From 92f08f4b75a5ac6da79dfb462f6eb9f99d00979a Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sat, 7 Dec 2019 16:33:53 +0100
Subject: [PATCH] 5.3-stable patches

added patches:
io_uring-ensure-req-submit-is-copied-when-req-is-deferred.patch
---
 ...ubmit-is-copied-when-req-is-deferred.patch | 71 +++++++++++++++++++
 queue-5.3/series | 1 +
 2 files changed, 72 insertions(+)
 create mode 100644 queue-5.3/io_uring-ensure-req-submit-is-copied-when-req-is-deferred.patch

diff --git a/queue-5.3/io_uring-ensure-req-submit-is-copied-when-req-is-deferred.patch b/queue-5.3/io_uring-ensure-req-submit-is-copied-when-req-is-deferred.patch
new file mode 100644
index 00000000000..a39d8aca2f7
--- /dev/null
+++ b/queue-5.3/io_uring-ensure-req-submit-is-copied-when-req-is-deferred.patch
@@ -0,0 +1,71 @@
+From axboe@kernel.dk Sat Dec 7 16:31:08 2019
+From: Jens Axboe
+Date: Wed, 4 Dec 2019 08:53:43 -0700
+Subject: io_uring: ensure req->submit is copied when req is deferred
+To: stable@vger.kernel.org
+Message-ID: 
+
+From: Jens Axboe
+
+There's an issue with deferred requests through drain, where if we do
+need to defer, we're not copying over the sqe_submit state correctly.
+This can result in using uninitialized data when we then later go and
+submit the deferred request, like this check in __io_submit_sqe():
+
+ if (unlikely(s->index >= ctx->sq_entries))
+ return -EINVAL;
+
+with 's' being uninitialized, we can randomly fail this check. Fix this
+by copying sqe_submit state when we defer a request.
+
+Because it was fixed as part of a cleanup series in mainline, before
+anyone realized we had this issue. That removed the separate states
+of ->index vs ->submit.sqe. That series is not something I was
+comfortable putting into stable, hence the much simpler addition.
+Here's the patch in the series that fixes the same issue:
+
+commit cf6fd4bd559ee61a4454b161863c8de6f30f8dca
+Author: Pavel Begunkov
+Date: Mon Nov 25 23:14:39 2019 +0300
+
+ io_uring: inline struct sqe_submit
+
+Reported-by: Andres Freund
+Reported-by: Tomáš Chaloupka
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/io_uring.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -1787,7 +1787,7 @@ static int io_poll_add(struct io_kiocb *
+ }
+ 
+ static int io_req_defer(struct io_ring_ctx *ctx, struct io_kiocb *req,
+- const struct io_uring_sqe *sqe)
++ struct sqe_submit *s)
+ {
+ struct io_uring_sqe *sqe_copy;
+ 
+@@ -1805,7 +1805,8 @@ static int io_req_defer(struct io_ring_c
+ return 0;
+ }
+ 
+- memcpy(sqe_copy, sqe, sizeof(*sqe_copy));
++ memcpy(&req->submit, s, sizeof(*s));
++ memcpy(sqe_copy, s->sqe, sizeof(*sqe_copy));
+ req->submit.sqe = sqe_copy;
+ 
+ INIT_WORK(&req->work, io_sq_wq_submit_work);
+@@ -2114,7 +2115,7 @@ static int io_queue_sqe(struct io_ring_c
+ {
+ int ret;
+ 
+- ret = io_req_defer(ctx, req, s->sqe);
++ ret = io_req_defer(ctx, req, s);
+ if (ret) {
+ if (ret != -EIOCBQUEUED) {
+ io_free_req(req);
diff --git a/queue-5.3/series b/queue-5.3/series
index b72b9e3f6d6..e60d7613464 100644
--- a/queue-5.3/series
+++ b/queue-5.3/series
@@ -44,3 +44,4 @@ i2c-core-fix-use-after-free-in-of_i2c_notify.patch
 io_uring-transform-send-recvmsg-erestartsys-to-eintr.patch
 fuse-verify-nlink.patch
 fuse-verify-attributes.patch
+io_uring-ensure-req-submit-is-copied-when-req-is-deferred.patch
-- 
2.47.3
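Review bot: The new `io_req_defer` parameter in the first inner hunk drops the `const` that the replaced `sqe` parameter carried, although `s` is only ever read in the visible lines (it is the source operand of both memcpy calls), so `struct sqe_submit *s)` can be `const struct sqe_submit *s)` to keep the read-only contract explicit. The state copy `memcpy(&req->submit, s, sizeof(*s));` is a whole-struct copy and is both type-checked and clearer as the assignment `req->submit = *s;`; that form also remains well-defined if a caller ever hands in `&req->submit` itself as `s`, whereas memcpy with identical source and destination is formally an overlapping copy. The only caller touched is io_queue_sqe, whose `s` originates outside the hunk, so whether such aliasing can occur cannot be confirmed from here. Note that io_req_defer starts before the first inner hunk and its body between the two hunks, including wherever `sqe_copy` is allocated, is not shown, so the ordering of the copy relative to the allocation failure path is not reviewable from this patch alone.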