--- /dev/null
+From af82425c6a2d2f347c79b63ce74fca6dc6be157f Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Mon, 2 Jan 2023 16:49:46 -0700
+Subject: io_uring/io-wq: free worker if task_work creation is canceled
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit af82425c6a2d2f347c79b63ce74fca6dc6be157f upstream.
+
+If we cancel the task_work, the worker will never come into existance.
+As this is the last reference to it, ensure that we get it freed
+appropriately.
+
+Cc: stable@vger.kernel.org
+Reported-by: 진호 <wnwlsgh98@gmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/io-wq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/io_uring/io-wq.c
++++ b/io_uring/io-wq.c
+@@ -1217,6 +1217,7 @@ static void io_wq_cancel_tw_create(struc
+
+ worker = container_of(cb, struct io_worker, create_work);
+ io_worker_cancel_cb(worker);
++ kfree(worker);
+ }
+ }
+
--- /dev/null
+From e6db6f9398dadcbc06318a133d4c44a2d3844e61 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Sun, 8 Jan 2023 10:39:17 -0700
+Subject: io_uring/io-wq: only free worker if it was allocated for creation
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit e6db6f9398dadcbc06318a133d4c44a2d3844e61 upstream.
+
+We have two types of task_work based creation, one is using an existing
+worker to setup a new one (eg when going to sleep and we have no free
+workers), and the other is allocating a new worker. Only the latter
+should be freed when we cancel task_work creation for a new worker.
+
+Fixes: af82425c6a2d ("io_uring/io-wq: free worker if task_work creation is canceled")
+Reported-by: syzbot+d56ec896af3637bdb7e4@syzkaller.appspotmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/io-wq.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/io_uring/io-wq.c
++++ b/io_uring/io-wq.c
+@@ -1217,7 +1217,12 @@ static void io_wq_cancel_tw_create(struc
+
+ worker = container_of(cb, struct io_worker, create_work);
+ io_worker_cancel_cb(worker);
+- kfree(worker);
++ /*
++ * Only the worker continuation helper has worker allocated and
++ * hence needs freeing.
++ */
++ if (cb->func == create_worker_cont)
++ kfree(worker);
+ }
+ }
+
arm64-cmpxchg_double-hazard-against-entire-exchange-.patch
efi-fix-null-deref-in-init-error-path.patch
drm-virtio-fix-gem-handle-creation-uaf.patch
+io_uring-io-wq-free-worker-if-task_work-creation-is-canceled.patch
+io_uring-io-wq-only-free-worker-if-it-was-allocated-for-creation.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
