Fixes for all trees

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-6.18/io_uring-net-avoid-msghdr-on-op_connect-op_bind-asyn.patch b/queue-6.18/io_uring-net-avoid-msghdr-on-op_connect-op_bind-asyn.patch
new file mode 100644 (file)
index 0000000..51dc10f
--- /dev/null
+++ b/queue-6.18/io_uring-net-avoid-msghdr-on-op_connect-op_bind-asyn.patch
@@ -0,0 +1,174 @@
+From 3ecfc4f6161dffc3bba300d5e4f9e58f2bf3e4e9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 17 Jun 2026 15:27:22 -0400
+Subject: io_uring/net: Avoid msghdr on op_connect/op_bind async data
+
+From: Gabriel Krisman Bertazi <krisman@suse.de>
+
+[ Upstream commit 3979840cd858f30f43ea9f4e7f7f1f56de82d698 ]
+This fixes a memory leak due to the lack of the cleanup hook for the
+iovec.  The stable backport differs from upstream by dropping the
+io_connect_bpf_populate hunk, which didn't exist at the time and by
+fixing the merge conflict due to the introduction of
+io_bind_file_create.
+
+Both IORING_OP_CONNECT and IORING_OP_BIND reuse the msghdr object just
+to store the sockaddr. Beyond allocating a much larger object than
+needed, msghdr can also wrap an iovec, which will be recycled
+unnecessarily. This uses the sockaddr directly.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gabriel Krisman Bertazi <krisman@suse.de>
+Link: https://patch.msgid.link/20260602215327.1885109-2-krisman@suse.de
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Gabriel Krisman Bertazi <krisman@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ io_uring/net.c   | 36 ++++++++++++++++++------------------
+ io_uring/opdef.c |  4 ++--
+ 2 files changed, 20 insertions(+), 20 deletions(-)
+
+diff --git a/io_uring/net.c b/io_uring/net.c
+index a46c7e81704024..3ab2bfca1bd5dd 100644
+--- a/io_uring/net.c
++++ b/io_uring/net.c
+@@ -1771,7 +1771,7 @@ int io_socket(struct io_kiocb *req, unsigned int issue_flags)
+ int io_connect_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
+ {
+       struct io_connect *conn = io_kiocb_to_cmd(req, struct io_connect);
+-      struct io_async_msghdr *io;
++      struct sockaddr_storage *addr;
+ 
+       if (sqe->len || sqe->buf_index || sqe->rw_flags || sqe->splice_fd_in)
+               return -EINVAL;
+@@ -1780,17 +1780,17 @@ int io_connect_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
+       conn->addr_len =  READ_ONCE(sqe->addr2);
+       conn->in_progress = conn->seen_econnaborted = false;
+ 
+-      io = io_msg_alloc_async(req);
+-      if (unlikely(!io))
++      addr = io_uring_alloc_async_data(NULL, req);
++      if (unlikely(!addr))
+               return -ENOMEM;
+ 
+-      return move_addr_to_kernel(conn->addr, conn->addr_len, &io->addr);
++      return move_addr_to_kernel(conn->addr, conn->addr_len, addr);
+ }
+ 
+ int io_connect(struct io_kiocb *req, unsigned int issue_flags)
+ {
+       struct io_connect *connect = io_kiocb_to_cmd(req, struct io_connect);
+-      struct io_async_msghdr *io = req->async_data;
++      struct sockaddr_storage *addr = req->async_data;
+       unsigned file_flags;
+       int ret;
+       bool force_nonblock = issue_flags & IO_URING_F_NONBLOCK;
+@@ -1804,8 +1804,7 @@ int io_connect(struct io_kiocb *req, unsigned int issue_flags)
+ 
+       file_flags = force_nonblock ? O_NONBLOCK : 0;
+ 
+-      ret = __sys_connect_file(req->file, &io->addr, connect->addr_len,
+-                               file_flags);
++      ret = __sys_connect_file(req->file, addr, connect->addr_len, file_flags);
+       if ((ret == -EAGAIN || ret == -EINPROGRESS || ret == -ECONNABORTED)
+           && force_nonblock) {
+               if (ret == -EINPROGRESS) {
+@@ -1834,7 +1833,6 @@ int io_connect(struct io_kiocb *req, unsigned int issue_flags)
+ out:
+       if (ret < 0)
+               req_set_fail(req);
+-      io_req_msg_cleanup(req, issue_flags);
+       io_req_set_res(req, ret, 0);
+       return IOU_COMPLETE;
+ }
+@@ -1844,15 +1842,15 @@ int io_connect(struct io_kiocb *req, unsigned int issue_flags)
+  * which in turn end up in mnt_want_write() which will grab the fs
+  * percpu start write sem. This can trigger a lockdep warning.
+  */
+-static int io_bind_file_create(const struct io_async_msghdr *io, int addr_len)
++static int io_bind_file_create(const struct sockaddr_storage *addr, int addr_len)
+ {
+       const struct sockaddr_un *sun;
+ 
+-      if (io->addr.ss_family != AF_UNIX)
++      if (addr->ss_family != AF_UNIX)
+               return 0;
+       if (addr_len <= offsetof(struct sockaddr_un, sun_path))
+               return 0;
+-      sun = (const struct sockaddr_un *) &io->addr;
++      sun = (const struct sockaddr_un *) addr;
+       return sun->sun_path[0] != '\0';
+ }
+ 
+@@ -1860,7 +1858,7 @@ int io_bind_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
+ {
+       struct io_bind *bind = io_kiocb_to_cmd(req, struct io_bind);
+       struct sockaddr __user *uaddr;
+-      struct io_async_msghdr *io;
++      struct sockaddr_storage *addr;
+       int ret;
+ 
+       if (sqe->len || sqe->buf_index || sqe->rw_flags || sqe->splice_fd_in)
+@@ -1869,21 +1867,23 @@ int io_bind_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
+       uaddr = u64_to_user_ptr(READ_ONCE(sqe->addr));
+       bind->addr_len =  READ_ONCE(sqe->addr2);
+ 
+-      io = io_msg_alloc_async(req);
+-      if (unlikely(!io))
++      addr = io_uring_alloc_async_data(NULL, req);
++      if (unlikely(!addr))
+               return -ENOMEM;
+-      ret = move_addr_to_kernel(uaddr, bind->addr_len, &io->addr);
++
++      ret = move_addr_to_kernel(uaddr, bind->addr_len, addr);
+       if (unlikely(ret))
+               return ret;
+-      if (io_bind_file_create(io, bind->addr_len))
++      if (io_bind_file_create(addr, bind->addr_len))
+               req->flags |= REQ_F_FORCE_ASYNC;
+       return 0;
+ }
+ 
++
+ int io_bind(struct io_kiocb *req, unsigned int issue_flags)
+ {
+       struct io_bind *bind = io_kiocb_to_cmd(req, struct io_bind);
+-      struct io_async_msghdr *io = req->async_data;
++      struct sockaddr_storage *addr = req->async_data;
+       struct socket *sock;
+       int ret;
+ 
+@@ -1891,7 +1891,7 @@ int io_bind(struct io_kiocb *req, unsigned int issue_flags)
+       if (unlikely(!sock))
+               return -ENOTSOCK;
+ 
+-      ret = __sys_bind_socket(sock, &io->addr, bind->addr_len);
++      ret = __sys_bind_socket(sock, addr, bind->addr_len);
+       if (ret < 0)
+               req_set_fail(req);
+       io_req_set_res(req, ret, 0);
+diff --git a/io_uring/opdef.c b/io_uring/opdef.c
+index 932319633eac20..a57c820567f772 100644
+--- a/io_uring/opdef.c
++++ b/io_uring/opdef.c
+@@ -207,7 +207,7 @@ const struct io_issue_def io_issue_defs[] = {
+               .unbound_nonreg_file    = 1,
+               .pollout                = 1,
+ #if defined(CONFIG_NET)
+-              .async_size             = sizeof(struct io_async_msghdr),
++              .async_size             = sizeof(struct sockaddr_storage),
+               .prep                   = io_connect_prep,
+               .issue                  = io_connect,
+ #else
+@@ -504,7 +504,7 @@ const struct io_issue_def io_issue_defs[] = {
+               .needs_file             = 1,
+               .prep                   = io_bind_prep,
+               .issue                  = io_bind,
+-              .async_size             = sizeof(struct io_async_msghdr),
++              .async_size             = sizeof(struct sockaddr_storage),
+ #else
+               .prep                   = io_eopnotsupp_prep,
+ #endif
+-- 
+2.53.0
+

diff --git a/queue-6.18/series b/queue-6.18/series
new file mode 100644 (file)
index 0000000..7dd13f0
--- /dev/null
+++ b/queue-6.18/series
@@ -0,0 +1 @@
+io_uring-net-avoid-msghdr-on-op_connect-op_bind-asyn.patch