From 18e8f001fe93334a66f948872b305d0295303d7e Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 5 Apr 2021 10:27:50 +0200 Subject: [PATCH] 5.11-stable patches added patches: io_uring-do-ctx-sqd-ejection-in-a-clear-context.patch riscv-evaluate-put_user-arg-before-enabling-user-access.patch --- ...-ctx-sqd-ejection-in-a-clear-context.patch | 75 ++++++++++++++++ ...user-arg-before-enabling-user-access.patch | 86 +++++++++++++++++++ queue-5.11/series | 2 + 3 files changed, 163 insertions(+) create mode 100644 queue-5.11/io_uring-do-ctx-sqd-ejection-in-a-clear-context.patch create mode 100644 queue-5.11/riscv-evaluate-put_user-arg-before-enabling-user-access.patch diff --git a/queue-5.11/io_uring-do-ctx-sqd-ejection-in-a-clear-context.patch b/queue-5.11/io_uring-do-ctx-sqd-ejection-in-a-clear-context.patch new file mode 100644 index 00000000000..42cd6db4aee --- /dev/null +++ b/queue-5.11/io_uring-do-ctx-sqd-ejection-in-a-clear-context.patch @@ -0,0 +1,75 @@ +From a185f1db59f13de73aa470559030e90e50b34d93 Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Tue, 23 Mar 2021 10:52:38 +0000 +Subject: io_uring: do ctx sqd ejection in a clear context + +From: Pavel Begunkov + +commit a185f1db59f13de73aa470559030e90e50b34d93 upstream. + +WARNING: CPU: 1 PID: 27907 at fs/io_uring.c:7147 io_sq_thread_park+0xb5/0xd0 fs/io_uring.c:7147 +CPU: 1 PID: 27907 Comm: iou-sqp-27905 Not tainted 5.12.0-rc4-syzkaller #0 +RIP: 0010:io_sq_thread_park+0xb5/0xd0 fs/io_uring.c:7147 +Call Trace: + io_ring_ctx_wait_and_kill+0x214/0x700 fs/io_uring.c:8619 + io_uring_release+0x3e/0x50 fs/io_uring.c:8646 + __fput+0x288/0x920 fs/file_table.c:280 + task_work_run+0xdd/0x1a0 kernel/task_work.c:140 + io_run_task_work fs/io_uring.c:2238 [inline] + io_run_task_work fs/io_uring.c:2228 [inline] + io_uring_try_cancel_requests+0x8ec/0xc60 fs/io_uring.c:8770 + io_uring_cancel_sqpoll+0x1cf/0x290 fs/io_uring.c:8974 + io_sqpoll_cancel_cb+0x87/0xb0 fs/io_uring.c:8907 + io_run_task_work_head+0x58/0xb0 fs/io_uring.c:1961 + io_sq_thread+0x3e2/0x18d0 fs/io_uring.c:6763 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 + +May happen that last ctx ref is killed in io_uring_cancel_sqpoll(), so +fput callback (i.e. io_uring_release()) is enqueued through task_work, +and run by same cancellation. As it's deeply nested we can't do parking +or taking sqd->lock there, because its state is unclear. So avoid +ctx ejection from sqd list from io_ring_ctx_wait_and_kill() and do it +in a clear context in io_ring_exit_work(). + +Fixes: f6d54255f423 ("io_uring: halt SQO submission on ctx exit") +Reported-by: syzbot+e3a3f84f5cecf61f0583@syzkaller.appspotmail.com +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/e90df88b8ff2cabb14a7534601d35d62ab4cb8c7.1616496707.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + fs/io_uring.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -8738,6 +8738,14 @@ static __poll_t io_uring_poll(struct fil + if (!io_sqring_full(ctx)) + mask |= EPOLLOUT | EPOLLWRNORM; + ++ /* prevent SQPOLL from submitting new requests */ ++ if (ctx->sq_data) { ++ io_sq_thread_park(ctx->sq_data); ++ list_del_init(&ctx->sqd_list); ++ io_sqd_update_thread_idle(ctx->sq_data); ++ io_sq_thread_unpark(ctx->sq_data); ++ } ++ + /* + * Don't flush cqring overflow list here, just do a simple check. + * Otherwise there could possible be ABBA deadlock: +@@ -8816,14 +8824,6 @@ static void io_ring_ctx_wait_and_kill(st + __io_cqring_overflow_flush(ctx, true, NULL, NULL); + mutex_unlock(&ctx->uring_lock); + +- /* prevent SQPOLL from submitting new requests */ +- if (ctx->sq_data) { +- io_sq_thread_park(ctx->sq_data); +- list_del_init(&ctx->sqd_list); +- io_sqd_update_thread_idle(ctx->sq_data); +- io_sq_thread_unpark(ctx->sq_data); +- } +- + io_kill_timeouts(ctx, NULL, NULL); + io_poll_remove_all(ctx, NULL, NULL); + diff --git a/queue-5.11/riscv-evaluate-put_user-arg-before-enabling-user-access.patch b/queue-5.11/riscv-evaluate-put_user-arg-before-enabling-user-access.patch new file mode 100644 index 00000000000..aea74bd4eff --- /dev/null +++ b/queue-5.11/riscv-evaluate-put_user-arg-before-enabling-user-access.patch @@ -0,0 +1,86 @@ +From 285a76bb2cf51b0c74c634f2aaccdb93e1f2a359 Mon Sep 17 00:00:00 2001 +From: Ben Dooks +Date: Mon, 29 Mar 2021 10:57:49 +0100 +Subject: riscv: evaluate put_user() arg before enabling user access + +From: Ben Dooks + +commit 285a76bb2cf51b0c74c634f2aaccdb93e1f2a359 upstream. + +The header has a problem with put_user(a, ptr) if +the 'a' is not a simple variable, such as a function. This can lead +to the compiler producing code as so: + +1: enable_user_access() +2: evaluate 'a' into register 'r' +3: put 'r' to 'ptr' +4: disable_user_acess() + +The issue is that 'a' is now being evaluated with the user memory +protections disabled. So we try and force the evaulation by assigning +'x' to __val at the start, and hoping the compiler barriers in + enable_user_access() do the job of ordering step 2 before step 1. + +This has shown up in a bug where 'a' sleeps and thus schedules out +and loses the SR_SUM flag. This isn't sufficient to fully fix, but +should reduce the window of opportunity. The first instance of this +we found is in scheudle_tail() where the code does: + +$ less -N kernel/sched/core.c + +4263 if (current->set_child_tid) +4264 put_user(task_pid_vnr(current), current->set_child_tid); + +Here, the task_pid_vnr(current) is called within the block that has +enabled the user memory access. This can be made worse with KASAN +which makes task_pid_vnr() a rather large call with plenty of +opportunity to sleep. + +Signed-off-by: Ben Dooks +Reported-by: syzbot+e74b94fe601ab9552d69@syzkaller.appspotmail.com +Suggested-by: Arnd Bergman +Signed-off-by: Greg Kroah-Hartman + +-- +Changes since v1: +- fixed formatting and updated the patch description with more info + +Changes since v2: +- fixed commenting on __put_user() (schwab@linux-m68k.org) + +Change since v3: +- fixed RFC in patch title. Should be ready to merge. + +Signed-off-by: Palmer Dabbelt +--- + arch/riscv/include/asm/uaccess.h | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/arch/riscv/include/asm/uaccess.h ++++ b/arch/riscv/include/asm/uaccess.h +@@ -306,7 +306,9 @@ do { \ + * data types like structures or arrays. + * + * @ptr must have pointer-to-simple-variable type, and @x must be assignable +- * to the result of dereferencing @ptr. ++ * to the result of dereferencing @ptr. The value of @x is copied to avoid ++ * re-ordering where @x is evaluated inside the block that enables user-space ++ * access (thus bypassing user space protection if @x is a function). + * + * Caller must check the pointer with access_ok() before calling this + * function. +@@ -316,12 +318,13 @@ do { \ + #define __put_user(x, ptr) \ + ({ \ + __typeof__(*(ptr)) __user *__gu_ptr = (ptr); \ ++ __typeof__(*__gu_ptr) __val = (x); \ + long __pu_err = 0; \ + \ + __chk_user_ptr(__gu_ptr); \ + \ + __enable_user_access(); \ +- __put_user_nocheck(x, __gu_ptr, __pu_err); \ ++ __put_user_nocheck(__val, __gu_ptr, __pu_err); \ + __disable_user_access(); \ + \ + __pu_err; \ diff --git a/queue-5.11/series b/queue-5.11/series index baf32aaef89..bebbd62feda 100644 --- a/queue-5.11/series +++ b/queue-5.11/series @@ -146,3 +146,5 @@ staging-rtl8192e-fix-incorrect-source-in-memcpy.patch staging-rtl8192e-change-state-information-from-u16-to-u8.patch driver-core-clear-deferred-probe-reason-on-probe-retry.patch drivers-video-fbcon-fix-null-dereference-in-fbcon_cursor.patch +riscv-evaluate-put_user-arg-before-enabling-user-access.patch +io_uring-do-ctx-sqd-ejection-in-a-clear-context.patch -- 2.47.3