From: Greg Kroah-Hartman Date: Mon, 29 Dec 2025 15:32:00 +0000 (+0100) Subject: 6.12-stable patches X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=969651b0cdc791af75cf2ccd8a96b70db5243132;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: io_uring-fix-min_wait-wakeups-for-sqpoll.patch io_uring-poll-correctly-handle-io_poll_add-return-value-on-update.patch --- diff --git a/queue-6.12/io_uring-fix-min_wait-wakeups-for-sqpoll.patch b/queue-6.12/io_uring-fix-min_wait-wakeups-for-sqpoll.patch new file mode 100644 index 0000000000..e20de51312 --- /dev/null +++ b/queue-6.12/io_uring-fix-min_wait-wakeups-for-sqpoll.patch 
@@ -0,0 +1,65 @@ +From d6c35491cdc6df56fe1ab749c17048b23f1ccf39 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Tue, 9 Dec 2025 13:25:23 -0700 +Subject: io_uring: fix min_wait wakeups for SQPOLL + +From: Jens Axboe + +Commit e15cb2200b934e507273510ba6bc747d5cde24a3 upstream. + +Using min_wait, two timeouts are given: + +1) The min_wait timeout, within which up to 'wait_nr' events are + waited for. +2) The overall long timeout, which is entered if no events are generated + in the min_wait window. + +If the min_wait has expired, any event being posted must wake the task. +For SQPOLL, that isn't the case, as it won't trigger the io_has_work() +condition, as it will have already processed the task_work that happened +when an event was posted. This causes any event to trigger post the +min_wait to not always cause the waiting application to wakeup, and +instead it will wait until the overall timeout has expired. This can be +shown in a test case that has a 1 second min_wait, with a 5 second +overall wait, even if an event triggers after 1.5 seconds: + +axboe@m2max-kvm /d/iouring-mre (master)> zig-out/bin/iouring +info: MIN_TIMEOUT supported: true, features: 0x3ffff +info: Testing: min_wait=1000ms, timeout=5s, wait_nr=4 +info: 1 cqes in 5000.2ms + +where the expected result should be: + +axboe@m2max-kvm /d/iouring-mre (master)> zig-out/bin/iouring +info: MIN_TIMEOUT supported: true, features: 0x3ffff +info: Testing: min_wait=1000ms, timeout=5s, wait_nr=4 +info: 1 cqes in 1500.3ms + +When the min_wait timeout triggers, reset the number of completions +needed to wake the task. This should ensure that any future events will +wake the task, regardless of how many events it originally wanted to +wait for. 
+ +Reported-by: Tip ten Brink +Cc: stable@vger.kernel.org +Fixes: 1100c4a2656d ("io_uring: add support for batch wait timeout") +Link: https://github.com/axboe/liburing/issues/1477 +Signed-off-by: Jens Axboe +(cherry picked from commit e15cb2200b934e507273510ba6bc747d5cde24a3) +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/io_uring.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/io_uring/io_uring.c ++++ b/io_uring/io_uring.c +@@ -2421,6 +2421,9 @@ static enum hrtimer_restart io_cqring_mi + goto out_wake; + } + ++ /* any generated CQE posted past this time should wake us up */ ++ iowq->cq_tail = iowq->cq_min_tail; ++ + iowq->t.function = io_cqring_timer_wakeup; + hrtimer_set_expires(timer, iowq->timeout); + return HRTIMER_RESTART; diff --git a/queue-6.12/io_uring-poll-correctly-handle-io_poll_add-return-value-on-update.patch b/queue-6.12/io_uring-poll-correctly-handle-io_poll_add-return-value-on-update.patch new file mode 100644 index 0000000000..dd271fa3e5 --- /dev/null +++ b/queue-6.12/io_uring-poll-correctly-handle-io_poll_add-return-value-on-update.patch 
@@ -0,0 +1,53 @@ +From a40f5a12d62f20ce2f9c3687b880218c09e0cd74 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Mon, 1 Dec 2025 13:25:22 -0700 +Subject: io_uring/poll: correctly handle io_poll_add() return value on update + +From: Jens Axboe + +Commit 84230ad2d2afbf0c44c32967e525c0ad92e26b4e upstream. + +When the core of io_uring was updated to handle completions +consistently and with fixed return codes, the POLL_REMOVE opcode +with updates got slightly broken. If a POLL_ADD is pending and +then POLL_REMOVE is used to update the events of that request, if that +update causes the POLL_ADD to now trigger, then that completion is lost +and a CQE is never posted. + +Additionally, ensure that if an update does cause an existing POLL_ADD +to complete, that the completion value isn't always overwritten with +-ECANCELED. For that case, whatever io_poll_add() set the value to +should just be retained. + +Cc: stable@vger.kernel.org +Fixes: 97b388d70b53 ("io_uring: handle completions in the core") +Reported-by: syzbot+641eec6b7af1f62f2b99@syzkaller.appspotmail.com +Tested-by: syzbot+641eec6b7af1f62f2b99@syzkaller.appspotmail.com +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + io_uring/poll.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/io_uring/poll.c ++++ b/io_uring/poll.c +@@ -1038,12 +1038,17 @@ found: + + ret2 = io_poll_add(preq, issue_flags & ~IO_URING_F_UNLOCKED); + /* successfully updated, don't complete poll request */ +- if (!ret2 || ret2 == -EIOCBQUEUED) ++ if (ret2 == IOU_ISSUE_SKIP_COMPLETE) + goto out; ++ /* request completed as part of the update, complete it */ ++ else if (ret2 == IOU_OK) ++ goto complete; + } + +- req_set_fail(preq); + io_req_set_res(preq, -ECANCELED, 0); ++complete: ++ if (preq->cqe.res < 0) ++ req_set_fail(preq); + preq->io_task_work.func = io_req_task_complete; + io_req_task_work_add(preq); + out: diff --git a/queue-6.12/series b/queue-6.12/series index 130e723c73..4098c181dd 100644 
--- a/queue-6.12/series +++ b/queue-6.12/series @@ -246,3 +246,5 @@ powerpc-kexec-enable-smt-before-waking-offline-cpus.patch btrfs-don-t-log-conflicting-inode-if-it-s-a-dir-moved-in-the-current-transaction.patch s390-ipl-clear-sbp-flag-when-bootprog-is-set.patch gpio-regmap-fix-memleak-in-error-path-in-gpio_regmap_register.patch +io_uring-poll-correctly-handle-io_poll_add-return-value-on-update.patch +io_uring-fix-min_wait-wakeups-for-sqpoll.patch
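Review bot: In the io_uring/io_uring.c hunk (@@ -2421,6 +2421,9, the hrtimer callback), the added comment states the intent but not why the assignment achieves it, since nothing in the hunk says what cq_min_tail holds. Please extend the comment above "iowq->cq_tail = iowq->cq_min_tail;" to say which tail value cq_min_tail records and that resetting cq_tail to it lowers the wake threshold so a single new CQE is enough, which is what the commit message describes as resetting "the number of completions needed to wake the task". The store is also made from timer callback context just before the timer is re-armed with HRTIMER_RESTART; if the wake check reads iowq->cq_tail from another context, consider WRITE_ONCE() here paired with READ_ONCE() at the reader, or note in the comment why a plain store is sufficient. Minor: this queue file carries both "Commit e15cb2200b934e507273510ba6bc747d5cde24a3 upstream." and a "(cherry picked from commit ...)" line for the same id, while the poll patch carries only the former; one form would be consistent.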
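Review bot: In the io_uring/poll.c hunk (@@ -1038,12 +1038,17), the "else if (ret2 == IOU_OK)" follows a branch that ends in "goto out;", so the else is redundant, and the comment sitting between the two unbraced branches makes the chain easy to misread; a plain "if (ret2 == IOU_OK) goto complete;" after the first test reads more clearly. Any other ret2 value now falls through to "io_req_set_res(preq, -ECANCELED, 0);", so an error returned by io_poll_add() is replaced with -ECANCELED. The commit message only covers the case where the update completes the request, so a short comment at the fall-through stating that this is intended would help. The complete: label is reached both by the goto and by fall-through from the -ECANCELED path, and "if (preq->cqe.res < 0) req_set_fail(preq);" is what keeps the failure marking on that second path; that is worth saying in a comment at the label so a later cleanup does not move the check.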