From: Greg Kroah-Hartman Date: Mon, 23 Jan 2023 09:48:29 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v4.14.304~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2488c1f8b2dac602296a5ce147a95af12f92697c;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: io_uring-clean-up-a-false-positive-warning-from-gcc-9.3.0.patch io_uring-fix-double-poll-leak-on-repolling.patch io_uring-rw-ensure-kiocb_end_write-is-always-called.patch io_uring-rw-remove-leftover-debug-statement.patch --- diff --git a/queue-5.10/io_uring-clean-up-a-false-positive-warning-from-gcc-9.3.0.patch b/queue-5.10/io_uring-clean-up-a-false-positive-warning-from-gcc-9.3.0.patch new file mode 100644 index 00000000000..40cdf5fad9e --- /dev/null +++ b/queue-5.10/io_uring-clean-up-a-false-positive-warning-from-gcc-9.3.0.patch @@ -0,0 +1,61 @@ +From f79aabb5fcef594b03b9c7d790640833d95b0604 Mon Sep 17 00:00:00 2001 +From: Alviro Iskandar Setiawan +Date: Mon, 7 Feb 2022 21:05:33 +0700 +Subject: io_uring: Clean up a false-positive warning from GCC 9.3.0 + +From: Alviro Iskandar Setiawan + +commit 0d7c1153d9291197c1dc473cfaade77acb874b4b upstream. + +In io_recv(), if import_single_range() fails, the @flags variable is +uninitialized, then it will goto out_free. + +After the goto, the compiler doesn't know that (ret < min_ret) is +always true, so it thinks the "if ((flags & MSG_WAITALL) ..." path +could be taken. + +The complaint comes from gcc-9 (Debian 9.3.0-22) 9.3.0: +``` + fs/io_uring.c:5238 io_recvfrom() error: uninitialized symbol 'flags' +``` +Fix this by bypassing the @ret and @flags check when +import_single_range() fails. + +Reasons: + 1. import_single_range() only returns -EFAULT when it fails. + 2. At that point, @flags is uninitialized and shouldn't be read. + +Reported-by: kernel test robot +Reported-by: Dan Carpenter +Reported-by: "Chen, Rong A" +Link: https://lore.gnuweeb.org/timl/d33bb5a9-8173-f65b-f653-51fc0681c6d6@intel.com/ +Cc: Pavel Begunkov +Suggested-by: Ammar Faizi +Fixes: 7297ce3d59449de49d3c9e1f64ae25488750a1fc ("io_uring: improve send/recv error handling") +Signed-off-by: Alviro Iskandar Setiawan +Signed-off-by: Ammar Faizi +Link: https://lore.kernel.org/r/20220207140533.565411-1-ammarfaizi2@gnuweeb.org +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/io_uring.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -5094,7 +5094,6 @@ static int io_recv(struct io_kiocb *req, + min_ret = iov_iter_count(&msg.msg_iter); + + ret = sock_recvmsg(sock, &msg, flags); +-out_free: + if (ret < min_ret) { + if (ret == -EAGAIN && force_nonblock) + return -EAGAIN; +@@ -5109,6 +5108,7 @@ out_free: + } + req_set_fail(req); + } else if ((flags & MSG_WAITALL) && (msg.msg_flags & (MSG_TRUNC | MSG_CTRUNC))) { ++out_free: + req_set_fail(req); + } + if (req->flags & REQ_F_BUFFER_SELECTED) diff --git a/queue-5.10/io_uring-fix-double-poll-leak-on-repolling.patch b/queue-5.10/io_uring-fix-double-poll-leak-on-repolling.patch new file mode 100644 index 00000000000..ee31d509546 --- /dev/null +++ b/queue-5.10/io_uring-fix-double-poll-leak-on-repolling.patch @@ -0,0 +1,40 @@ +From 25143ba20b82094e275abe38b44b7e1ade886a92 Mon Sep 17 00:00:00 2001 +From: Pavel Begunkov +Date: Sun, 22 Jan 2023 10:24:20 -0700 +Subject: io_uring: fix double poll leak on repolling + +From: Pavel Begunkov + +commit c0737fa9a5a5cf5a053bcc983f72d58919b997c6 upstream. + +We have re-polling for partial IO, so a request can be polled twice. If +it used two poll entries the first time then on the second +io_arm_poll_handler() it will find the old apoll entry and NULL +kmalloc()'ed second entry, i.e. apoll->double_poll, so leaking it. + +Fixes: 10c873334feba ("io_uring: allow re-poll if we made progress") +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/fee2452494222ecc7f1f88c8fb659baef971414a.1655852245.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/io_uring.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -5751,10 +5751,12 @@ static int io_arm_poll_handler(struct io + mask |= POLLOUT | POLLWRNORM; + } + +- if (req->flags & REQ_F_POLLED) ++ if (req->flags & REQ_F_POLLED) { + apoll = req->apoll; +- else ++ kfree(apoll->double_poll); ++ } else { + apoll = kmalloc(sizeof(*apoll), GFP_ATOMIC); ++ } + if (unlikely(!apoll)) + return IO_APOLL_ABORTED; + apoll->double_poll = NULL; diff --git a/queue-5.10/io_uring-rw-ensure-kiocb_end_write-is-always-called.patch b/queue-5.10/io_uring-rw-ensure-kiocb_end_write-is-always-called.patch new file mode 100644 index 00000000000..066ebf47fa9 --- /dev/null +++ b/queue-5.10/io_uring-rw-ensure-kiocb_end_write-is-always-called.patch @@ -0,0 +1,112 @@ +From 847059841bf49921adc58c31b910b52e46568e3e Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Sun, 22 Jan 2023 10:36:37 -0700 +Subject: io_uring/rw: ensure kiocb_end_write() is always called + +From: Jens Axboe + +commit 2ec33a6c3cca9fe2465e82050c81f5ffdc508b36 upstream. + +A previous commit moved the notifications and end-write handling, but +it is now missing a few spots where we also want to call both of those. +Without that, we can potentially be missing file notifications, and +more importantly, have an imbalance in the super_block writers sem +accounting. + +Fixes: b000145e9907 ("io_uring/rw: defer fsnotify calls to task context") +Reported-by: Dave Chinner +Link: https://lore.kernel.org/all/20221010050319.GC2703033@dread.disaster.area/ +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/io_uring.c | 57 +++++++++++++++++++++++++++++++++------------------- + 1 file changed, 37 insertions(+), 20 deletions(-) + +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -2700,11 +2700,34 @@ static bool io_rw_should_reissue(struct + } + #endif + ++/* ++ * Trigger the notifications after having done some IO, and finish the write ++ * accounting, if any. ++ */ ++static void io_req_io_end(struct io_kiocb *req) ++{ ++ struct io_rw *rw = &req->rw; ++ ++ WARN_ON(!in_task()); ++ ++ if (rw->kiocb.ki_flags & IOCB_WRITE) { ++ kiocb_end_write(req); ++ fsnotify_modify(req->file); ++ } else { ++ fsnotify_access(req->file); ++ } ++} ++ + static bool __io_complete_rw_common(struct io_kiocb *req, long res) + { + if (res != req->result) { + if ((res == -EAGAIN || res == -EOPNOTSUPP) && + io_rw_should_reissue(req)) { ++ /* ++ * Reissue will start accounting again, finish the ++ * current cycle. ++ */ ++ io_req_io_end(req); + req->flags |= REQ_F_REISSUE; + return true; + } +@@ -2746,25 +2769,9 @@ static void io_req_task_complete(struct + } + } + +-static void __io_complete_rw(struct io_kiocb *req, long res, long res2, +- unsigned int issue_flags) +-{ +- if (__io_complete_rw_common(req, res)) +- return; +- __io_req_complete(req, issue_flags, io_fixup_rw_res(req, res), io_put_rw_kbuf(req)); +-} +- + static void io_req_rw_complete(struct io_kiocb *req, bool *locked) + { +- struct io_rw *rw = &req->rw; +- +- if (rw->kiocb.ki_flags & IOCB_WRITE) { +- kiocb_end_write(req); +- fsnotify_modify(req->file); +- } else { +- fsnotify_access(req->file); +- } +- ++ io_req_io_end(req); + io_req_task_complete(req, locked); + } + +@@ -3032,10 +3039,20 @@ static void kiocb_done(struct kiocb *kio + + if (req->flags & REQ_F_CUR_POS) + req->file->f_pos = kiocb->ki_pos; +- if (ret >= 0 && (kiocb->ki_complete == io_complete_rw)) +- __io_complete_rw(req, ret, 0, issue_flags); +- else ++ if (ret >= 0 && (kiocb->ki_complete == io_complete_rw)) { ++ if (!__io_complete_rw_common(req, ret)) { ++ /* ++ * Safe to call io_end from here as we're inline ++ * from the submission path. ++ */ ++ io_req_io_end(req); ++ __io_req_complete(req, issue_flags, ++ io_fixup_rw_res(req, ret), ++ io_put_rw_kbuf(req)); ++ } ++ } else { + io_rw_done(kiocb, ret); ++ } + + if (req->flags & REQ_F_REISSUE) { + req->flags &= ~REQ_F_REISSUE; diff --git a/queue-5.10/io_uring-rw-remove-leftover-debug-statement.patch b/queue-5.10/io_uring-rw-remove-leftover-debug-statement.patch new file mode 100644 index 00000000000..aa480691c97 --- /dev/null +++ b/queue-5.10/io_uring-rw-remove-leftover-debug-statement.patch @@ -0,0 +1,31 @@ +From e07a8781fe8045af3b8b277aaae735a8f4011b09 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Sun, 16 Oct 2022 17:24:10 -0600 +Subject: io_uring/rw: remove leftover debug statement + +From: Jens Axboe + +commit 5c61795ea97c170347c5c4af0c159bd877b8af71 upstream. + +This debug statement was never meant to go into the upstream release, +kill it off before it ends up in a release. It was just part of the +testing for the initial version of the patch. + +Fixes: 2ec33a6c3cca ("io_uring/rw: ensure kiocb_end_write() is always called") +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/io_uring.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -2708,8 +2708,6 @@ static void io_req_io_end(struct io_kioc + { + struct io_rw *rw = &req->rw; + +- WARN_ON(!in_task()); +- + if (rw->kiocb.ki_flags & IOCB_WRITE) { + kiocb_end_write(req); + fsnotify_modify(req->file); diff --git a/queue-5.10/series b/queue-5.10/series index 2fdce7e1c2e..5112dd28f02 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -92,3 +92,7 @@ bluetooth-hci_qca-wait-for-ssr-completion-during-suspend.patch bluetooth-hci_qca-check-for-ssr-triggered-flag-while-suspend.patch bluetooth-hci_qca-fixed-issue-during-suspend.patch mm-khugepaged-fix-collapse_pte_mapped_thp-to-allow-anon_vma.patch +io_uring-clean-up-a-false-positive-warning-from-gcc-9.3.0.patch +io_uring-fix-double-poll-leak-on-repolling.patch +io_uring-rw-ensure-kiocb_end_write-is-always-called.patch +io_uring-rw-remove-leftover-debug-statement.patch