From f18ce5788730de3b6ea5eb43ee06258383efd1f7 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 13 Feb 2024 14:20:29 +0100
Subject: [PATCH] 6.6-stable patches

added patches:
	io_uring-net-fix-sr-len-for-ioring_op_recv-with-msg_waitall-and-buffers.patch
	io_uring-net-un-indent-mshot-retry-path-in-io_recv_finish.patch
---
 ...op_recv-with-msg_waitall-and-buffers.patch | 37 ++++++++++
 ...t-mshot-retry-path-in-io_recv_finish.patch | 67 +++++++++++++++++++
 queue-6.6/series                              |  2 +
 3 files changed, 106 insertions(+)
 create mode 100644 queue-6.6/io_uring-net-fix-sr-len-for-ioring_op_recv-with-msg_waitall-and-buffers.patch
 create mode 100644 queue-6.6/io_uring-net-un-indent-mshot-retry-path-in-io_recv_finish.patch

diff --git a/queue-6.6/io_uring-net-fix-sr-len-for-ioring_op_recv-with-msg_waitall-and-buffers.patch b/queue-6.6/io_uring-net-fix-sr-len-for-ioring_op_recv-with-msg_waitall-and-buffers.patch
new file mode 100644
index 00000000000..8e04daee23a
--- /dev/null
+++ b/queue-6.6/io_uring-net-fix-sr-len-for-ioring_op_recv-with-msg_waitall-and-buffers.patch
@@ -0,0 +1,37 @@
+From 72bd80252feeb3bef8724230ee15d9f7ab541c6e Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Thu, 1 Feb 2024 06:42:36 -0700
+Subject: io_uring/net: fix sr->len for IORING_OP_RECV with MSG_WAITALL and buffers
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 72bd80252feeb3bef8724230ee15d9f7ab541c6e upstream.
+
+If we use IORING_OP_RECV with provided buffers and pass in '0' as the
+length of the request, the length is retrieved from the selected buffer.
+If MSG_WAITALL is also set and we get a short receive, then we may hit
+the retry path which decrements sr->len and increments the buffer for
+a retry. However, the length is still zero at this point, which means
+that sr->len now becomes huge and import_ubuf() will cap it to
+MAX_RW_COUNT and subsequently return -EFAULT for the range as a whole.
+
+Fix this by always assigning sr->len once the buffer has been selected.
+
+Cc: stable@vger.kernel.org
+Fixes: 7ba89d2af17a ("io_uring: ensure recv and recvmsg handle MSG_WAITALL correctly")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/net.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/io_uring/net.c
++++ b/io_uring/net.c
+@@ -902,6 +902,7 @@ retry_multishot:
+ 		if (!buf)
+ 			return -ENOBUFS;
+ 		sr->buf = buf;
++		sr->len = len;
+ 	}
+ 
+ 	ret = import_ubuf(ITER_DEST, sr->buf, len, &msg.msg_iter);
diff --git a/queue-6.6/io_uring-net-un-indent-mshot-retry-path-in-io_recv_finish.patch b/queue-6.6/io_uring-net-un-indent-mshot-retry-path-in-io_recv_finish.patch
new file mode 100644
index 00000000000..49e1f148923
--- /dev/null
+++ b/queue-6.6/io_uring-net-un-indent-mshot-retry-path-in-io_recv_finish.patch
@@ -0,0 +1,67 @@
+From 91e5d765a82fb2c9d0b7ad930d8953208081ddf1 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Mon, 29 Jan 2024 11:54:18 -0700
+Subject: io_uring/net: un-indent mshot retry path in io_recv_finish()
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit 91e5d765a82fb2c9d0b7ad930d8953208081ddf1 upstream.
+
+In preparation for putting some retry logic in there, have the done
+path just skip straight to the end rather than have too much nesting
+in here.
+
+No functional changes in this patch.
+
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ io_uring/net.c |   36 ++++++++++++++++++++----------------
+ 1 file changed, 20 insertions(+), 16 deletions(-)
+
+--- a/io_uring/net.c
++++ b/io_uring/net.c
+@@ -645,23 +645,27 @@ static inline bool io_recv_finish(struct
+ 		return true;
+ 	}
+ 
+-	if (!mshot_finished) {
+-		if (io_fill_cqe_req_aux(req, issue_flags & IO_URING_F_COMPLETE_DEFER,
+-					*ret, cflags | IORING_CQE_F_MORE)) {
+-			io_recv_prep_retry(req);
+-			/* Known not-empty or unknown state, retry */
+-			if (cflags & IORING_CQE_F_SOCK_NONEMPTY ||
+-			    msg->msg_inq == -1)
+-				return false;
+-			if (issue_flags & IO_URING_F_MULTISHOT)
+-				*ret = IOU_ISSUE_SKIP_COMPLETE;
+-			else
+-				*ret = -EAGAIN;
+-			return true;
+-		}
+-		/* Otherwise stop multishot but use the current result. */
+-	}
++	if (mshot_finished)
++		goto finish;
+ 
++	/*
++	 * Fill CQE for this receive and see if we should keep trying to
++	 * receive from this socket.
++	 */
++	if (io_fill_cqe_req_aux(req, issue_flags & IO_URING_F_COMPLETE_DEFER,
++				*ret, cflags | IORING_CQE_F_MORE)) {
++		io_recv_prep_retry(req);
++		/* Known not-empty or unknown state, retry */
++		if (cflags & IORING_CQE_F_SOCK_NONEMPTY || msg->msg_inq == -1)
++			return false;
++		if (issue_flags & IO_URING_F_MULTISHOT)
++			*ret = IOU_ISSUE_SKIP_COMPLETE;
++		else
++			*ret = -EAGAIN;
++		return true;
++	}
++	/* Otherwise stop multishot but use the current result. */
++finish:
+ 	io_req_set_res(req, *ret, cflags);
+ 
+ 	if (issue_flags & IO_URING_F_MULTISHOT)
diff --git a/queue-6.6/series b/queue-6.6/series
index 6f5a0c942e5..e1399db1068 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -112,3 +112,5 @@ usb-dwc3-pci-add-support-for-the-intel-arrow-lake-h.patch
 hrtimer-report-offline-hrtimer-enqueue.patch
 input-i8042-fix-strange-behavior-of-touchpad-on-clevo-ns70pu.patch
 input-atkbd-skip-atkbd_cmd_setleds-when-skipping-atkbd_cmd_getid.patch
+io_uring-net-fix-sr-len-for-ioring_op_recv-with-msg_waitall-and-buffers.patch
+io_uring-net-un-indent-mshot-retry-path-in-io_recv_finish.patch
-- 
2.47.3