--- /dev/null
+From 72bd80252feeb3bef8724230ee15d9f7ab541c6e Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Thu, 1 Feb 2024 06:42:36 -0700
+Subject: io_uring/net: fix sr->len for IORING_OP_RECV with MSG_WAITALL and buffers
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 72bd80252feeb3bef8724230ee15d9f7ab541c6e upstream.
+
+If we use IORING_OP_RECV with provided buffers and pass in '0' as the
+length of the request, the length is retrieved from the selected buffer.
+If MSG_WAITALL is also set and we get a short receive, then we may hit
+the retry path which decrements sr->len and increments the buffer for
+a retry. However, the length is still zero at this point, which means
+that sr->len now becomes huge and import_ubuf() will cap it to
+MAX_RW_COUNT and subsequently return -EFAULT for the range as a whole.
+
+Fix this by always assigning sr->len once the buffer has been selected.
+
+Cc: stable@vger.kernel.org
+Fixes: 7ba89d2af17a ("io_uring: ensure recv and recvmsg handle MSG_WAITALL correctly")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/net.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/io_uring/net.c
++++ b/io_uring/net.c
+@@ -902,6 +902,7 @@ retry_multishot:
+ if (!buf)
+ return -ENOBUFS;
+ sr->buf = buf;
++ sr->len = len;
+ }
+
+ ret = import_ubuf(ITER_DEST, sr->buf, len, &msg.msg_iter);
--- /dev/null
+From 91e5d765a82fb2c9d0b7ad930d8953208081ddf1 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Mon, 29 Jan 2024 11:54:18 -0700
+Subject: io_uring/net: un-indent mshot retry path in io_recv_finish()
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 91e5d765a82fb2c9d0b7ad930d8953208081ddf1 upstream.
+
+In preparation for putting some retry logic in there, have the done
+path just skip straight to the end rather than have too much nesting
+in here.
+
+No functional changes in this patch.
+
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/net.c | 36 ++++++++++++++++++++----------------
+ 1 file changed, 20 insertions(+), 16 deletions(-)
+
+--- a/io_uring/net.c
++++ b/io_uring/net.c
+@@ -645,23 +645,27 @@ static inline bool io_recv_finish(struct
+ return true;
+ }
+
+- if (!mshot_finished) {
+- if (io_fill_cqe_req_aux(req, issue_flags & IO_URING_F_COMPLETE_DEFER,
+- *ret, cflags | IORING_CQE_F_MORE)) {
+- io_recv_prep_retry(req);
+- /* Known not-empty or unknown state, retry */
+- if (cflags & IORING_CQE_F_SOCK_NONEMPTY ||
+- msg->msg_inq == -1)
+- return false;
+- if (issue_flags & IO_URING_F_MULTISHOT)
+- *ret = IOU_ISSUE_SKIP_COMPLETE;
+- else
+- *ret = -EAGAIN;
+- return true;
+- }
+- /* Otherwise stop multishot but use the current result. */
+- }
++ if (mshot_finished)
++ goto finish;
+
++ /*
++ * Fill CQE for this receive and see if we should keep trying to
++ * receive from this socket.
++ */
++ if (io_fill_cqe_req_aux(req, issue_flags & IO_URING_F_COMPLETE_DEFER,
++ *ret, cflags | IORING_CQE_F_MORE)) {
++ io_recv_prep_retry(req);
++ /* Known not-empty or unknown state, retry */
++ if (cflags & IORING_CQE_F_SOCK_NONEMPTY || msg->msg_inq == -1)
++ return false;
++ if (issue_flags & IO_URING_F_MULTISHOT)
++ *ret = IOU_ISSUE_SKIP_COMPLETE;
++ else
++ *ret = -EAGAIN;
++ return true;
++ }
++ /* Otherwise stop multishot but use the current result. */
++finish:
+ io_req_set_res(req, *ret, cflags);
+
+ if (issue_flags & IO_URING_F_MULTISHOT)
projects / thirdparty / kernel / stable-queue.git / commitdiff
