--- /dev/null
+From fd30d1cdcc4ff405fc54765edf2e11b03f2ed4f3 Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Thu, 30 Mar 2023 06:52:38 -0600
+Subject: io_uring: fix poll/netmsg alloc caches
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit fd30d1cdcc4ff405fc54765edf2e11b03f2ed4f3 upstream.
+
+We increase cache->nr_cached when we free into the cache but don't
+decrease when we take from it, so in some time we'll get an empty
+cache with cache->nr_cached larger than IO_ALLOC_CACHE_MAX, that fails
+io_alloc_cache_put() and effectively disables caching.
+
+Fixes: 9b797a37c4bd8 ("io_uring: add abstraction around apoll cache")
+Cc: stable@vger.kernel.org
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/alloc_cache.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/io_uring/alloc_cache.h
++++ b/io_uring/alloc_cache.h
+@@ -27,6 +27,7 @@ static inline struct io_cache_entry *io_
+ struct hlist_node *node = cache->list.first;
+
+ hlist_del(node);
++ cache->nr_cached--;
+ return container_of(node, struct io_cache_entry, node);
+ }
+
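Review bot: The new `cache->nr_cached--;` has no guard visible in this hunk, and nothing here documents that `nr_cached` must always equal the number of entries on `cache->list`. The function begins outside the hunk, so the emptiness check presumably sits there. If it does, a one-line comment above the decrement would pin the invariant, e.g. `/* nr_cached mirrors the list length; every hlist_del() here is paired with a decrement */`. Without that written down, a future path that removes entries another way can reintroduce the drift the commit message describes, where io_alloc_cache_put() starts refusing entries.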
--- /dev/null
+From 005308f7bdacf5685ed1a431244a183dbbb9e0e8 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Mon, 27 Mar 2023 19:56:18 -0600
+Subject: io_uring/poll: clear single/double poll flags on poll arming
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 005308f7bdacf5685ed1a431244a183dbbb9e0e8 upstream.
+
+Unless we have at least one entry queued, then don't call into
+io_poll_remove_entries(). Normally this isn't possible, but if we
+retry poll then we can have ->nr_entries cleared again as we're
+setting it up. If this happens for a poll retry, then we'll still have
+at least REQ_F_SINGLE_POLL set. io_poll_remove_entries() then thinks
+it has entries to remove.
+
+Clear REQ_F_SINGLE_POLL and REQ_F_DOUBLE_POLL unconditionally when
+arming a poll request.
+
+Fixes: c16bda37594f ("io_uring/poll: allow some retries for poll triggering spuriously")
+Cc: stable@vger.kernel.org
+Reported-by: Pengfei Xu <pengfei.xu@intel.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/poll.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/io_uring/poll.c
++++ b/io_uring/poll.c
+@@ -724,6 +724,7 @@ int io_arm_poll_handler(struct io_kiocb
+ apoll = io_req_alloc_apoll(req, issue_flags);
+ if (!apoll)
+ return IO_APOLL_ABORTED;
++ req->flags &= ~(REQ_F_SINGLE_POLL | REQ_F_DOUBLE_POLL);
+ req->flags |= REQ_F_POLLED;
+ ipt.pt._qproc = io_async_queue_proc;
+
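Review bot: The added `req->flags &= ~(REQ_F_SINGLE_POLL | REQ_F_DOUBLE_POLL);` carries no comment, and the reason for it is not obvious from the surrounding lines. Per the commit message, a poll retry can leave these flags set from the earlier arming while the entry count is reset, so io_poll_remove_entries() would act on entries that were never queued. A short comment such as `/* retry path: drop stale poll flags so io_poll_remove_entries() does not touch unqueued entries */` would keep a later cleanup from deleting the line. The clear also runs only after io_req_alloc_apoll() succeeds; whether the `IO_APOLL_ABORTED` return can leave stale flags that matter depends on code outside this hunk and is worth confirming.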
--- /dev/null
+From 4ff0b50de8cabba055efe50bbcb7506c41a69835 Mon Sep 17 00:00:00 2001
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Wed, 29 Mar 2023 15:03:43 +0100
+Subject: io_uring/rsrc: fix rogue rsrc node grabbing
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit 4ff0b50de8cabba055efe50bbcb7506c41a69835 upstream.
+
+We should not be looking at ctx->rsrc_node and anyhow modifying the node
+without holding uring_lock, grabbing references in such a way is not
+safe either.
+
+Cc: stable@vger.kernel.org
+Fixes: 5106dd6e74ab6 ("io_uring: propagate issue_flags state down to file assignment")
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/1202ede2d7bb90136e3482b2b84aad9ed483e5d6.1680098433.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/rsrc.h | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+--- a/io_uring/rsrc.h
++++ b/io_uring/rsrc.h
+@@ -144,15 +144,13 @@ static inline void io_req_set_rsrc_node(
+ unsigned int issue_flags)
+ {
+ if (!req->rsrc_node) {
+- req->rsrc_node = ctx->rsrc_node;
++ io_ring_submit_lock(ctx, issue_flags);
+
+- if (!(issue_flags & IO_URING_F_UNLOCKED)) {
+- lockdep_assert_held(&ctx->uring_lock);
++ lockdep_assert_held(&ctx->uring_lock);
+
+- io_charge_rsrc_node(ctx);
+- } else {
+- percpu_ref_get(&req->rsrc_node->refs);
+- }
++ req->rsrc_node = ctx->rsrc_node;
++ io_charge_rsrc_node(ctx);
++ io_ring_submit_unlock(ctx, issue_flags);
+ }
+ }
+
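Review bot: io_req_set_rsrc_node() now takes `ctx->uring_lock` itself through `io_ring_submit_lock(ctx, issue_flags)`, which changes its calling contract, and nothing at the function states this. The signature starts outside the hunk; a comment above it along the lines of `/* May acquire ctx->uring_lock depending on issue_flags; the flags must reflect whether the caller already holds it */` would make the requirement explicit. Flags that misdescribe the lock state would presumably lead either to a self-deadlock or to an unlocked read of `ctx->rsrc_node`, the latter being the race this commit closes. The `lockdep_assert_held(&ctx->uring_lock);` directly after the lock call looks redundant if io_ring_submit_lock() already asserts; that helper is not visible here, so confirm before dropping it.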
btrfs-fix-race-between-quota-disable-and-quota-assign-ioctls.patch
btrfs-scan-device-in-non-exclusive-mode.patch
btrfs-ignore-fiemap-path-cache-when-there-are-multiple-paths-for-a-node.patch
+zonefs-do-not-propagate-iomap_dio_rw-enotblk-error-to-user-space.patch
+io_uring-poll-clear-single-double-poll-flags-on-poll-arming.patch
+io_uring-rsrc-fix-rogue-rsrc-node-grabbing.patch
+io_uring-fix-poll-netmsg-alloc-caches.patch
--- /dev/null
+From 77af13ba3c7f91d91c377c7e2d122849bbc17128 Mon Sep 17 00:00:00 2001
+From: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Date: Thu, 30 Mar 2023 09:47:58 +0900
+Subject: zonefs: Do not propagate iomap_dio_rw() ENOTBLK error to user space
+
+From: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+
+commit 77af13ba3c7f91d91c377c7e2d122849bbc17128 upstream.
+
+The call to invalidate_inode_pages2_range() in __iomap_dio_rw() may
+fail, in which case -ENOTBLK is returned and this error code is
+propagated back to user space trhough iomap_dio_rw() ->
+zonefs_file_dio_write() return chain. This error code is fairly obscure
+and may confuse the user. Avoid this and be consistent with the behavior
+of zonefs_file_dio_append() for similar invalidate_inode_pages2_range()
+errors by returning -EBUSY to user space when iomap_dio_rw() returns
+-ENOTBLK.
+
+Suggested-by: Christoph Hellwig <hch@infradead.org>
+Fixes: 8dcc1a9d90c1 ("fs: New zonefs file system")
+Cc: stable@vger.kernel.org
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Tested-by: Hans Holmberg <hans.holmberg@wdc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/zonefs/file.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/fs/zonefs/file.c
++++ b/fs/zonefs/file.c
+@@ -567,11 +567,21 @@ static ssize_t zonefs_file_dio_write(str
+ append = sync;
+ }
+
+- if (append)
++ if (append) {
+ ret = zonefs_file_dio_append(iocb, from);
+- else
++ } else {
++ /*
++ * iomap_dio_rw() may return ENOTBLK if there was an issue with
++ * page invalidation. Overwrite that error code with EBUSY to
++ * be consistent with zonefs_file_dio_append() return value for
++ * similar issues.
++ */
+ ret = iomap_dio_rw(iocb, from, &zonefs_write_iomap_ops,
+ &zonefs_write_dio_ops, 0, NULL, 0);
++ if (ret == -ENOTBLK)
++ ret = -EBUSY;
++ }
++
+ if (zonefs_zone_is_seq(z) &&
+ (ret > 0 || ret == -EIOCBQUEUED)) {
+ if (ret > 0)
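Review bot: The block comment explaining the ENOTBLK-to-EBUSY remap sits above the `iomap_dio_rw()` call rather than above the `if (ret == -ENOTBLK)` check it describes, so the call separates the explanation from the line it justifies. Moving the comment to directly precede the check would keep the two together. zonefs_file_dio_write() begins and ends outside this hunk.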