5.17-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 18 Apr 2022 13:05:37 +0000 (15:05 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 18 Apr 2022 13:05:37 +0000 (15:05 +0200)
added patches:
io_uring-fix-poll-error-reporting.patch
io_uring-fix-poll-file-assign-deadlock.patch
io_uring-use-right-issue_flags-for-splice-tee.patch

queue-5.17/io_uring-fix-poll-error-reporting.patch [new file with mode: 0644]
queue-5.17/io_uring-fix-poll-file-assign-deadlock.patch [new file with mode: 0644]
queue-5.17/io_uring-use-right-issue_flags-for-splice-tee.patch [new file with mode: 0644]
queue-5.17/series

diff --git a/queue-5.17/io_uring-fix-poll-error-reporting.patch b/queue-5.17/io_uring-fix-poll-error-reporting.patch
new file mode 100644 (file)
index 0000000..849cb27
--- /dev/null
@@ -0,0 +1,37 @@
+From foo@baz Mon Apr 18 03:05:20 PM CEST 2022
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Mon, 18 Apr 2022 06:41:20 -0600
+Subject: io_uring: fix poll error reporting
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit 7179c3ce3dbff646c55f7cd664a895f462f049e5 upstream.
+
+We should not return an error code in req->result in
+io_poll_check_events(), because it may get mangled and returned as
+success. Just return the error code directly, the callers will fail the
+request or proceed accordingly.
+
+Fixes: 6bf9c47a3989 ("io_uring: defer file assignment")
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/5f03514ee33324dc811fb93df84aee0f695fb044.1649862516.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/io_uring.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -5513,9 +5513,8 @@ static int io_poll_check_events(struct i
+                       unsigned flags = locked ? 0 : IO_URING_F_UNLOCKED;
+                       if (unlikely(!io_assign_file(req, flags)))
+-                              req->result = -EBADF;
+-                      else
+-                              req->result = vfs_poll(req->file, &pt) & poll->events;
++                              return -EBADF;
++                      req->result = vfs_poll(req->file, &pt) & poll->events;
+               }
+               /* multishot, just fill an CQE and proceed */
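Review bot: The new early `return -EBADF;` in io_poll_check_events() leaves req->result untouched, so the fix relies on every caller treating a negative return as a failed request and not reading req->result on that path; those callers are outside the hunk and should be checked in the 5.17 tree. A short comment at the return would record why the error is not stored, for example `/* req->result holds a poll mask here; an errno stored in it can be mangled and reported as success */`. The context line `unsigned flags = locked ? 0 : IO_URING_F_UNLOCKED;` exists only once io_uring-fix-poll-file-assign-deadlock.patch is applied, so this patch must stay after it in the series file, which is the order the series hunk uses. The function body starts and continues outside the hunk.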
diff --git a/queue-5.17/io_uring-fix-poll-file-assign-deadlock.patch b/queue-5.17/io_uring-fix-poll-file-assign-deadlock.patch
new file mode 100644 (file)
index 0000000..c306d87
--- /dev/null
@@ -0,0 +1,34 @@
+From foo@baz Mon Apr 18 03:05:20 PM CEST 2022
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Mon, 18 Apr 2022 06:40:30 -0600
+Subject: io_uring: fix poll file assign deadlock
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit cce64ef01308b677a687d90927fc2b2e0e1cba67 upstream.
+
+We pass "unlocked" into io_assign_file() in io_poll_check_events(),
+which can lead to double locking.
+
+Fixes: 6bf9c47a3989 ("io_uring: defer file assignment")
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/2476d4ae46554324b599ee4055447b105f20a75a.1649862516.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/io_uring.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -5510,8 +5510,9 @@ static int io_poll_check_events(struct i
+               if (!req->result) {
+                       struct poll_table_struct pt = { ._key = poll->events };
++                      unsigned flags = locked ? 0 : IO_URING_F_UNLOCKED;
+-                      if (unlikely(!io_assign_file(req, IO_URING_F_UNLOCKED)))
++                      if (unlikely(!io_assign_file(req, flags)))
+                               req->result = -EBADF;
+                       else
+                               req->result = vfs_poll(req->file, &pt) & poll->events;
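Review bot: The added `flags` value is only as correct as `locked`, which is neither declared nor documented inside the hunk. If `locked` does not exactly track whether the caller already holds the lock, io_assign_file() could presumably still lock twice, which is the deadlock the commit message describes. A one-line comment above the declaration would make the contract explicit, e.g. `/* locked: caller already holds the lock, so io_assign_file() must not take it again */`. The declaration also uses bare `unsigned`, where kernel coding style prefers `unsigned int flags = locked ? 0 : IO_URING_F_UNLOCKED;`. The signature of io_poll_check_events() is truncated in the hunk header and its body continues outside the hunk.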
diff --git a/queue-5.17/io_uring-use-right-issue_flags-for-splice-tee.patch b/queue-5.17/io_uring-use-right-issue_flags-for-splice-tee.patch
new file mode 100644 (file)
index 0000000..e1a4dcc
--- /dev/null
@@ -0,0 +1,42 @@
+From foo@baz Mon Apr 18 03:05:20 PM CEST 2022
+From: Pavel Begunkov <asml.silence@gmail.com>
+Date: Wed, 13 Apr 2022 16:10:33 +0100
+Subject: io_uring: use right issue_flags for splice/tee
+
+From: Pavel Begunkov <asml.silence@gmail.com>
+
+commit e941976659f1f6834077a1596bf53e6bdb10e90b upstream.
+
+Pass right issue_flags into into io_file_get_fixed() instead of
+IO_URING_F_UNLOCKED. It's probably not a problem at the moment but let's
+do it safer.
+
+Fixes: 6bf9c47a3989 ("io_uring: defer file assignment")
+Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
+Link: https://lore.kernel.org/r/7d242daa9df5d776907686977cd29fbceb4a2d8d.1649862516.git.asml.silence@gmail.com
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/io_uring.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -4140,7 +4140,7 @@ static int io_tee(struct io_kiocb *req,
+               return -EAGAIN;
+       if (sp->flags & SPLICE_F_FD_IN_FIXED)
+-              in = io_file_get_fixed(req, sp->splice_fd_in, IO_URING_F_UNLOCKED);
++              in = io_file_get_fixed(req, sp->splice_fd_in, issue_flags);
+       else
+               in = io_file_get_normal(req, sp->splice_fd_in);
+       if (!in) {
+@@ -4182,7 +4182,7 @@ static int io_splice(struct io_kiocb *re
+               return -EAGAIN;
+       if (sp->flags & SPLICE_F_FD_IN_FIXED)
+-              in = io_file_get_fixed(req, sp->splice_fd_in, IO_URING_F_UNLOCKED);
++              in = io_file_get_fixed(req, sp->splice_fd_in, issue_flags);
+       else
+               in = io_file_get_normal(req, sp->splice_fd_in);
+       if (!in) {
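Review bot: The fixed-versus-normal file lookup is repeated line for line in io_tee() and io_splice(), and both copies carried the same hard-coded IO_URING_F_UNLOCKED. A small static helper taking `req`, `sp` and `issue_flags` would keep the lock-state flag in one place so the two paths cannot diverge again. If the duplication stays, a comment at each call would explain why a constant must not be used, for example `/* pass issue_flags through so the callee sees the caller's real lock state */`. That wording assumes io_file_get_fixed() uses the flag to decide on locking, as the sibling deadlock fix suggests. Both functions start and continue outside the hunks shown.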
index 6753d313a268fddf7c25656c59bfb51de874dcc2..06c1006994d2eb879db5cfab7ee22c289c377f6f 100644 (file)
@@ -217,3 +217,6 @@ mm-kfence-support-kmem_dump_obj-for-kfence-objects.patch
 drm-i915-sunset-igpu-legacy-mmap-support-based-on-graphics_ver_full.patch
 cpu-hotplug-remove-the-cpu-member-of-cpuhp_cpu_state.patch
 ax25-fix-uaf-bugs-in-ax25-timers.patch
+io_uring-use-right-issue_flags-for-splice-tee.patch
+io_uring-fix-poll-file-assign-deadlock.patch
+io_uring-fix-poll-error-reporting.patch