch
io_uring-correct-pinned_vm-accounting.patch
---
 ...istered-files-gc-to-io_uring-release.patch | 102 ++++++++++++++++++
 ...o_uring-correct-pinned_vm-accounting.patch | 48 +++++++++
 queue-5.10/series | 2 +
 3 files changed, 152 insertions(+)
 create mode 100644 queue-5.10/io_uring-af_unix-defer-registered-files-gc-to-io_uring-release.patch
 create mode 100644 queue-5.10/io_uring-correct-pinned_vm-accounting.patch
diff --git a/queue-5.10/io_uring-af_unix-defer-registered-files-gc-to-io_uring-release.patch b/queue-5.10/io_uring-af_unix-defer-registered-files-gc-to-io_uring-release.patch
new file mode 100644
index 00000000000..c5ffa1ddf34
--- /dev/null
+++ b/queue-5.10/io_uring-af_unix-defer-registered-files-gc-to-io_uring-release.patch
@@ -0,0 +1,102 @@
+From foo@baz Mon Oct 17 11:44:18 AM CEST 2022
+From: Pavel Begunkov
+Date: Sun, 16 Oct 2022 23:31:26 +0100
+Subject: io_uring/af_unix: defer registered files gc to io_uring release
+To: stable@vger.kernel.org
+Cc: Jens Axboe , asml.silence@gmail.com
+Message-ID: <3b70b8129d507c477912c442311be4f5d205e057.1665959215.git.asml.silence@gmail.com>
+
+From: Pavel Begunkov
+
+[ upstream commit 0091bfc81741b8d3aeb3b7ab8636f911b2de6e80 ]
+
+Instead of putting io_uring's registered files in unix_gc() we want it
+to be done by io_uring itself. The trick here is to consider io_uring
+registered files for cycle detection but not actually putting them down.
+Because io_uring can't register other ring instances, this will remove
+all refs to the ring file triggering the ->release path and clean up
+with io_ring_ctx_free().
+
+Cc: stable@vger.kernel.org
+Fixes: 6b06314c47e1 ("io_uring: add file set registration")
+Reported-and-tested-by: David Bouman
+Signed-off-by: Pavel Begunkov
+Signed-off-by: Thadeu Lima de Souza Cascardo
+[axboe: add kerneldoc comment to skb, fold in skb leak fix]
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/io_uring.c | 1 +
+ include/linux/skbuff.h | 2 ++
+ net/unix/garbage.c | 20 ++++++++++++++++++++
+ 3 files changed, 23 insertions(+)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -7301,6 +7301,7 @@ static int __io_sqe_files_scm(struct io_
+ }
+
+ skb->sk = sk;
++ skb->scm_io_uring = 1;
+
+ nr_files = 0;
+ fpl->user = get_uid(ctx->user);
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -681,6 +681,7 @@ typedef unsigned char *sk_buff_data_t;
+ * @csum_level: indicates the number of consecutive checksums found in
+ * the packet minus one that have been verified as
+ * CHECKSUM_UNNECESSARY (max 3)
++ * @scm_io_uring: SKB holds io_uring registered files
+ * @dst_pending_confirm: need to confirm neighbour
+ * @decrypted: Decrypted SKB
+ * @napi_id: id of the NAPI struct this skb came from
+@@ -858,6 +859,7 @@ struct sk_buff {
+ #ifdef CONFIG_TLS_DEVICE
+ __u8 decrypted:1;
+ #endif
++ __u8 scm_io_uring:1;
+
+ #ifdef CONFIG_NET_SCHED
+ __u16 tc_index; /* traffic control index */
+--- a/net/unix/garbage.c
++++ b/net/unix/garbage.c
+@@ -204,6 +204,7 @@ void wait_for_unix_gc(void)
+ /* The external entry point: unix_gc() */
+ void unix_gc(void)
+ {
++ struct sk_buff *next_skb, *skb;
+ struct unix_sock *u;
+ struct unix_sock *next;
+ struct sk_buff_head hitlist;
+@@ -297,11 +298,30 @@ void unix_gc(void)
+
+ spin_unlock(&unix_gc_lock);
+
++ /* We need io_uring to clean its registered files, ignore all io_uring
++ * originated skbs. It's fine as io_uring doesn't keep references to
++ * other io_uring instances and so killing all other files in the cycle
++ * will put all io_uring references forcing it to go through normal
++ * release.path eventually putting registered files.
++ */
++ skb_queue_walk_safe(&hitlist, skb, next_skb) {
++ if (skb->scm_io_uring) {
++ __skb_unlink(skb, &hitlist);
++ skb_queue_tail(&skb->sk->sk_receive_queue, skb);
++ }
++ }
++
+ /* Here we are. Hitlist is filled. Die. */
+ __skb_queue_purge(&hitlist);
+
+ spin_lock(&unix_gc_lock);
+
++ /* There could be io_uring registered files, just push them back to
++ * the inflight list
++ */
++ list_for_each_entry_safe(u, next, &gc_candidates, link)
++ list_move_tail(&u->link, &gc_inflight_list);
++
+ /* All candidates should have been detached by now. */
+ BUG_ON(!list_empty(&gc_candidates));
+
diff --git a/queue-5.10/io_uring-correct-pinned_vm-accounting.patch b/queue-5.10/io_uring-correct-pinned_vm-accounting.patch
new file mode 100644
index 00000000000..97345432d55
--- /dev/null
+++ b/queue-5.10/io_uring-correct-pinned_vm-accounting.patch
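Review bot: In the net/unix/garbage.c part of the queued patch, the new `list_for_each_entry_safe()` loop moves every entry still on `gc_candidates` back to `gc_inflight_list`, so the `BUG_ON(!list_empty(&gc_candidates))` kept right after it can no longer fire, and its comment "All candidates should have been detached by now" no longer describes what is checked. The loop does not tell an io_uring-held socket apart from a candidate left behind for any other reason, so the invariant the assertion used to enforce is now waived for both cases without any signal. I would at least reword the comment, e.g. `/* Leftover candidates (io_uring registered files) were moved back above; the list is empty by construction. */`. The comment above `skb_queue_walk_safe()` also reads `release.path` where the commit message says `->release path`. Both unix_gc() hunks show only part of the function, so the cycle-detection code that fills `hitlist` is outside this view.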
@@ -0,0 +1,48 @@
+From foo@baz Mon Oct 17 11:44:18 AM CEST 2022
+From: Pavel Begunkov
+Date: Sun, 16 Oct 2022 23:31:25 +0100
+Subject: io_uring: correct pinned_vm accounting
+To: stable@vger.kernel.org
+Cc: Jens Axboe , asml.silence@gmail.com
+Message-ID: <24dd0e2b9c4cdcff826a5370a68ad7a953ecb648.1665959215.git.asml.silence@gmail.com>
+
+From: Pavel Begunkov
+
+[ upstream commit 42b6419d0aba47c5d8644cdc0b68502254671de5 ]
+
+->mm_account should be released only after we free all registered
+buffers, otherwise __io_sqe_buffers_unregister() will see a NULL
+->mm_account and skip locked_vm accounting.
+
+Cc:
+Signed-off-by: Pavel Begunkov
+Link: https://lore.kernel.org/r/6d798f65ed4ab8db3664c4d3397d4af16ca98846.1664849932.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/io_uring.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -8436,8 +8436,6 @@ static void io_ring_ctx_free(struct io_r
+ if (ctx->sqo_task) {
+ put_task_struct(ctx->sqo_task);
+ ctx->sqo_task = NULL;
+- mmdrop(ctx->mm_account);
+- ctx->mm_account = NULL;
+ }
+
+ #ifdef CONFIG_BLK_CGROUP
+@@ -8456,6 +8454,11 @@ static void io_ring_ctx_free(struct io_r
+ }
+ #endif
+
++ if (ctx->mm_account) {
++ mmdrop(ctx->mm_account);
++ ctx->mm_account = NULL;
++ }
++
+ io_mem_free(ctx->rings);
+ io_mem_free(ctx->sq_sqes);
+
diff --git a/queue-5.10/series b/queue-5.10/series
index b1cb08e7546..44fef5a8f0c 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -457,3 +457,5 @@ fsi-master-ast-cf-fix-missing-of_node_put-in-fsi_mas.patch
 clk-bcm2835-make-peripheral-pllc-critical.patch
 perf-intel-pt-fix-segfault-in-intel_pt_print_info-with-uclibc.patch
 arm64-topology-fix-possible-overflow-in-amu_fie_setup.patch
+io_uring-correct-pinned_vm-accounting.patch
+io_uring-af_unix-defer-registered-files-gc-to-io_uring-release.patch
-- 
2.47.2
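Review bot: The ordering requirement behind the second io_ring_ctx_free() hunk is recorded only in the commit message; nothing next to the relocated `if (ctx->mm_account)` block says it must stay after the registered-buffer teardown. A later cleanup that moves the block back up would bring back the skipped locked_vm accounting with no compiler or runtime signal. I would add a comment above the block such as `/* Drop mm_account only after registered buffers are unregistered; the unregister path needs it for locked_vm accounting. */`. The buffer-unregister call itself lies outside both hunks, so its position relative to the new block cannot be confirmed from this page.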