+++ /dev/null
-From 2ae2eb9dde18979b40629dd413b9adbd6c894cdf Mon Sep 17 00:00:00 2001
-From: Pavel Begunkov <asml.silence@gmail.com>
-Date: Thu, 9 Sep 2021 13:56:27 +0100
-Subject: io_uring: fail links of cancelled timeouts
-
-From: Pavel Begunkov <asml.silence@gmail.com>
-
-commit 2ae2eb9dde18979b40629dd413b9adbd6c894cdf upstream.
-
-When we cancel a timeout we should mark it with REQ_F_FAIL, so
-linked requests are cancelled as well, but not queued for further
-execution.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
-Link: https://lore.kernel.org/r/fff625b44eeced3a5cae79f60e6acf3fbdf8f990.1631192135.git.asml.silence@gmail.com
-Signed-off-by: Jens Axboe <axboe@kernel.dk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/io_uring.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/fs/io_uring.c
-+++ b/fs/io_uring.c
-@@ -1307,6 +1307,8 @@ static void io_kill_timeout(struct io_ki
- struct io_timeout_data *io = req->async_data;
-
- if (hrtimer_try_to_cancel(&io->timer) != -1) {
-+ if (status)
-+ req_set_fail(req);
- atomic_set(&req->ctx->cq_timeouts,
- atomic_read(&req->ctx->cq_timeouts) + 1);
- list_del_init(&req->timeout.list);
+++ /dev/null
-From 89c2b3b74918200e46699338d7bcc19b1ea12110 Mon Sep 17 00:00:00 2001
-From: Pavel Begunkov <asml.silence@gmail.com>
-Date: Mon, 23 Aug 2021 11:18:45 +0100
-Subject: io_uring: reexpand under-reexpanded iters
-
-From: Pavel Begunkov <asml.silence@gmail.com>
-
-commit 89c2b3b74918200e46699338d7bcc19b1ea12110 upstream.
-
-[ 74.211232] BUG: KASAN: stack-out-of-bounds in iov_iter_revert+0x809/0x900
-[ 74.212778] Read of size 8 at addr ffff888025dc78b8 by task
-syz-executor.0/828
-[ 74.214756] CPU: 0 PID: 828 Comm: syz-executor.0 Not tainted
-5.14.0-rc3-next-20210730 #1
-[ 74.216525] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
-BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
-[ 74.219033] Call Trace:
-[ 74.219683] dump_stack_lvl+0x8b/0xb3
-[ 74.220706] print_address_description.constprop.0+0x1f/0x140
-[ 74.224226] kasan_report.cold+0x7f/0x11b
-[ 74.226085] iov_iter_revert+0x809/0x900
-[ 74.227960] io_write+0x57d/0xe40
-[ 74.232647] io_issue_sqe+0x4da/0x6a80
-[ 74.242578] __io_queue_sqe+0x1ac/0xe60
-[ 74.245358] io_submit_sqes+0x3f6e/0x76a0
-[ 74.248207] __do_sys_io_uring_enter+0x90c/0x1a20
-[ 74.257167] do_syscall_64+0x3b/0x90
-[ 74.257984] entry_SYSCALL_64_after_hwframe+0x44/0xae
-
-old_size = iov_iter_count();
-...
-iov_iter_revert(old_size - iov_iter_count());
-
-If iov_iter_revert() is done base on the initial size as above, and the
-iter is truncated and not reexpanded in the middle, it miscalculates
-borders causing problems. This trace is due to no one reexpanding after
-generic_write_checks().
-
-Now iters store how many bytes has been truncated, so reexpand them to
-the initial state right before reverting.
-
-Cc: stable@vger.kernel.org
-Reported-by: Palash Oswal <oswalpalash@gmail.com>
-Reported-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
-Reported-and-tested-by: syzbot+9671693590ef5aad8953@syzkaller.appspotmail.com
-Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
-Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/io_uring.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/fs/io_uring.c
-+++ b/fs/io_uring.c
-@@ -3316,6 +3316,7 @@ static int io_read(struct io_kiocb *req,
- if (req->flags & REQ_F_NOWAIT)
- goto done;
- /* some cases will consume bytes even on error returns */
-+ iov_iter_reexpand(iter, iter->count + iter->truncated);
- iov_iter_revert(iter, io_size - iov_iter_count(iter));
- ret = 0;
- } else if (ret == -EIOCBQUEUED) {
-@@ -3455,6 +3456,7 @@ done:
- } else {
- copy_iov:
- /* some cases will consume bytes even on error returns */
-+ iov_iter_reexpand(iter, iter->count + iter->truncated);
- iov_iter_revert(iter, io_size - iov_iter_count(iter));
- ret = io_setup_async_rw(req, iovec, inline_vecs, iter, false);
- return ret ?: -EAGAIN;
io_uring-limit-fixed-table-size-by-rlimit_nofile.patch
io_uring-ioring_op_write-needs-hash_reg_file-set.patch
io_uring-io_uring_complete-trace-should-take-an-integer.patch
-io_uring-reexpand-under-reexpanded-iters.patch
-io_uring-fail-links-of-cancelled-timeouts.patch
bio-fix-page-leak-bio_add_hw_page-failure.patch
raid1-ensure-write-behind-bio-has-less-than-bio_max_vecs-sectors.patch
cifs-do-not-leak-edeadlk-to-dgetents64-for-status_user_session_deleted.patch
+++ /dev/null
-From 89c2b3b74918200e46699338d7bcc19b1ea12110 Mon Sep 17 00:00:00 2001
-From: Pavel Begunkov <asml.silence@gmail.com>
-Date: Mon, 23 Aug 2021 11:18:45 +0100
-Subject: io_uring: reexpand under-reexpanded iters
-
-From: Pavel Begunkov <asml.silence@gmail.com>
-
-commit 89c2b3b74918200e46699338d7bcc19b1ea12110 upstream.
-
-[ 74.211232] BUG: KASAN: stack-out-of-bounds in iov_iter_revert+0x809/0x900
-[ 74.212778] Read of size 8 at addr ffff888025dc78b8 by task
-syz-executor.0/828
-[ 74.214756] CPU: 0 PID: 828 Comm: syz-executor.0 Not tainted
-5.14.0-rc3-next-20210730 #1
-[ 74.216525] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
-BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
-[ 74.219033] Call Trace:
-[ 74.219683] dump_stack_lvl+0x8b/0xb3
-[ 74.220706] print_address_description.constprop.0+0x1f/0x140
-[ 74.224226] kasan_report.cold+0x7f/0x11b
-[ 74.226085] iov_iter_revert+0x809/0x900
-[ 74.227960] io_write+0x57d/0xe40
-[ 74.232647] io_issue_sqe+0x4da/0x6a80
-[ 74.242578] __io_queue_sqe+0x1ac/0xe60
-[ 74.245358] io_submit_sqes+0x3f6e/0x76a0
-[ 74.248207] __do_sys_io_uring_enter+0x90c/0x1a20
-[ 74.257167] do_syscall_64+0x3b/0x90
-[ 74.257984] entry_SYSCALL_64_after_hwframe+0x44/0xae
-
-old_size = iov_iter_count();
-...
-iov_iter_revert(old_size - iov_iter_count());
-
-If iov_iter_revert() is done base on the initial size as above, and the
-iter is truncated and not reexpanded in the middle, it miscalculates
-borders causing problems. This trace is due to no one reexpanding after
-generic_write_checks().
-
-Now iters store how many bytes has been truncated, so reexpand them to
-the initial state right before reverting.
-
-Cc: stable@vger.kernel.org
-Reported-by: Palash Oswal <oswalpalash@gmail.com>
-Reported-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
-Reported-and-tested-by: syzbot+9671693590ef5aad8953@syzkaller.appspotmail.com
-Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
-Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/io_uring.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/fs/io_uring.c
-+++ b/fs/io_uring.c
-@@ -3324,6 +3324,7 @@ static int io_read(struct io_kiocb *req,
- if (req->flags & REQ_F_NOWAIT)
- goto done;
- /* some cases will consume bytes even on error returns */
-+ iov_iter_reexpand(iter, iter->count + iter->truncated);
- iov_iter_revert(iter, io_size - iov_iter_count(iter));
- ret = 0;
- } else if (ret == -EIOCBQUEUED) {
-@@ -3463,6 +3464,7 @@ done:
- } else {
- copy_iov:
- /* some cases will consume bytes even on error returns */
-+ iov_iter_reexpand(iter, iter->count + iter->truncated);
- iov_iter_revert(iter, io_size - iov_iter_count(iter));
- ret = io_setup_async_rw(req, iovec, inline_vecs, iter, false);
- return ret ?: -EAGAIN;
io_uring-limit-fixed-table-size-by-rlimit_nofile.patch
io_uring-ioring_op_write-needs-hash_reg_file-set.patch
io_uring-io_uring_complete-trace-should-take-an-integer.patch
-io_uring-reexpand-under-reexpanded-iters.patch
io_uring-fail-links-of-cancelled-timeouts.patch
bio-fix-page-leak-bio_add_hw_page-failure.patch
raid1-ensure-write-behind-bio-has-less-than-bio_max_vecs-sectors.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
