From: Greg Kroah-Hartman
Date: Mon, 13 Jan 2025 10:52:05 +0000 (+0100)
Subject: 6.6-stable patches
X-Git-Tag: v6.1.125~21
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=62adb0905fcf16afe942900d638de392e3c57be3;p=thirdparty%2Fkernel%2Fstable-queue.git

6.6-stable patches

added patches:
	io_uring-eventfd-ensure-io_eventfd_signal-defers-another-rcu-period.patch
---

diff --git a/queue-6.6/io_uring-eventfd-ensure-io_eventfd_signal-defers-another-rcu-period.patch b/queue-6.6/io_uring-eventfd-ensure-io_eventfd_signal-defers-another-rcu-period.patch
new file mode 100644
index 00000000000..731efb4e596
--- /dev/null
+++ b/queue-6.6/io_uring-eventfd-ensure-io_eventfd_signal-defers-another-rcu-period.patch
@@ -0,0 +1,56 @@
+From 981586dd7b85fc424d59be8414255ad46251958c Mon Sep 17 00:00:00 2001
+From: Jens Axboe
+Date: Wed, 8 Jan 2025 11:16:13 -0700
+Subject: io_uring/eventfd: ensure io_eventfd_signal() defers another RCU period
+
+From: Jens Axboe
+
+Commit c9a40292a44e78f71258b8522655bffaf5753bdb upstream.
+
+io_eventfd_do_signal() is invoked from an RCU callback, but when
+dropping the reference to the io_ev_fd, it calls io_eventfd_free()
+directly if the refcount drops to zero. This isn't correct, as any
+potential freeing of the io_ev_fd should be deferred another RCU grace
+period.
+
+Just call io_eventfd_put() rather than open-code the dec-and-test and
+free, which will correctly defer it another RCU grace period.
+
+Fixes: 21a091b970cd ("io_uring: signal registered eventfd to process deferred task work")
+Reported-by: Jann Horn
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+---
+ io_uring/io_uring.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/io_uring/io_uring.c
++++ b/io_uring/io_uring.c
+@@ -537,6 +537,13 @@ static __cold void io_queue_deferred(str
+ }
+ }
+
++static void io_eventfd_free(struct rcu_head *rcu)
++{
++ struct io_ev_fd *ev_fd = container_of(rcu, struct io_ev_fd, rcu);
+
++ eventfd_ctx_put(ev_fd->cq_ev_fd);
++ kfree(ev_fd);
++}
+
+ static void io_eventfd_ops(struct rcu_head *rcu)
+ {
+@@ -550,10 +557,8 @@ static void io_eventfd_ops(struct rcu_he
+ * ordering in a race but if references are 0 we know we have to free
+ * it regardless.
+ */
+- if (atomic_dec_and_test(&ev_fd->refs)) {
+- eventfd_ctx_put(ev_fd->cq_ev_fd);
+- kfree(ev_fd);
+- }
++ if (atomic_dec_and_test(&ev_fd->refs))
++ call_rcu(&ev_fd->rcu, io_eventfd_free);
+ }
+
+ static void io_eventfd_signal(struct io_ring_ctx *ctx)
diff --git a/queue-6.6/series b/queue-6.6/series
index 45a9ff3851c..d6712b0cc5c 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
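Review bot: The backported code does not do what the patch description says it does — the description says to `Just call io_eventfd_put()`, but neither hunk in `io_uring/io_uring.c` calls that helper; the patch instead adds a new `io_eventfd_free()` RCU callback and open-codes a second `call_rcu()` in `io_eventfd_ops()`, presumably because the 6.6 tree does not have the upstream helper shape, though the patch does not say so. A one-line backport note above the stable `Signed-off-by:`, e.g. `[ 6.6 backport: no io_eventfd_put() here, so queue io_eventfd_free() via call_rcu() from io_eventfd_ops() instead ]`, would make the deviation from c9a40292a44e visibly intentional to the next person comparing the two. In the second hunk the comment that ends `it regardless.` now sits above a deferred free rather than an in-place one; appending `(deferred by another RCU grace period, since this runs from an RCU callback)` would keep it accurate — the body of `io_eventfd_ops()` begins outside the hunk. Re-queuing `ev_fd->rcu` from within its own callback looks fine because the head is no longer pending once the callback runs, but that relies on no other `call_rcu()` user of the same head, which cannot be confirmed from this hunk.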
@@ -113,3 +113,4 @@ iio-adc-at91-call-input_free_device-on-allocated-iio_dev.patch
 iio-inkern-call-iio_device_put-only-on-mapped-devices.patch
 iio-adc-ad7124-disable-all-channels-at-probe-time.patch
 riscv-kprobes-fix-incorrect-address-calculation.patch
+io_uring-eventfd-ensure-io_eventfd_signal-defers-another-rcu-period.patch