From: Greg Kroah-Hartman Date: Mon, 16 Jan 2023 14:49:29 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v4.14.303~33 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=230121037c635b3361e262637c279e8327ad2cb6;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: io_uring-io-wq-free-worker-if-task_work-creation-is-canceled.patch io_uring-io-wq-only-free-worker-if-it-was-allocated-for-creation.patch
---
diff --git a/queue-5.10/io_uring-io-wq-free-worker-if-task_work-creation-is-canceled.patch b/queue-5.10/io_uring-io-wq-free-worker-if-task_work-creation-is-canceled.patch
new file mode 100644
index 00000000000..730e1a6699b
--- /dev/null
+++ b/queue-5.10/io_uring-io-wq-free-worker-if-task_work-creation-is-canceled.patch
@@ -0,0 +1,34 @@
+From af82425c6a2d2f347c79b63ce74fca6dc6be157f Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Mon, 2 Jan 2023 16:49:46 -0700
+Subject: io_uring/io-wq: free worker if task_work creation is canceled
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jens Axboe
+
+commit af82425c6a2d2f347c79b63ce74fca6dc6be157f upstream.
+
+If we cancel the task_work, the worker will never come into existance.
+As this is the last reference to it, ensure that we get it freed
+appropriately.
+
+Cc: stable@vger.kernel.org
+Reported-by: 진호
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ io_uring/io-wq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/io_uring/io-wq.c
++++ b/io_uring/io-wq.c
+@@ -1217,6 +1217,7 @@ static void io_wq_cancel_tw_create(struc
+
+ worker = container_of(cb, struct io_worker, create_work);
+ io_worker_cancel_cb(worker);
++ kfree(worker);
+ }
+ }
+
diff --git a/queue-5.10/io_uring-io-wq-only-free-worker-if-it-was-allocated-for-creation.patch b/queue-5.10/io_uring-io-wq-only-free-worker-if-it-was-allocated-for-creation.patch
new file mode 100644
index 00000000000..e3983a8c58c
--- /dev/null
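Review bot: The `kfree(worker);` this queued patch adds after `io_worker_cancel_cb(worker);` runs for every cancelled `create_work`, with no check on how the worker came to own that callback. The follow-up queued in this same commit (e6db6f9398da, which carries a syzbot report and a `Fixes:` tag for this change) states that only a worker allocated for creation should be freed, so a tree carrying this patch alone would also free an existing worker that is merely setting up a new one. Keep the two entries adjacent and in this order in `series`, and treat af82425c6a2d plus e6db6f9398da as one unit when cherry-picking into other branches. The body of `io_wq_cancel_tw_create` starts outside the inner hunk.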
+++ b/queue-5.10/io_uring-io-wq-only-free-worker-if-it-was-allocated-for-creation.patch
@@ -0,0 +1,38 @@
+From e6db6f9398dadcbc06318a133d4c44a2d3844e61 Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Sun, 8 Jan 2023 10:39:17 -0700
+Subject: io_uring/io-wq: only free worker if it was allocated for creation
+
+From: Jens Axboe
+
+commit e6db6f9398dadcbc06318a133d4c44a2d3844e61 upstream.
+
+We have two types of task_work based creation, one is using an existing
+worker to setup a new one (eg when going to sleep and we have no free
+workers), and the other is allocating a new worker. Only the latter
+should be freed when we cancel task_work creation for a new worker.
+
+Fixes: af82425c6a2d ("io_uring/io-wq: free worker if task_work creation is canceled")
+Reported-by: syzbot+d56ec896af3637bdb7e4@syzkaller.appspotmail.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ io_uring/io-wq.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/io_uring/io-wq.c
++++ b/io_uring/io-wq.c
+@@ -1217,7 +1217,12 @@ static void io_wq_cancel_tw_create(struc
+
+ worker = container_of(cb, struct io_worker, create_work);
+ io_worker_cancel_cb(worker);
+- kfree(worker);
++ /*
++ * Only the worker continuation helper has worker allocated and
++ * hence needs freeing.
++ */
++ if (cb->func == create_worker_cont)
++ kfree(worker);
+ }
+ }
+
diff --git a/queue-5.10/series b/queue-5.10/series
index f9c59c49a48..e6fe98c5095 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -59,3 +59,5 @@ arm64-atomics-remove-ll-sc-trampolines.patch
 arm64-cmpxchg_double-hazard-against-entire-exchange-.patch
 efi-fix-null-deref-in-init-error-path.patch
 drm-virtio-fix-gem-handle-creation-uaf.patch
+io_uring-io-wq-free-worker-if-task_work-creation-is-canceled.patch
+io_uring-io-wq-only-free-worker-if-it-was-allocated-for-creation.patch
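Review bot: In the second queued patch, `cb->func` is compared only after `io_worker_cancel_cb(worker);` has run, and `cb` is embedded in `worker` (see the `container_of` line), so in the non-allocated case the check reads a field of an object this function does not own. `io_worker_cancel_cb` is not visible here; if it drops the reference that keeps an existing worker alive, the comparison could touch released memory, which needs confirming against the full file. Sampling the callback first would sidestep the question: `bool allocated = cb->func == create_worker_cont;` before the cancel call, then `if (allocated) kfree(worker);`. As this is a verbatim backport, any such change would have to land upstream first. The enclosing `io_wq_cancel_tw_create` begins outside the hunk.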