--- /dev/null
+From 077ca7235339ca86a455377fae51cd6c3396c04a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Aug 2021 13:15:01 +0100
+Subject: io_uring: fix xa_alloc_cycle() error return value check
+
+From: Jens Axboe <axboe@kernel.dk>
+
+[ upstream commit a30f895ad3239f45012e860d4f94c1a388b36d14 ]
+
+We currently check for ret != 0 to indicate error, but '1' is a valid
+return and just indicates that the allocation succeeded with a wrap.
+Correct the check to be for < 0, like it was before the xarray
+conversion.
+
+Cc: stable@vger.kernel.org
+Fixes: 61cf93700fe6 ("io_uring: Convert personality_idr to XArray")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/io_uring.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/fs/io_uring.c b/fs/io_uring.c
+index ed641dca7957..762eae2440b5 100644
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -9601,11 +9601,12 @@ static int io_register_personality(struct io_ring_ctx *ctx)
+
+ ret = xa_alloc_cyclic(&ctx->personalities, &id, (void *)iod,
+ XA_LIMIT(0, USHRT_MAX), &ctx->pers_next, GFP_KERNEL);
+- if (!ret)
+- return id;
+- put_cred(iod->creds);
+- kfree(iod);
+- return ret;
++ if (ret < 0) {
++ put_cred(iod->creds);
++ kfree(iod);
++ return ret;
++ }
++ return id;
+ }
+
+ static int io_register_restrictions(struct io_ring_ctx *ctx, void __user *arg,
+--
+2.30.2
+
--- /dev/null
+From 2ef5886671905159cc2e2e3f3e2be24d7bd8c985 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Aug 2021 13:15:31 +0100
+Subject: io_uring: only assign io_uring_enter() SQPOLL error in actual error
+ case
+
+From: Jens Axboe <axboe@kernel.dk>
+
+[ upstream commit 21f965221e7c42609521342403e8fb91b8b3e76e ]
+
+If an SQPOLL based ring is newly created and an application issues an
+io_uring_enter(2) system call on it, then we can return a spurious
+-EOWNERDEAD error. This happens because there's nothing to submit, and
+if the caller doesn't specify any other action, the initial error
+assignment of -EOWNERDEAD never gets overwritten. This causes us to
+return it directly, even if it isn't valid.
+
+Move the error assignment into the actual failure case instead.
+
+Cc: stable@vger.kernel.org
+Fixes: d9d05217cb69 ("io_uring: stop SQPOLL submit on creator's death")
+Reported-by: Sherlock Holo sherlockya@gmail.com
+Link: https://github.com/axboe/liburing/issues/413
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/io_uring.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/fs/io_uring.c b/fs/io_uring.c
+index 762eae2440b5..108b0ed31c11 100644
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -9078,9 +9078,10 @@ SYSCALL_DEFINE6(io_uring_enter, unsigned int, fd, u32, to_submit,
+ if (ctx->flags & IORING_SETUP_SQPOLL) {
+ io_cqring_overflow_flush(ctx, false, NULL, NULL);
+
+- ret = -EOWNERDEAD;
+- if (unlikely(ctx->sqo_dead))
++ if (unlikely(ctx->sqo_dead)) {
++ ret = -EOWNERDEAD;
+ goto out;
++ }
+ if (flags & IORING_ENTER_SQ_WAKEUP)
+ wake_up(&ctx->sq_data->wait);
+ if (flags & IORING_ENTER_SQ_WAIT) {
+--
+2.30.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
