From: Greg Kroah-Hartman Date: Mon, 18 Apr 2022 13:05:37 +0000 (+0200) Subject: 5.17-stable patches X-Git-Tag: v4.9.311~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e8024f6de73a6275bc333cd598073b0aa6d04922;p=thirdparty%2Fkernel%2Fstable-queue.git 5.17-stable patches added patches: io_uring-fix-poll-error-reporting.patch io_uring-fix-poll-file-assign-deadlock.patch io_uring-use-right-issue_flags-for-splice-tee.patch --- diff --git a/queue-5.17/io_uring-fix-poll-error-reporting.patch b/queue-5.17/io_uring-fix-poll-error-reporting.patch new file mode 100644 index 00000000000..849cb272ae5 --- /dev/null +++ b/queue-5.17/io_uring-fix-poll-error-reporting.patch @@ -0,0 +1,37 @@ +From foo@baz Mon Apr 18 03:05:20 PM CEST 2022 +From: Pavel Begunkov +Date: Mon, 18 Apr 2022 06:41:20 -0600 +Subject: io_uring: fix poll error reporting + +From: Pavel Begunkov + +commit 7179c3ce3dbff646c55f7cd664a895f462f049e5 upstream. + +We should not return an error code in req->result in +io_poll_check_events(), because it may get mangled and returned as +success. Just return the error code directly, the callers will fail the +request or proceed accordingly. + +Fixes: 6bf9c47a3989 ("io_uring: defer file assignment") +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/5f03514ee33324dc811fb93df84aee0f695fb044.1649862516.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + fs/io_uring.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -5513,9 +5513,8 @@ static int io_poll_check_events(struct i + unsigned flags = locked ? 0 : IO_URING_F_UNLOCKED; + + if (unlikely(!io_assign_file(req, flags))) +- req->result = -EBADF; +- else +- req->result = vfs_poll(req->file, &pt) & poll->events; ++ return -EBADF; ++ req->result = vfs_poll(req->file, &pt) & poll->events; + } + + /* multishot, just fill an CQE and proceed */ diff --git a/queue-5.17/io_uring-fix-poll-file-assign-deadlock.patch b/queue-5.17/io_uring-fix-poll-file-assign-deadlock.patch new file mode 100644 index 00000000000..c306d87e001 --- /dev/null +++ b/queue-5.17/io_uring-fix-poll-file-assign-deadlock.patch @@ -0,0 +1,34 @@ +From foo@baz Mon Apr 18 03:05:20 PM CEST 2022 +From: Pavel Begunkov +Date: Mon, 18 Apr 2022 06:40:30 -0600 +Subject: io_uring: fix poll file assign deadlock + +From: Pavel Begunkov + +commit cce64ef01308b677a687d90927fc2b2e0e1cba67 upstream. + +We pass "unlocked" into io_assign_file() in io_poll_check_events(), +which can lead to double locking. + +Fixes: 6bf9c47a3989 ("io_uring: defer file assignment") +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/2476d4ae46554324b599ee4055447b105f20a75a.1649862516.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + fs/io_uring.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -5510,8 +5510,9 @@ static int io_poll_check_events(struct i + + if (!req->result) { + struct poll_table_struct pt = { ._key = poll->events }; ++ unsigned flags = locked ? 0 : IO_URING_F_UNLOCKED; + +- if (unlikely(!io_assign_file(req, IO_URING_F_UNLOCKED))) ++ if (unlikely(!io_assign_file(req, flags))) + req->result = -EBADF; + else + req->result = vfs_poll(req->file, &pt) & poll->events; diff --git a/queue-5.17/io_uring-use-right-issue_flags-for-splice-tee.patch b/queue-5.17/io_uring-use-right-issue_flags-for-splice-tee.patch new file mode 100644 index 00000000000..e1a4dcc83bb --- /dev/null +++ b/queue-5.17/io_uring-use-right-issue_flags-for-splice-tee.patch @@ -0,0 +1,42 @@ +From foo@baz Mon Apr 18 03:05:20 PM CEST 2022 +From: Pavel Begunkov +Date: Wed, 13 Apr 2022 16:10:33 +0100 +Subject: io_uring: use right issue_flags for splice/tee + +From: Pavel Begunkov + +commit e941976659f1f6834077a1596bf53e6bdb10e90b upstream. + +Pass right issue_flags into into io_file_get_fixed() instead of +IO_URING_F_UNLOCKED. It's probably not a problem at the moment but let's +do it safer. + +Fixes: 6bf9c47a3989 ("io_uring: defer file assignment") +Signed-off-by: Pavel Begunkov +Link: https://lore.kernel.org/r/7d242daa9df5d776907686977cd29fbceb4a2d8d.1649862516.git.asml.silence@gmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + fs/io_uring.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -4140,7 +4140,7 @@ static int io_tee(struct io_kiocb *req, + return -EAGAIN; + + if (sp->flags & SPLICE_F_FD_IN_FIXED) +- in = io_file_get_fixed(req, sp->splice_fd_in, IO_URING_F_UNLOCKED); ++ in = io_file_get_fixed(req, sp->splice_fd_in, issue_flags); + else + in = io_file_get_normal(req, sp->splice_fd_in); + if (!in) { +@@ -4182,7 +4182,7 @@ static int io_splice(struct io_kiocb *re + return -EAGAIN; + + if (sp->flags & SPLICE_F_FD_IN_FIXED) +- in = io_file_get_fixed(req, sp->splice_fd_in, IO_URING_F_UNLOCKED); ++ in = io_file_get_fixed(req, sp->splice_fd_in, issue_flags); + else + in = io_file_get_normal(req, sp->splice_fd_in); + if (!in) { diff --git a/queue-5.17/series b/queue-5.17/series index 6753d313a26..06c1006994d 100644 --- a/queue-5.17/series +++ b/queue-5.17/series @@ -217,3 +217,6 @@ mm-kfence-support-kmem_dump_obj-for-kfence-objects.patch drm-i915-sunset-igpu-legacy-mmap-support-based-on-graphics_ver_full.patch cpu-hotplug-remove-the-cpu-member-of-cpuhp_cpu_state.patch ax25-fix-uaf-bugs-in-ax25-timers.patch +io_uring-use-right-issue_flags-for-splice-tee.patch +io_uring-fix-poll-file-assign-deadlock.patch +io_uring-fix-poll-error-reporting.patch