drop some pending patches that are now in "real" trees.
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 29 Apr 2019 14:35:59 +0000 (16:35 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 29 Apr 2019 14:35:59 +0000 (16:35 +0200)
pending/aio-simplify-and-fix-fget-fput-for-io_submit.patch [deleted file]
pending/x86-fpu-don-t-export-__kernel_fpu_-begin-end.patch [deleted file]

diff --git a/pending/aio-simplify-and-fix-fget-fput-for-io_submit.patch b/pending/aio-simplify-and-fix-fget-fput-for-io_submit.patch
deleted file mode 100644 (file)
index 6af0ba9..0000000
+++ /dev/null
@@ -1,301 +0,0 @@
-From 84c4e1f89fefe70554da0ab33be72c9be7994379 Mon Sep 17 00:00:00 2001
-From: Linus Torvalds <torvalds@linux-foundation.org>
-Date: Sun, 3 Mar 2019 14:23:33 -0800
-Subject: aio: simplify - and fix - fget/fput for io_submit()
-
-From: Linus Torvalds <torvalds@linux-foundation.org>
-
-commit 84c4e1f89fefe70554da0ab33be72c9be7994379 upstream.
-
-Al Viro root-caused a race where the IOCB_CMD_POLL handling of
-fget/fput() could cause us to access the file pointer after it had
-already been freed:
-
- "In more details - normally IOCB_CMD_POLL handling looks so:
-
-   1) io_submit(2) allocates aio_kiocb instance and passes it to
-      aio_poll()
-
-   2) aio_poll() resolves the descriptor to struct file by req->file =
-      fget(iocb->aio_fildes)
-
-   3) aio_poll() sets ->woken to false and raises ->ki_refcnt of that
-      aio_kiocb to 2 (bumps by 1, that is).
-
-   4) aio_poll() calls vfs_poll(). After sanity checks (basically,
-      "poll_wait() had been called and only once") it locks the queue.
-      That's what the extra reference to iocb had been for - we know we
-      can safely access it.
-
-   5) With queue locked, we check if ->woken has already been set to
-      true (by aio_poll_wake()) and, if it had been, we unlock the
-      queue, drop a reference to aio_kiocb and bugger off - at that
-      point it's a responsibility to aio_poll_wake() and the stuff
-      called/scheduled by it. That code will drop the reference to file
-      in req->file, along with the other reference to our aio_kiocb.
-
-   6) otherwise, we see whether we need to wait. If we do, we unlock the
-      queue, drop one reference to aio_kiocb and go away - eventual
-      wakeup (or cancel) will deal with the reference to file and with
-      the other reference to aio_kiocb
-
-   7) otherwise we remove ourselves from waitqueue (still under the
-      queue lock), so that wakeup won't get us. No async activity will
-      be happening, so we can safely drop req->file and iocb ourselves.
-
-  If wakeup happens while we are in vfs_poll(), we are fine - aio_kiocb
-  won't get freed under us, so we can do all the checks and locking
-  safely. And we don't touch ->file if we detect that case.
-
-  However, vfs_poll() most certainly *does* touch the file it had been
-  given. So wakeup coming while we are still in ->poll() might end up
-  doing fput() on that file. That case is not too rare, and usually we
-  are saved by the still present reference from descriptor table - that
-  fput() is not the final one.
-
-  But if another thread closes that descriptor right after our fget()
-  and wakeup does happen before ->poll() returns, we are in trouble -
-  final fput() done while we are in the middle of a method:
-
-Al also wrote a patch to take an extra reference to the file descriptor
-to fix this, but I instead suggested we just streamline the whole file
-pointer handling by submit_io() so that the generic aio submission code
-simply keeps the file pointer around until the aio has completed.
-
-Fixes: bfe4037e722e ("aio: implement IOCB_CMD_POLL")
-Acked-by: Al Viro <viro@zeniv.linux.org.uk>
-Reported-by: syzbot+503d4cc169fcec1cb18c@syzkaller.appspotmail.com
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- fs/aio.c           |   67 +++++++++++++++++++++--------------------------------
- include/linux/fs.h |    8 +++++-
- 2 files changed, 34 insertions(+), 41 deletions(-)
-
---- a/fs/aio.c
-+++ b/fs/aio.c
-@@ -161,9 +161,13 @@ struct kioctx {
-       unsigned                id;
- };
-+/*
-+ * First field must be the file pointer in all the
-+ * iocb unions! See also 'struct kiocb' in <linux/fs.h>
-+ */
- struct fsync_iocb {
--      struct work_struct      work;
-       struct file             *file;
-+      struct work_struct      work;
-       bool                    datasync;
- };
-@@ -177,8 +181,15 @@ struct poll_iocb {
-       struct work_struct      work;
- };
-+/*
-+ * NOTE! Each of the iocb union members has the file pointer
-+ * as the first entry in their struct definition. So you can
-+ * access the file pointer through any of the sub-structs,
-+ * or directly as just 'ki_filp' in this struct.
-+ */
- struct aio_kiocb {
-       union {
-+              struct file             *ki_filp;
-               struct kiocb            rw;
-               struct fsync_iocb       fsync;
-               struct poll_iocb        poll;
-@@ -1054,6 +1065,8 @@ static inline void iocb_put(struct aio_k
- {
-       if (refcount_read(&iocb->ki_refcnt) == 0 ||
-           refcount_dec_and_test(&iocb->ki_refcnt)) {
-+              if (iocb->ki_filp)
-+                      fput(iocb->ki_filp);
-               percpu_ref_put(&iocb->ki_ctx->reqs);
-               kmem_cache_free(kiocb_cachep, iocb);
-       }
-@@ -1412,7 +1425,6 @@ static void aio_complete_rw(struct kiocb
-               file_end_write(kiocb->ki_filp);
-       }
--      fput(kiocb->ki_filp);
-       aio_complete(iocb, res, res2);
- }
-@@ -1420,9 +1432,6 @@ static int aio_prep_rw(struct kiocb *req
- {
-       int ret;
--      req->ki_filp = fget(iocb->aio_fildes);
--      if (unlikely(!req->ki_filp))
--              return -EBADF;
-       req->ki_complete = aio_complete_rw;
-       req->ki_pos = iocb->aio_offset;
-       req->ki_flags = iocb_flags(req->ki_filp);
-@@ -1438,7 +1447,6 @@ static int aio_prep_rw(struct kiocb *req
-               ret = ioprio_check_cap(iocb->aio_reqprio);
-               if (ret) {
-                       pr_debug("aio ioprio check cap error: %d\n", ret);
--                      fput(req->ki_filp);
-                       return ret;
-               }
-@@ -1447,8 +1455,6 @@ static int aio_prep_rw(struct kiocb *req
-               req->ki_ioprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_NONE, 0);
-       ret = kiocb_set_rw_flags(req, iocb->aio_rw_flags);
--      if (unlikely(ret))
--              fput(req->ki_filp);
-       return ret;
- }
-@@ -1503,24 +1509,19 @@ static ssize_t aio_read(struct kiocb *re
-       if (ret)
-               return ret;
-       file = req->ki_filp;
--
--      ret = -EBADF;
-       if (unlikely(!(file->f_mode & FMODE_READ)))
--              goto out_fput;
-+              return -EBADF;
-       ret = -EINVAL;
-       if (unlikely(!file->f_op->read_iter))
--              goto out_fput;
-+              return -EINVAL;
-       ret = aio_setup_rw(READ, iocb, &iovec, vectored, compat, &iter);
-       if (ret)
--              goto out_fput;
-+              return ret;
-       ret = rw_verify_area(READ, file, &req->ki_pos, iov_iter_count(&iter));
-       if (!ret)
-               aio_rw_done(req, call_read_iter(file, req, &iter));
-       kfree(iovec);
--out_fput:
--      if (unlikely(ret))
--              fput(file);
-       return ret;
- }
-@@ -1537,16 +1538,14 @@ static ssize_t aio_write(struct kiocb *r
-               return ret;
-       file = req->ki_filp;
--      ret = -EBADF;
-       if (unlikely(!(file->f_mode & FMODE_WRITE)))
--              goto out_fput;
--      ret = -EINVAL;
-+              return -EBADF;
-       if (unlikely(!file->f_op->write_iter))
--              goto out_fput;
-+              return -EINVAL;
-       ret = aio_setup_rw(WRITE, iocb, &iovec, vectored, compat, &iter);
-       if (ret)
--              goto out_fput;
-+              return ret;
-       ret = rw_verify_area(WRITE, file, &req->ki_pos, iov_iter_count(&iter));
-       if (!ret) {
-               /*
-@@ -1564,9 +1563,6 @@ static ssize_t aio_write(struct kiocb *r
-               aio_rw_done(req, call_write_iter(file, req, &iter));
-       }
-       kfree(iovec);
--out_fput:
--      if (unlikely(ret))
--              fput(file);
-       return ret;
- }
-@@ -1576,7 +1572,6 @@ static void aio_fsync_work(struct work_s
-       int ret;
-       ret = vfs_fsync(req->file, req->datasync);
--      fput(req->file);
-       aio_complete(container_of(req, struct aio_kiocb, fsync), ret, 0);
- }
-@@ -1586,13 +1581,8 @@ static int aio_fsync(struct fsync_iocb *
-                       iocb->aio_rw_flags))
-               return -EINVAL;
--      req->file = fget(iocb->aio_fildes);
--      if (unlikely(!req->file))
--              return -EBADF;
--      if (unlikely(!req->file->f_op->fsync)) {
--              fput(req->file);
-+      if (unlikely(!req->file->f_op->fsync))
-               return -EINVAL;
--      }
-       req->datasync = datasync;
-       INIT_WORK(&req->work, aio_fsync_work);
-@@ -1602,10 +1592,7 @@ static int aio_fsync(struct fsync_iocb *
- static inline void aio_poll_complete(struct aio_kiocb *iocb, __poll_t mask)
- {
--      struct file *file = iocb->poll.file;
--
-       aio_complete(iocb, mangle_poll(mask), 0);
--      fput(file);
- }
- static void aio_poll_complete_work(struct work_struct *work)
-@@ -1730,9 +1717,6 @@ static ssize_t aio_poll(struct aio_kiocb
-       INIT_WORK(&req->work, aio_poll_complete_work);
-       req->events = demangle_poll(iocb->aio_buf) | EPOLLERR | EPOLLHUP;
--      req->file = fget(iocb->aio_fildes);
--      if (unlikely(!req->file))
--              return -EBADF;
-       apt.pt._qproc = aio_poll_queue_proc;
-       apt.pt._key = req->events;
-@@ -1771,10 +1755,8 @@ static ssize_t aio_poll(struct aio_kiocb
-       spin_unlock_irq(&ctx->ctx_lock);
- out:
--      if (unlikely(apt.error)) {
--              fput(req->file);
-+      if (unlikely(apt.error))
-               return apt.error;
--      }
-       if (mask)
-               aio_poll_complete(aiocb, mask);
-@@ -1812,6 +1794,11 @@ static int io_submit_one(struct kioctx *
-       if (unlikely(!req))
-               return -EAGAIN;
-+      req->ki_filp = fget(iocb->aio_fildes);
-+      ret = -EBADF;
-+      if (unlikely(!req->ki_filp))
-+              goto out_put_req;
-+
-       if (iocb.aio_flags & IOCB_FLAG_RESFD) {
-               /*
-                * If the IOCB_FLAG_RESFD flag of aio_flags is set, get an
---- a/include/linux/fs.h
-+++ b/include/linux/fs.h
-@@ -304,13 +304,19 @@ enum rw_hint {
- struct kiocb {
-       struct file             *ki_filp;
-+
-+      /* The 'ki_filp' pointer is shared in a union for aio */
-+      randomized_struct_fields_start
-+
-       loff_t                  ki_pos;
-       void (*ki_complete)(struct kiocb *iocb, long ret, long ret2);
-       void                    *private;
-       int                     ki_flags;
-       u16                     ki_hint;
-       u16                     ki_ioprio; /* See linux/ioprio.h */
--} __randomize_layout;
-+
-+      randomized_struct_fields_end
-+};
- static inline bool is_sync_kiocb(struct kiocb *kiocb)
- {
diff --git a/pending/x86-fpu-don-t-export-__kernel_fpu_-begin-end.patch b/pending/x86-fpu-don-t-export-__kernel_fpu_-begin-end.patch
deleted file mode 100644 (file)
index f83eb18..0000000
+++ /dev/null
@@ -1,130 +0,0 @@
-From 12209993e98c5fa1855c467f22a24e3d5b8be205 Mon Sep 17 00:00:00 2001
-From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
-Date: Thu, 29 Nov 2018 16:02:10 +0100
-Subject: x86/fpu: Don't export __kernel_fpu_{begin,end}()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
-
-commit 12209993e98c5fa1855c467f22a24e3d5b8be205 upstream.
-
-There is one user of __kernel_fpu_begin() and before invoking it,
-it invokes preempt_disable(). So it could invoke kernel_fpu_begin()
-right away. The 32bit version of arch_efi_call_virt_setup() and
-arch_efi_call_virt_teardown() does this already.
-
-The comment above *kernel_fpu*() claims that before invoking
-__kernel_fpu_begin() preemption should be disabled and that KVM is a
-good example of doing it. Well, KVM doesn't do that since commit
-
-  f775b13eedee2 ("x86,kvm: move qemu/guest FPU switching out to vcpu_run")
-
-so it is not an example anymore.
-
-With EFI gone as the last user of __kernel_fpu_{begin|end}(), both can
-be made static and not exported anymore.
-
-Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
-Signed-off-by: Borislav Petkov <bp@suse.de>
-Reviewed-by: Rik van Riel <riel@surriel.com>
-Cc: "H. Peter Anvin" <hpa@zytor.com>
-Cc: "Jason A. Donenfeld" <Jason@zx2c4.com>
-Cc: Andy Lutomirski <luto@kernel.org>
-Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
-Cc: Dave Hansen <dave.hansen@linux.intel.com>
-Cc: Ingo Molnar <mingo@redhat.com>
-Cc: Nicolai Stange <nstange@suse.de>
-Cc: Paolo Bonzini <pbonzini@redhat.com>
-Cc: Radim Krčmář <rkrcmar@redhat.com>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: kvm ML <kvm@vger.kernel.org>
-Cc: linux-efi <linux-efi@vger.kernel.org>
-Cc: x86-ml <x86@kernel.org>
-Link: https://lkml.kernel.org/r/20181129150210.2k4mawt37ow6c2vq@linutronix.de
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
-diff --git a/arch/x86/include/asm/efi.h b/arch/x86/include/asm/efi.h
-index eea40d52ca78..45864898f7e5 100644
---- a/arch/x86/include/asm/efi.h
-+++ b/arch/x86/include/asm/efi.h
-@@ -82,8 +82,7 @@ struct efi_scratch {
- #define arch_efi_call_virt_setup()                                    \
- ({                                                                    \
-       efi_sync_low_kernel_mappings();                                 \
--      preempt_disable();                                              \
--      __kernel_fpu_begin();                                           \
-+      kernel_fpu_begin();                                             \
-       firmware_restrict_branch_speculation_start();                   \
-                                                                       \
-       if (!efi_enabled(EFI_OLD_MEMMAP))                               \
-@@ -99,8 +98,7 @@ struct efi_scratch {
-               efi_switch_mm(efi_scratch.prev_mm);                     \
-                                                                       \
-       firmware_restrict_branch_speculation_end();                     \
--      __kernel_fpu_end();                                             \
--      preempt_enable();                                               \
-+      kernel_fpu_end();                                               \
- })
- extern void __iomem *__init efi_ioremap(unsigned long addr, unsigned long size,
-diff --git a/arch/x86/include/asm/fpu/api.h b/arch/x86/include/asm/fpu/api.h
-index a9caac9d4a72..b56d504af654 100644
---- a/arch/x86/include/asm/fpu/api.h
-+++ b/arch/x86/include/asm/fpu/api.h
-@@ -12,17 +12,12 @@
- #define _ASM_X86_FPU_API_H
- /*
-- * Careful: __kernel_fpu_begin/end() must be called with preempt disabled
-- * and they don't touch the preempt state on their own.
-- * If you enable preemption after __kernel_fpu_begin(), preempt notifier
-- * should call the __kernel_fpu_end() to prevent the kernel/user FPU
-- * state from getting corrupted. KVM for example uses this model.
-- *
-- * All other cases use kernel_fpu_begin/end() which disable preemption
-- * during kernel FPU usage.
-+ * Use kernel_fpu_begin/end() if you intend to use FPU in kernel context. It
-+ * disables preemption so be careful if you intend to use it for long periods
-+ * of time.
-+ * If you intend to use the FPU in softirq you need to check first with
-+ * irq_fpu_usable() if it is possible.
-  */
--extern void __kernel_fpu_begin(void);
--extern void __kernel_fpu_end(void);
- extern void kernel_fpu_begin(void);
- extern void kernel_fpu_end(void);
- extern bool irq_fpu_usable(void);
-diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c
-index 2ea85b32421a..2e5003fef51a 100644
---- a/arch/x86/kernel/fpu/core.c
-+++ b/arch/x86/kernel/fpu/core.c
-@@ -93,7 +93,7 @@ bool irq_fpu_usable(void)
- }
- EXPORT_SYMBOL(irq_fpu_usable);
--void __kernel_fpu_begin(void)
-+static void __kernel_fpu_begin(void)
- {
-       struct fpu *fpu = &current->thread.fpu;
-@@ -111,9 +111,8 @@ void __kernel_fpu_begin(void)
-               __cpu_invalidate_fpregs_state();
-       }
- }
--EXPORT_SYMBOL(__kernel_fpu_begin);
--void __kernel_fpu_end(void)
-+static void __kernel_fpu_end(void)
- {
-       struct fpu *fpu = &current->thread.fpu;
-@@ -122,7 +121,6 @@ void __kernel_fpu_end(void)
-       kernel_fpu_enable();
- }
--EXPORT_SYMBOL(__kernel_fpu_end);
- void kernel_fpu_begin(void)
- {