From: Greg Kroah-Hartman Date: Mon, 11 Dec 2023 13:23:20 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v4.14.333~33 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=549f3e22a4d3eacb1177216b0ddede434c4660d1;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: io_uring-af_unix-disable-sending-io_uring-over-sockets.patch
---
diff --git a/queue-5.10/io_uring-af_unix-disable-sending-io_uring-over-sockets.patch b/queue-5.10/io_uring-af_unix-disable-sending-io_uring-over-sockets.patch
new file mode 100644
index 00000000000..bc2518f29ad
--- /dev/null
+++ b/queue-5.10/io_uring-af_unix-disable-sending-io_uring-over-sockets.patch
@@ -0,0 +1,128 @@
+From 2ad25288b0f67d4a5120fe9fe6279ef6635bb986 Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov
+Date: Wed, 6 Dec 2023 13:26:47 +0000
+Subject: io_uring/af_unix: disable sending io_uring over sockets
+
+From: Pavel Begunkov
+
+commit 705318a99a138c29a512a72c3e0043b3cd7f55f4 upstream.
+
+File reference cycles have caused lots of problems for io_uring
+in the past, and it still doesn't work exactly right and races with
+unix_stream_read_generic(). The safest fix would be to completely
+disallow sending io_uring files via sockets via SCM_RIGHT, so there
+are no possible cycles invloving registered files and thus rendering
+SCM accounting on the io_uring side unnecessary.
+
+Cc:
+Fixes: 0091bfc81741b ("io_uring/af_unix: defer registered files gc to io_uring release")
+Reported-and-suggested-by: Jann Horn
+Signed-off-by: Pavel Begunkov
+Link: https://lore.kernel.org/r/c716c88321939156909cfa1bd8b0faaf1c804103.1701868795.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ io_uring/io_uring.c | 55 ----------------------------------------------------
+ net/core/scm.c | 6 +++++
+ 2 files changed, 6 insertions(+), 55 deletions(-)
+
+--- a/io_uring/io_uring.c
++++ b/io_uring/io_uring.c
+@@ -8452,49 +8452,6 @@ out_free:
+ return ret;
+ }
+
+-static int io_sqe_file_register(struct io_ring_ctx *ctx, struct file *file,
+- int index)
+-{
+-#if defined(CONFIG_UNIX)
+- struct sock *sock = ctx->ring_sock->sk;
+- struct sk_buff_head *head = &sock->sk_receive_queue;
+- struct sk_buff *skb;
+-
+- /*
+- * See if we can merge this file into an existing skb SCM_RIGHTS
+- * file set. If there's no room, fall back to allocating a new skb
+- * and filling it in.
+- */
+- spin_lock_irq(&head->lock);
+- skb = skb_peek(head);
+- if (skb) {
+- struct scm_fp_list *fpl = UNIXCB(skb).fp;
+-
+- if (fpl->count < SCM_MAX_FD) {
+- __skb_unlink(skb, head);
+- spin_unlock_irq(&head->lock);
+- fpl->fp[fpl->count] = get_file(file);
+- unix_inflight(fpl->user, fpl->fp[fpl->count]);
+- fpl->count++;
+- spin_lock_irq(&head->lock);
+- __skb_queue_head(head, skb);
+- } else {
+- skb = NULL;
+- }
+- }
+- spin_unlock_irq(&head->lock);
+-
+- if (skb) {
+- fput(file);
+- return 0;
+- }
+-
+- return __io_sqe_files_scm(ctx, 1, index);
+-#else
+- return 0;
+-#endif
+-}
+-
+ static int io_queue_rsrc_removal(struct io_rsrc_data *data, unsigned idx,
+ struct io_rsrc_node *node, void *rsrc)
+ {
+@@ -8552,12 +8509,6 @@ static int io_install_fixed_file(struct
+
+ *io_get_tag_slot(ctx->file_data, slot_index) = 0;
+ io_fixed_file_set(file_slot, file);
+- ret = io_sqe_file_register(ctx, file, slot_index);
+- if (ret) {
+- file_slot->file_ptr = 0;
+- goto err;
+- }
+-
+ ret = 0;
+ err:
+ if (needs_switch)
+@@ -8671,12 +8622,6 @@ static int __io_sqe_files_update(struct
+ }
+ *io_get_tag_slot(data, i) = tag;
+ io_fixed_file_set(file_slot, file);
+- err = io_sqe_file_register(ctx, file, i);
+- if (err) {
+- file_slot->file_ptr = 0;
+- fput(file);
+- break;
+- }
+ }
+ }
+
+--- a/net/core/scm.c
++++ b/net/core/scm.c
+@@ -26,6 +26,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+
+@@ -103,6 +104,11 @@ static int scm_fp_copy(struct cmsghdr *c
+
+ if (fd < 0 || !(file = fget_raw(fd)))
+ return -EBADF;
++ /* don't allow io_uring files */
++ if (io_uring_get_socket(file)) {
++ fput(file);
++ return -EINVAL;
++ }
+ *fpp++ = file;
+ fpl->count++;
+ }
diff --git a/queue-5.10/series b/queue-5.10/series
index 05fd3959395..fa65f1fd7b1 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
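Review bot: Dropping the `io_sqe_file_register()` calls from `io_install_fixed_file()` and `__io_sqe_files_update()` means files installed through those two paths are no longer attached to `ring_sock`'s `sk_receive_queue`, while the diffstat shows no matching change on the release side of io_uring.c. That release code is not visible here, and both function bodies start and end outside their hunks. If it still locates a registered file by searching the queued SCM_RIGHTS skbs and drops the reference only when it finds one, every file installed this way would be leaked on CONFIG_UNIX builds. Please confirm that the put path falls back to a plain `fput(file)` when the file is in no skb, or add that fallback to this backport. In `scm_fp_copy()` the `fput(file)` before `return -EINVAL` is right because the file is not yet stored in `fpl`, and the comment could give the reason, e.g. `/* refuse io_uring files: passing them via SCM_RIGHTS can create file reference cycles */`.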
@@ -79,3 +79,4 @@ x86-cpu-amd-check-vendor-in-the-amd-microcode-callback.patch
 kvm-s390-mm-properly-reset-no-dat.patch
 mips-loongson64-reserve-vgabios-memory-on-boot.patch
 mips-loongson64-enable-dma-noncoherent-support.patch
+io_uring-af_unix-disable-sending-io_uring-over-sockets.patch