--- /dev/null
+From a185f1db59f13de73aa470559030e90e50b34d93 Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Tue, 23 Mar 2021 10:52:38 +0000
+Subject: io_uring: do ctx sqd ejection in a clear context
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit a185f1db59f13de73aa470559030e90e50b34d93 upstream.
+
+WARNING: CPU: 1 PID: 27907 at fs/io_uring.c:7147 io_sq_thread_park+0xb5/0xd0 fs/io_uring.c:7147
+CPU: 1 PID: 27907 Comm: iou-sqp-27905 Not tainted 5.12.0-rc4-syzkaller #0
+RIP: 0010:io_sq_thread_park+0xb5/0xd0 fs/io_uring.c:7147
+Call Trace:
+ io_ring_ctx_wait_and_kill+0x214/0x700 fs/io_uring.c:8619
+ io_uring_release+0x3e/0x50 fs/io_uring.c:8646
+ __fput+0x288/0x920 fs/file_table.c:280
+ task_work_run+0xdd/0x1a0 kernel/task_work.c:140
+ io_run_task_work fs/io_uring.c:2238 [inline]
+ io_run_task_work fs/io_uring.c:2228 [inline]
+ io_uring_try_cancel_requests+0x8ec/0xc60 fs/io_uring.c:8770
+ io_uring_cancel_sqpoll+0x1cf/0x290 fs/io_uring.c:8974
+ io_sqpoll_cancel_cb+0x87/0xb0 fs/io_uring.c:8907
+ io_run_task_work_head+0x58/0xb0 fs/io_uring.c:1961
+ io_sq_thread+0x3e2/0x18d0 fs/io_uring.c:6763
+ ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294
+
+May happen that last ctx ref is killed in io_uring_cancel_sqpoll(), so
+fput callback (i.e. io_uring_release()) is enqueued through task_work,
+and run by same cancellation. As it's deeply nested we can't do parking
+or taking sqd->lock there, because its state is unclear. So avoid
+ctx ejection from sqd list from io_ring_ctx_wait_and_kill() and do it
+in a clear context in io_ring_exit_work().
+
+Fixes: f6d54255f423 ("io_uring: halt SQO submission on ctx exit")
+Reported-by: syzbot+e3a3f84f5cecf61f0583@syzkaller.appspotmail.com
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/e90df88b8ff2cabb14a7534601d35d62ab4cb8c7.1616496707.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/io_uring.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -8738,6 +8738,14 @@ static __poll_t io_uring_poll(struct fil
+ if (!io_sqring_full(ctx))
+ mask |= EPOLLOUT | EPOLLWRNORM;
+
++ /* prevent SQPOLL from submitting new requests */
++ if (ctx->sq_data) {
++ io_sq_thread_park(ctx->sq_data);
++ list_del_init(&ctx->sqd_list);
++ io_sqd_update_thread_idle(ctx->sq_data);
++ io_sq_thread_unpark(ctx->sq_data);
++ }
++
+ /*
+ * Don't flush cqring overflow list here, just do a simple check.
+ * Otherwise there could possible be ABBA deadlock:
+@@ -8816,14 +8824,6 @@ static void io_ring_ctx_wait_and_kill(st
+ __io_cqring_overflow_flush(ctx, true, NULL, NULL);
+ mutex_unlock(&ctx->uring_lock);
+
+- /* prevent SQPOLL from submitting new requests */
+- if (ctx->sq_data) {
+- io_sq_thread_park(ctx->sq_data);
+- list_del_init(&ctx->sqd_list);
+- io_sqd_update_thread_idle(ctx->sq_data);
+- io_sq_thread_unpark(ctx->sq_data);
+- }
+-
+ io_kill_timeouts(ctx, NULL, NULL);
+ io_poll_remove_all(ctx, NULL, NULL);
+
--- /dev/null
+From 285a76bb2cf51b0c74c634f2aaccdb93e1f2a359 Mon Sep 17 00:00:00 2001
+From: Ben Dooks <ben.dooks@codethink.co.uk>
+Date: Mon, 29 Mar 2021 10:57:49 +0100
+Subject: riscv: evaluate put_user() arg before enabling user access
+
+From: Ben Dooks <ben.dooks@codethink.co.uk>
+
+commit 285a76bb2cf51b0c74c634f2aaccdb93e1f2a359 upstream.
+
+The <asm/uaccess.h> header has a problem with put_user(a, ptr) if
+the 'a' is not a simple variable, such as a function. This can lead
+to the compiler producing code as so:
+
+1: enable_user_access()
+2: evaluate 'a' into register 'r'
+3: put 'r' to 'ptr'
+4: disable_user_acess()
+
+The issue is that 'a' is now being evaluated with the user memory
+protections disabled. So we try and force the evaulation by assigning
+'x' to __val at the start, and hoping the compiler barriers in
+ enable_user_access() do the job of ordering step 2 before step 1.
+
+This has shown up in a bug where 'a' sleeps and thus schedules out
+and loses the SR_SUM flag. This isn't sufficient to fully fix, but
+should reduce the window of opportunity. The first instance of this
+we found is in scheudle_tail() where the code does:
+
+$ less -N kernel/sched/core.c
+
+4263 if (current->set_child_tid)
+4264 put_user(task_pid_vnr(current), current->set_child_tid);
+
+Here, the task_pid_vnr(current) is called within the block that has
+enabled the user memory access. This can be made worse with KASAN
+which makes task_pid_vnr() a rather large call with plenty of
+opportunity to sleep.
+
+Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk>
+Reported-by: syzbot+e74b94fe601ab9552d69@syzkaller.appspotmail.com
+Suggested-by: Arnd Bergman <arnd@arndb.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+--
+Changes since v1:
+- fixed formatting and updated the patch description with more info
+
+Changes since v2:
+- fixed commenting on __put_user() (schwab@linux-m68k.org)
+
+Change since v3:
+- fixed RFC in patch title. Should be ready to merge.
+
+Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
+---
+ arch/riscv/include/asm/uaccess.h | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/arch/riscv/include/asm/uaccess.h
++++ b/arch/riscv/include/asm/uaccess.h
+@@ -306,7 +306,9 @@ do { \
+ * data types like structures or arrays.
+ *
+ * @ptr must have pointer-to-simple-variable type, and @x must be assignable
+- * to the result of dereferencing @ptr.
++ * to the result of dereferencing @ptr. The value of @x is copied to avoid
++ * re-ordering where @x is evaluated inside the block that enables user-space
++ * access (thus bypassing user space protection if @x is a function).
+ *
+ * Caller must check the pointer with access_ok() before calling this
+ * function.
+@@ -316,12 +318,13 @@ do { \
+ #define __put_user(x, ptr) \
+ ({ \
+ __typeof__(*(ptr)) __user *__gu_ptr = (ptr); \
++ __typeof__(*__gu_ptr) __val = (x); \
+ long __pu_err = 0; \
+ \
+ __chk_user_ptr(__gu_ptr); \
+ \
+ __enable_user_access(); \
+- __put_user_nocheck(x, __gu_ptr, __pu_err); \
++ __put_user_nocheck(__val, __gu_ptr, __pu_err); \
+ __disable_user_access(); \
+ \
+ __pu_err; \
staging-rtl8192e-change-state-information-from-u16-to-u8.patch
driver-core-clear-deferred-probe-reason-on-probe-retry.patch
drivers-video-fbcon-fix-null-dereference-in-fbcon_cursor.patch
+riscv-evaluate-put_user-arg-before-enabling-user-access.patch
+io_uring-do-ctx-sqd-ejection-in-a-clear-context.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
