From: Greg Kroah-Hartman
Date: Mon, 11 Dec 2023 13:23:10 +0000 (+0100)
Subject: 5.4-stable patches
X-Git-Tag: v4.14.333~34
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0b4b41e41042601cafbdf5372652d412e3401fd6;p=thirdparty%2Fkernel%2Fstable-queue.git
5.4-stable patches added patches: io_uring-af_unix-disable-sending-io_uring-over-sockets.patch
---
diff --git a/queue-5.4/io_uring-af_unix-disable-sending-io_uring-over-sockets.patch b/queue-5.4/io_uring-af_unix-disable-sending-io_uring-over-sockets.patch
new file mode 100644
index 00000000000..9fc2f894ec1
--- /dev/null
+++ b/queue-5.4/io_uring-af_unix-disable-sending-io_uring-over-sockets.patch
@@ -0,0 +1,167 @@
+From 2ad25288b0f67d4a5120fe9fe6279ef6635bb986 Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov
+Date: Wed, 6 Dec 2023 13:26:47 +0000
+Subject: io_uring/af_unix: disable sending io_uring over sockets
+
+From: Pavel Begunkov
+
+commit 705318a99a138c29a512a72c3e0043b3cd7f55f4 upstream.
+
+File reference cycles have caused lots of problems for io_uring
+in the past, and it still doesn't work exactly right and races with
+unix_stream_read_generic(). The safest fix would be to completely
+disallow sending io_uring files via sockets via SCM_RIGHT, so there
+are no possible cycles invloving registered files and thus rendering
+SCM accounting on the io_uring side unnecessary.
+
+Cc:
+Fixes: 0091bfc81741b ("io_uring/af_unix: defer registered files gc to io_uring release")
+Reported-and-suggested-by: Jann Horn
+Signed-off-by: Pavel Begunkov
+Link: https://lore.kernel.org/r/c716c88321939156909cfa1bd8b0faaf1c804103.1701868795.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/io_uring.c | 101 ---------------------------------------------------------
+ net/core/scm.c | 6 +++
+ 2 files changed, 7 insertions(+), 100 deletions(-)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -3137,101 +3137,6 @@ static void io_finish_async(struct io_ri
+ }
+ }
+
+-#if defined(CONFIG_UNIX)
+-static void io_destruct_skb(struct sk_buff *skb)
+-{
+- struct io_ring_ctx *ctx = skb->sk->sk_user_data;
+- int i;
+-
+- for (i = 0; i < ARRAY_SIZE(ctx->sqo_wq); i++)
+- if (ctx->sqo_wq[i])
+- flush_workqueue(ctx->sqo_wq[i]);
+-
+- unix_destruct_scm(skb);
+-}
+-
+-/*
+- * Ensure the UNIX gc is aware of our file set, so we are certain that
+- * the io_uring can be safely unregistered on process exit, even if we have
+- * loops in the file referencing.
+- */
+-static int __io_sqe_files_scm(struct io_ring_ctx *ctx, int nr, int offset)
+-{
+- struct sock *sk = ctx->ring_sock->sk;
+- struct scm_fp_list *fpl;
+- struct sk_buff *skb;
+- int i;
+-
+- fpl = kzalloc(sizeof(*fpl), GFP_KERNEL);
+- if (!fpl)
+- return -ENOMEM;
+-
+- skb = alloc_skb(0, GFP_KERNEL);
+- if (!skb) {
+- kfree(fpl);
+- return -ENOMEM;
+- }
+-
+- skb->sk = sk;
+- skb->scm_io_uring = 1;
+- skb->destructor = io_destruct_skb;
+-
+- fpl->user = get_uid(ctx->user);
+- for (i = 0; i < nr; i++) {
+- fpl->fp[i] = get_file(ctx->user_files[i + offset]);
+- unix_inflight(fpl->user, fpl->fp[i]);
+- }
+-
+- fpl->max = fpl->count = nr;
+- UNIXCB(skb).fp = fpl;
+- refcount_add(skb->truesize, &sk->sk_wmem_alloc);
+- skb_queue_head(&sk->sk_receive_queue, skb);
+-
+- for (i = 0; i < nr; i++)
+- fput(fpl->fp[i]);
+-
+- return 0;
+-}
+-
+-/*
+- * If UNIX sockets are enabled, fd passing can cause a reference cycle which
+- * causes regular reference counting to break down. We rely on the UNIX
+- * garbage collection to take care of this problem for us.
+- */
+-static int io_sqe_files_scm(struct io_ring_ctx *ctx)
+-{
+- unsigned left, total;
+- int ret = 0;
+-
+- total = 0;
+- left = ctx->nr_user_files;
+- while (left) {
+- unsigned this_files = min_t(unsigned, left, SCM_MAX_FD);
+-
+- ret = __io_sqe_files_scm(ctx, this_files, total);
+- if (ret)
+- break;
+- left -= this_files;
+- total += this_files;
+- }
+-
+- if (!ret)
+- return 0;
+-
+- while (total < ctx->nr_user_files) {
+- fput(ctx->user_files[total]);
+- total++;
+- }
+-
+- return ret;
+-}
+-#else
+-static int io_sqe_files_scm(struct io_ring_ctx *ctx)
+-{
+- return 0;
+-}
+-#endif
+-
+ static int io_sqe_files_register(struct io_ring_ctx *ctx, void __user *arg,
+ unsigned nr_args)
+ {
+@@ -3285,11 +3190,7 @@ static int io_sqe_files_register(struct
+ return ret;
+ }
+
+- ret = io_sqe_files_scm(ctx);
+- if (ret)
+- io_sqe_files_unregister(ctx);
+-
+- return ret;
++ return 0;
+ }
+
+ static int io_sq_offload_start(struct io_ring_ctx *ctx,
+--- a/net/core/scm.c
++++ b/net/core/scm.c
+@@ -26,6 +26,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+
+@@ -103,6 +104,11 @@ static int scm_fp_copy(struct cmsghdr *c
+
+ if (fd < 0 || !(file = fget_raw(fd)))
+ return -EBADF;
++ /* don't allow io_uring files */
++ if (io_uring_get_socket(file)) {
++ fput(file);
++ return -EINVAL;
++ }
+ *fpp++ = file;
+ fpl->count++;
+ }
diff --git a/queue-5.4/nilfs2-fix-missing-error-check-for-sb_set_blocksize-call.patch b/queue-5.4/nilfs2-fix-missing-error-check-for-sb_set_blocksize-call.patch
index 487a84df8c8..af85a21c2e8 100644
--- a/queue-5.4/nilfs2-fix-missing-error-check-for-sb_set_blocksize-call.patch
+++ b/queue-5.4/nilfs2-fix-missing-error-check-for-sb_set_blocksize-call.patch
@@ -70,7 +70,7 @@
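Review bot: The check added to scm_fp_copy() is commented only as `/* don't allow io_uring files */`, which does not say why, even though it becomes the sole guard once this same patch deletes io_sqe_files_scm() and __io_sqe_files_scm() and registered files are no longer reported through unix_inflight(). I would expand it to something like `/* io_uring files must never travel over SCM_RIGHTS: registered files are no longer accounted to the unix gc, so a reference cycle through a ring could not be collected */`. The new path returns -EINVAL after fput(file), mirroring the -EBADF return just above; files already stored in fpl are presumably released by the caller as on that path, but scm_fp_copy()'s body starts and ends outside the hunk, so that is worth confirming against the 5.4 tree. The removed `skb->scm_io_uring = 1;` is the only writer of that flag visible here, so any remaining readers in 5.4 are likely dead code after this backport.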
Signed-off-by: Greg Kroah-Hartman
 nilfs_release_super_block(nilfs);
 - sb_set_blocksize(sb, blocksize);
 + if (!sb_set_blocksize(sb, blocksize)) {
-+ nilfs_error(sb, "bad blocksize %d", blocksize);
++ nilfs_msg(sb, KERN_ERR, "bad blocksize %d", blocksize);
 + err = -EINVAL;
 + goto out;
 + }
diff --git a/queue-5.4/series b/queue-5.4/series
index 805abf7f9eb..af8368f65d7 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -33,7 +33,6 @@ arm-imx-check-return-value-of-devm_kasprintf-in-imx_.patch
 arm-dts-imx-make-gpt-node-name-generic.patch
 arm-dts-imx7-declare-timers-compatible-with-fsl-imx6.patch
 alsa-pcm-fix-out-of-bounds-in-snd_pcm_state_names.patch
-nilfs2-fix-missing-error-check-for-sb_set_blocksize-call.patch
 nilfs2-prevent-warning-in-nilfs_sufile_set_segment_usage.patch
 tracing-always-update-snapshot-buffer-size.patch
 tracing-fix-incomplete-locking-when-disabling-buffered-events.patch
@@ -54,3 +53,5 @@ serial-sc16is7xx-address-rx-timeout-interrupt-errata.patch
 serial-8250_omap-add-earlycon-support-for-the-am654-uart-controller.patch
 x86-cpu-amd-check-vendor-in-the-amd-microcode-callback.patch
 kvm-s390-mm-properly-reset-no-dat.patch
+nilfs2-fix-missing-error-check-for-sb_set_blocksize-call.patch
+io_uring-af_unix-disable-sending-io_uring-over-sockets.patch
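Review bot: The queued nilfs2 patch is edited in place, swapping `nilfs_error(sb, "bad blocksize %d", blocksize);` for `nilfs_msg(sb, KERN_ERR, "bad blocksize %d", blocksize);`, but the commit description lists only the added io_uring patch and mentions neither this change nor the patch's move to the end of `series`. As far as I know the two calls are not interchangeable in nilfs2, since nilfs_error() is the filesystem-error handler while nilfs_msg() only logs. The reason for the swap, presumably to avoid invoking the error handler on a mount-time failure in 5.4, should therefore be recorded, for example as a bracketed backport note above the sign-offs in the patch's changelog. The patch header lies outside this hunk, so I cannot tell whether such a note already exists.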