From: Greg Kroah-Hartman Date: Tue, 13 Feb 2024 13:20:17 +0000 (+0100) Subject: 6.1-stable patches X-Git-Tag: v6.1.78~44 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=61e1400eda7bf31a46c0845541a37dce9fc5b91f;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: io_uring-net-fix-sr-len-for-ioring_op_recv-with-msg_waitall-and-buffers.patch --- diff --git a/queue-6.1/io_uring-net-fix-sr-len-for-ioring_op_recv-with-msg_waitall-and-buffers.patch b/queue-6.1/io_uring-net-fix-sr-len-for-ioring_op_recv-with-msg_waitall-and-buffers.patch new file mode 100644 index 00000000000..f8800d8c7f0 --- /dev/null +++ b/queue-6.1/io_uring-net-fix-sr-len-for-ioring_op_recv-with-msg_waitall-and-buffers.patch 
@@ -0,0 +1,37 @@ +From 72bd80252feeb3bef8724230ee15d9f7ab541c6e Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Thu, 1 Feb 2024 06:42:36 -0700 +Subject: io_uring/net: fix sr->len for IORING_OP_RECV with MSG_WAITALL and buffers + +From: Jens Axboe + +commit 72bd80252feeb3bef8724230ee15d9f7ab541c6e upstream. + +If we use IORING_OP_RECV with provided buffers and pass in '0' as the +length of the request, the length is retrieved from the selected buffer. +If MSG_WAITALL is also set and we get a short receive, then we may hit +the retry path which decrements sr->len and increments the buffer for +a retry. However, the length is still zero at this point, which means +that sr->len now becomes huge and import_ubuf() will cap it to +MAX_RW_COUNT and subsequently return -EFAULT for the range as a whole. + +Fix this by always assigning sr->len once the buffer has been selected. + +Cc: stable@vger.kernel.org +Fixes: 7ba89d2af17a ("io_uring: ensure recv and recvmsg handle MSG_WAITALL correctly") +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/net.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/io_uring/net.c ++++ b/io_uring/net.c +@@ -875,6 +875,7 @@ retry_multishot: + if (!buf) + return -ENOBUFS; + sr->buf = buf; ++ sr->len = len; + } + + ret = import_single_range(ITER_DEST, sr->buf, len, &iov, &msg.msg_iter); diff --git a/queue-6.1/series b/queue-6.1/series index f4b0c85814d..50619e2624a 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -55,3 +55,4 @@ xhci-handle-isoc-babble-and-buffer-overrun-events-properly.patch hrtimer-report-offline-hrtimer-enqueue.patch input-i8042-fix-strange-behavior-of-touchpad-on-clevo-ns70pu.patch input-atkbd-skip-atkbd_cmd_setleds-when-skipping-atkbd_cmd_getid.patch +io_uring-net-fix-sr-len-for-ioring_op_recv-with-msg_waitall-and-buffers.patch
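Review bot: In the io_uring/net.c hunk at retry_multishot, the added "sr->len = len;" has no comment saying why the request length must be written back once the buffer is selected, so the dependency on the MSG_WAITALL retry path described in the commit message is invisible at the assignment site. A one-line comment above the assignment, noting that the retry path adjusts sr->len after a short receive and that it must therefore hold the selected buffer's length rather than the zero passed in, would make this harder to drop in a later backport. Separately, the commit message names import_ubuf() as the function that caps the length and returns -EFAULT, while the trailing context line of this 6.1 hunk calls import_single_range(ITER_DEST, sr->buf, len, &iov, &msg.msg_iter); a short backport note in the message stating which import helper applies in this tree would keep the description consistent with the code it is queued against.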