From: Greg Kroah-Hartman
Date: Mon, 13 Jan 2025 10:52:16 +0000 (+0100)
Subject: 6.12-stable patches
X-Git-Tag: v6.1.125~20
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1e726fb9e995bfa4539b8830caa5e038622d3387;p=thirdparty%2Fkernel%2Fstable-queue.git

6.12-stable patches

added patches:
	io_uring-eventfd-ensure-io_eventfd_signal-defers-another-rcu-period.patch
---

diff --git a/queue-6.12/io_uring-eventfd-ensure-io_eventfd_signal-defers-another-rcu-period.patch b/queue-6.12/io_uring-eventfd-ensure-io_eventfd_signal-defers-another-rcu-period.patch new file mode 100644 index 00000000000..c6b485f53d8 --- /dev/null +++ b/queue-6.12/io_uring-eventfd-ensure-io_eventfd_signal-defers-another-rcu-period.patch 
@@ -0,0 +1,38 @@ +From 5bf17fd4610dd0224652e6aa1d3ead093778ee4d Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Wed, 8 Jan 2025 10:28:05 -0700 +Subject: io_uring/eventfd: ensure io_eventfd_signal() defers another RCU period + +From: Jens Axboe + +Commit c9a40292a44e78f71258b8522655bffaf5753bdb upstream. + +io_eventfd_do_signal() is invoked from an RCU callback, but when +dropping the reference to the io_ev_fd, it calls io_eventfd_free() +directly if the refcount drops to zero. This isn't correct, as any +potential freeing of the io_ev_fd should be deferred another RCU grace +period. + +Just call io_eventfd_put() rather than open-code the dec-and-test and +free, which will correctly defer it another RCU grace period. + +Fixes: 21a091b970cd ("io_uring: signal registered eventfd to process deferred task work") +Reported-by: Jann Horn +Cc: stable@vger.kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/eventfd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/io_uring/eventfd.c ++++ b/io_uring/eventfd.c +@@ -38,7 +38,7 @@ static void io_eventfd_do_signal(struct + eventfd_signal_mask(ev_fd->cq_ev_fd, EPOLL_URING_WAKE); + + if (refcount_dec_and_test(&ev_fd->refs)) +- io_eventfd_free(rcu); ++ call_rcu(&ev_fd->rcu, io_eventfd_free); + } + + void io_eventfd_signal(struct io_ring_ctx *ctx) diff --git a/queue-6.12/series b/queue-6.12/series index d4053c10408..32b1f27d772 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -171,3 +171,4 @@ iio-adc-at91-call-input_free_device-on-allocated-iio_dev.patch iio-inkern-call-iio_device_put-only-on-mapped-devices.patch iio-adc-ad7173-fix-using-shared-static-info-struct.patch iio-adc-ad7124-disable-all-channels-at-probe-time.patch +io_uring-eventfd-ensure-io_eventfd_signal-defers-another-rcu-period.patch
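Review bot: The changelog and the code disagree in the io_uring/eventfd.c hunk of the queued patch: the message says to "just call io_eventfd_put() rather than open-code the dec-and-test and free", but io_eventfd_do_signal() still open-codes refcount_dec_and_test(&ev_fd->refs) and only replaces io_eventfd_free(rcu) with call_rcu(&ev_fd->rcu, io_eventfd_free). The new line does defer the free by another RCU grace period, which is the stated goal, so the fix looks right in effect; what is missing is a short bracketed note in the changelog, above the stable Signed-off-by, recording that this queue entry uses an open-coded call_rcu() instead of the io_eventfd_put() call the message describes. Without it, anyone comparing this entry against commit c9a40292a44e78f71258b8522655bffaf5753bdb will read the difference as a mis-applied backport. Since the removed line passed the callback's own `rcu` argument and the added line passes &ev_fd->rcu, it is also worth confirming against the part of the function outside the visible context that both name the same rcu_head.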