Commit ad246d9f authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'io_uring-6.11-20240830' of git://git.kernel.dk/linux 

Pull io_uring fixes from Jens Axboe:

 - A fix for a regression that happened in 6.11 merge window, where the
   copying of iovecs for compat mode applications got broken for certain
   cases.

 - Fix for a bug introduced in 6.10, where if using recv/send bundles
   with classic provided buffers, the recv/send would fail to set the
   right iovec count. This caused 0 byte send/recv results. Found via
   code coverage testing and writing a test case to exercise it.

* tag 'io_uring-6.11-20240830' of git://git.kernel.dk/linux:
  io_uring/kbuf: return correct iovec count from classic buffer peek
  io_uring/rsrc: ensure compat iovecs are copied correctly
parents fb24560f f274495a

io_uring/kbuf.c

+1 −1
Original line number Diff line number Diff line
@@ -129,7 +129,7 @@ static int io_provided_buffers_select(struct io_kiocb *req, size_t *len, 


	iov[0].iov_base = buf;

	iov[0].iov_len = *len;

	return 0;

	return 1;

}



static struct io_uring_buf *io_ring_head_to_buf(struct io_uring_buf_ring *br,

io_uring/rsrc.c

+15 −4
Original line number Diff line number Diff line
@@ -394,10 +394,11 @@ static int __io_sqe_buffers_update(struct io_ring_ctx *ctx, 
				   struct io_uring_rsrc_update2 *up,

				   unsigned int nr_args)

{

	struct iovec __user *uvec = u64_to_user_ptr(up->data);

	u64 __user *tags = u64_to_user_ptr(up->tags);

	struct iovec fast_iov, *iov;

	struct page *last_hpage = NULL;

	struct iovec __user *uvec;

	u64 user_data = up->data;

	__u32 done;

	int i, err;
@@ -410,7 +411,8 @@ static int __io_sqe_buffers_update(struct io_ring_ctx *ctx, 
		struct io_mapped_ubuf *imu;

		u64 tag = 0;



		iov = iovec_from_user(&uvec[done], 1, 1, &fast_iov, ctx->compat);

		uvec = u64_to_user_ptr(user_data);

		iov = iovec_from_user(uvec, 1, 1, &fast_iov, ctx->compat);

		if (IS_ERR(iov)) {

			err = PTR_ERR(iov);

			break;
@@ -443,6 +445,10 @@ static int __io_sqe_buffers_update(struct io_ring_ctx *ctx, 


		ctx->user_bufs[i] = imu;

		*io_get_tag_slot(ctx->buf_data, i) = tag;

		if (ctx->compat)

			user_data += sizeof(struct compat_iovec);

		else

			user_data += sizeof(struct iovec);

	}

	return done ? done : err;

}
@@ -949,7 +955,7 @@ int io_sqe_buffers_register(struct io_ring_ctx *ctx, void __user *arg, 
	struct page *last_hpage = NULL;

	struct io_rsrc_data *data;

	struct iovec fast_iov, *iov = &fast_iov;

	const struct iovec __user *uvec = (struct iovec * __user) arg;

	const struct iovec __user *uvec;

	int i, ret;



	BUILD_BUG_ON(IORING_MAX_REG_BUFFERS >= (1u << 16));
@@ -972,7 +978,8 @@ int io_sqe_buffers_register(struct io_ring_ctx *ctx, void __user *arg, 


	for (i = 0; i < nr_args; i++, ctx->nr_user_bufs++) {

		if (arg) {

			iov = iovec_from_user(&uvec[i], 1, 1, &fast_iov, ctx->compat);

			uvec = (struct iovec __user *) arg;

			iov = iovec_from_user(uvec, 1, 1, &fast_iov, ctx->compat);

			if (IS_ERR(iov)) {

				ret = PTR_ERR(iov);

				break;
@@ -980,6 +987,10 @@ int io_sqe_buffers_register(struct io_ring_ctx *ctx, void __user *arg, 
			ret = io_buffer_validate(iov);

			if (ret)

				break;

			if (ctx->compat)

				arg += sizeof(struct compat_iovec);

			else

				arg += sizeof(struct iovec);

		}



		if (!iov->iov_base && *io_get_tag_slot(data, i)) {