From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 13 Sep 2021 10:51:53 +0000 (+0200)
Subject: drop some broken io_uring patches from 5.14 and 5.13 queues.
X-Git-Tag: v5.4.146~20
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6053814f8cd4aa28c6f5edbd7a54fc8e8ac4bcc4;p=thirdparty%2Fkernel%2Fstable-queue.git

drop some broken io_uring patches from 5.14 and 5.13 queues.
---

diff --git a/queue-5.13/io_uring-fail-links-of-cancelled-timeouts.patch b/queue-5.13/io_uring-fail-links-of-cancelled-timeouts.patch
deleted file mode 100644
index 5553a6ed928..00000000000
--- a/queue-5.13/io_uring-fail-links-of-cancelled-timeouts.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 2ae2eb9dde18979b40629dd413b9adbd6c894cdf Mon Sep 17 00:00:00 2001
-From: Pavel Begunkov <asml.silence@gmail.com>
-Date: Thu, 9 Sep 2021 13:56:27 +0100
-Subject: io_uring: fail links of cancelled timeouts
-
-From: Pavel Begunkov <asml.silence@gmail.com>
-
-commit 2ae2eb9dde18979b40629dd413b9adbd6c894cdf upstream.
-
-When we cancel a timeout we should mark it with REQ_F_FAIL, so
-linked requests are cancelled as well, but not queued for further
-execution.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
-Link: https://lore.kernel.org/r/fff625b44eeced3a5cae79f60e6acf3fbdf8f990.1631192135.git.asml.silence@gmail.com
-Signed-off-by: Jens Axboe <axboe@kernel.dk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/io_uring.c |    2 ++
- 1 file changed, 2 insertions(+)
-
---- a/fs/io_uring.c
-+++ b/fs/io_uring.c
-@@ -1307,6 +1307,8 @@ static void io_kill_timeout(struct io_ki
- 	struct io_timeout_data *io = req->async_data;
- 
- 	if (hrtimer_try_to_cancel(&io->timer) != -1) {
-+		if (status)
-+			req_set_fail(req);
- 		atomic_set(&req->ctx->cq_timeouts,
- 			atomic_read(&req->ctx->cq_timeouts) + 1);
- 		list_del_init(&req->timeout.list);
diff --git a/queue-5.13/io_uring-reexpand-under-reexpanded-iters.patch b/queue-5.13/io_uring-reexpand-under-reexpanded-iters.patch
deleted file mode 100644
index bd4b11b97ed..00000000000
--- a/queue-5.13/io_uring-reexpand-under-reexpanded-iters.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From 89c2b3b74918200e46699338d7bcc19b1ea12110 Mon Sep 17 00:00:00 2001
-From: Pavel Begunkov <asml.silence@gmail.com>
-Date: Mon, 23 Aug 2021 11:18:45 +0100
-Subject: io_uring: reexpand under-reexpanded iters
-
-From: Pavel Begunkov <asml.silence@gmail.com>
-
-commit 89c2b3b74918200e46699338d7bcc19b1ea12110 upstream.
-
-[   74.211232] BUG: KASAN: stack-out-of-bounds in iov_iter_revert+0x809/0x900
-[   74.212778] Read of size 8 at addr ffff888025dc78b8 by task
-syz-executor.0/828
-[   74.214756] CPU: 0 PID: 828 Comm: syz-executor.0 Not tainted
-5.14.0-rc3-next-20210730 #1
-[   74.216525] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
-BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
-[   74.219033] Call Trace:
-[   74.219683]  dump_stack_lvl+0x8b/0xb3
-[   74.220706]  print_address_description.constprop.0+0x1f/0x140
-[   74.224226]  kasan_report.cold+0x7f/0x11b
-[   74.226085]  iov_iter_revert+0x809/0x900
-[   74.227960]  io_write+0x57d/0xe40
-[   74.232647]  io_issue_sqe+0x4da/0x6a80
-[   74.242578]  __io_queue_sqe+0x1ac/0xe60
-[   74.245358]  io_submit_sqes+0x3f6e/0x76a0
-[   74.248207]  __do_sys_io_uring_enter+0x90c/0x1a20
-[   74.257167]  do_syscall_64+0x3b/0x90
-[   74.257984]  entry_SYSCALL_64_after_hwframe+0x44/0xae
-
-old_size = iov_iter_count();
-...
-iov_iter_revert(old_size - iov_iter_count());
-
-If iov_iter_revert() is done base on the initial size as above, and the
-iter is truncated and not reexpanded in the middle, it miscalculates
-borders causing problems. This trace is due to no one reexpanding after
-generic_write_checks().
-
-Now iters store how many bytes has been truncated, so reexpand them to
-the initial state right before reverting.
-
-Cc: stable@vger.kernel.org
-Reported-by: Palash Oswal <oswalpalash@gmail.com>
-Reported-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
-Reported-and-tested-by: syzbot+9671693590ef5aad8953@syzkaller.appspotmail.com
-Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
-Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/io_uring.c |    2 ++
- 1 file changed, 2 insertions(+)
-
---- a/fs/io_uring.c
-+++ b/fs/io_uring.c
-@@ -3316,6 +3316,7 @@ static int io_read(struct io_kiocb *req,
- 		if (req->flags & REQ_F_NOWAIT)
- 			goto done;
- 		/* some cases will consume bytes even on error returns */
-+		iov_iter_reexpand(iter, iter->count + iter->truncated);
- 		iov_iter_revert(iter, io_size - iov_iter_count(iter));
- 		ret = 0;
- 	} else if (ret == -EIOCBQUEUED) {
-@@ -3455,6 +3456,7 @@ done:
- 	} else {
- copy_iov:
- 		/* some cases will consume bytes even on error returns */
-+		iov_iter_reexpand(iter, iter->count + iter->truncated);
- 		iov_iter_revert(iter, io_size - iov_iter_count(iter));
- 		ret = io_setup_async_rw(req, iovec, inline_vecs, iter, false);
- 		return ret ?: -EAGAIN;
diff --git a/queue-5.13/series b/queue-5.13/series
index 28407704756..bbcf2dacf03 100644
--- a/queue-5.13/series
+++ b/queue-5.13/series
@@ -269,8 +269,6 @@ auxdisplay-hd44780-fix-oops-on-module-unloading.patch
 io_uring-limit-fixed-table-size-by-rlimit_nofile.patch
 io_uring-ioring_op_write-needs-hash_reg_file-set.patch
 io_uring-io_uring_complete-trace-should-take-an-integer.patch
-io_uring-reexpand-under-reexpanded-iters.patch
-io_uring-fail-links-of-cancelled-timeouts.patch
 bio-fix-page-leak-bio_add_hw_page-failure.patch
 raid1-ensure-write-behind-bio-has-less-than-bio_max_vecs-sectors.patch
 cifs-do-not-leak-edeadlk-to-dgetents64-for-status_user_session_deleted.patch
diff --git a/queue-5.14/io_uring-reexpand-under-reexpanded-iters.patch b/queue-5.14/io_uring-reexpand-under-reexpanded-iters.patch
deleted file mode 100644
index f80bf9a9a26..00000000000
--- a/queue-5.14/io_uring-reexpand-under-reexpanded-iters.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From 89c2b3b74918200e46699338d7bcc19b1ea12110 Mon Sep 17 00:00:00 2001
-From: Pavel Begunkov <asml.silence@gmail.com>
-Date: Mon, 23 Aug 2021 11:18:45 +0100
-Subject: io_uring: reexpand under-reexpanded iters
-
-From: Pavel Begunkov <asml.silence@gmail.com>
-
-commit 89c2b3b74918200e46699338d7bcc19b1ea12110 upstream.
-
-[   74.211232] BUG: KASAN: stack-out-of-bounds in iov_iter_revert+0x809/0x900
-[   74.212778] Read of size 8 at addr ffff888025dc78b8 by task
-syz-executor.0/828
-[   74.214756] CPU: 0 PID: 828 Comm: syz-executor.0 Not tainted
-5.14.0-rc3-next-20210730 #1
-[   74.216525] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
-BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
-[   74.219033] Call Trace:
-[   74.219683]  dump_stack_lvl+0x8b/0xb3
-[   74.220706]  print_address_description.constprop.0+0x1f/0x140
-[   74.224226]  kasan_report.cold+0x7f/0x11b
-[   74.226085]  iov_iter_revert+0x809/0x900
-[   74.227960]  io_write+0x57d/0xe40
-[   74.232647]  io_issue_sqe+0x4da/0x6a80
-[   74.242578]  __io_queue_sqe+0x1ac/0xe60
-[   74.245358]  io_submit_sqes+0x3f6e/0x76a0
-[   74.248207]  __do_sys_io_uring_enter+0x90c/0x1a20
-[   74.257167]  do_syscall_64+0x3b/0x90
-[   74.257984]  entry_SYSCALL_64_after_hwframe+0x44/0xae
-
-old_size = iov_iter_count();
-...
-iov_iter_revert(old_size - iov_iter_count());
-
-If iov_iter_revert() is done base on the initial size as above, and the
-iter is truncated and not reexpanded in the middle, it miscalculates
-borders causing problems. This trace is due to no one reexpanding after
-generic_write_checks().
-
-Now iters store how many bytes has been truncated, so reexpand them to
-the initial state right before reverting.
-
-Cc: stable@vger.kernel.org
-Reported-by: Palash Oswal <oswalpalash@gmail.com>
-Reported-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
-Reported-and-tested-by: syzbot+9671693590ef5aad8953@syzkaller.appspotmail.com
-Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
-Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/io_uring.c |    2 ++
- 1 file changed, 2 insertions(+)
-
---- a/fs/io_uring.c
-+++ b/fs/io_uring.c
-@@ -3324,6 +3324,7 @@ static int io_read(struct io_kiocb *req,
- 		if (req->flags & REQ_F_NOWAIT)
- 			goto done;
- 		/* some cases will consume bytes even on error returns */
-+		iov_iter_reexpand(iter, iter->count + iter->truncated);
- 		iov_iter_revert(iter, io_size - iov_iter_count(iter));
- 		ret = 0;
- 	} else if (ret == -EIOCBQUEUED) {
-@@ -3463,6 +3464,7 @@ done:
- 	} else {
- copy_iov:
- 		/* some cases will consume bytes even on error returns */
-+		iov_iter_reexpand(iter, iter->count + iter->truncated);
- 		iov_iter_revert(iter, io_size - iov_iter_count(iter));
- 		ret = io_setup_async_rw(req, iovec, inline_vecs, iter, false);
- 		return ret ?: -EAGAIN;
diff --git a/queue-5.14/series b/queue-5.14/series
index 72731c0857e..5508e0caff0 100644
--- a/queue-5.14/series
+++ b/queue-5.14/series
@@ -300,7 +300,6 @@ auxdisplay-hd44780-fix-oops-on-module-unloading.patch
 io_uring-limit-fixed-table-size-by-rlimit_nofile.patch
 io_uring-ioring_op_write-needs-hash_reg_file-set.patch
 io_uring-io_uring_complete-trace-should-take-an-integer.patch
-io_uring-reexpand-under-reexpanded-iters.patch
 io_uring-fail-links-of-cancelled-timeouts.patch
 bio-fix-page-leak-bio_add_hw_page-failure.patch
 raid1-ensure-write-behind-bio-has-less-than-bio_max_vecs-sectors.patch