Commit e67bf352 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'io_uring-7.0-20260312' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux 

Pull io_uring fixes from Jens Axboe:

 - Fix an inverted true/false comment on task_no_new_privs, from the
   BPF filtering changes merged in this release

 - Use the migration disabling way of running the BPF filters, as the
   io_uring side doesn't do that already

 - Fix an issue with ->rings stability under resize, both for local
   task_work additions and for eventfd signaling

 - Fix an issue with SQE mixed mode, where a bounds check wasn't correct
   for having a 128b SQE

 - Fix an issue where a legacy provided buffer group is changed to to
   ring mapped one while legacy buffers from that group are in flight

* tag 'io_uring-7.0-20260312' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux:
  io_uring/kbuf: check if target buffer list is still legacy on recycle
  io_uring: fix physical SQE bounds check for SQE_MIXED 128-byte ops
  io_uring/eventfd: use ctx->rings_rcu for flags checking
  io_uring: ensure ctx->rings is stable for task work flags manipulation
  io_uring/bpf_filter: use bpf_prog_run_pin_on_cpu() to prevent migration
  io_uring/register: fix comment about task_no_new_privs
parents 8174dafb c2c185be

include/linux/io_uring_types.h

+1 −0
Original line number Diff line number Diff line
@@ -388,6 +388,7 @@ struct io_ring_ctx { 
	 * regularly bounce b/w CPUs.

	 */

	struct {

		struct io_rings	__rcu	*rings_rcu;

		struct llist_head	work_llist;

		struct llist_head	retry_llist;

		unsigned long		check_cq;

io_uring/bpf_filter.c

+1 −1
Original line number Diff line number Diff line
@@ -85,7 +85,7 @@ int __io_uring_run_bpf_filters(struct io_bpf_filter __rcu **filters, 
	do {

		if (filter == &dummy_filter)

			return -EACCES;

		ret = bpf_prog_run(filter->prog, &bpf_ctx);

		ret = bpf_prog_run_pin_on_cpu(filter->prog, &bpf_ctx);

		if (!ret)

			return -EACCES;

		filter = filter->next;

io_uring/eventfd.c

+7 −3
Original line number Diff line number Diff line
@@ -76,11 +76,15 @@ void io_eventfd_signal(struct io_ring_ctx *ctx, bool cqe_event) 
{

	bool skip = false;

	struct io_ev_fd *ev_fd;



	if (READ_ONCE(ctx->rings->cq_flags) & IORING_CQ_EVENTFD_DISABLED)

		return;

	struct io_rings *rings;



	guard(rcu)();



	rings = rcu_dereference(ctx->rings_rcu);

	if (!rings)

		return;

	if (READ_ONCE(rings->cq_flags) & IORING_CQ_EVENTFD_DISABLED)

		return;

	ev_fd = rcu_dereference(ctx->io_ev_fd);

	/*

	 * Check again if ev_fd exists in case an io_eventfd_unregister call

io_uring/io_uring.c

+3 −1
Original line number Diff line number Diff line
@@ -1745,7 +1745,7 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, 
		 * well as 2 contiguous entries.

		 */

		if (!(ctx->flags & IORING_SETUP_SQE_MIXED) || *left < 2 ||

		    !(ctx->cached_sq_head & (ctx->sq_entries - 1)))

		    (unsigned)(sqe - ctx->sq_sqes) >= ctx->sq_entries - 1)

			return io_init_fail_req(req, -EINVAL);

		/*

		 * A 128b operation on a mixed SQ uses two entries, so we have
@@ -2066,6 +2066,7 @@ static void io_rings_free(struct io_ring_ctx *ctx) 
	io_free_region(ctx->user, &ctx->sq_region);

	io_free_region(ctx->user, &ctx->ring_region);

	ctx->rings = NULL;

	RCU_INIT_POINTER(ctx->rings_rcu, NULL);

	ctx->sq_sqes = NULL;

}
@@ -2703,6 +2704,7 @@ static __cold int io_allocate_scq_urings(struct io_ring_ctx *ctx, 
	if (ret)

		return ret;

	ctx->rings = rings = io_region_get_ptr(&ctx->ring_region);

	rcu_assign_pointer(ctx->rings_rcu, rings);

	if (!(ctx->flags & IORING_SETUP_NO_SQARRAY))

		ctx->sq_array = (u32 *)((char *)rings + rl->sq_array_offset);

io_uring/kbuf.c

+11 −2
Original line number Diff line number Diff line
@@ -111,9 +111,18 @@ bool io_kbuf_recycle_legacy(struct io_kiocb *req, unsigned issue_flags) 


	buf = req->kbuf;

	bl = io_buffer_get_list(ctx, buf->bgid);

	/*

	 * If the buffer list was upgraded to a ring-based one, or removed,

	 * while the request was in-flight in io-wq, drop it.

	 */

	if (bl && !(bl->flags & IOBL_BUF_RING)) {

		list_add(&buf->list, &bl->buf_list);

		bl->nbufs++;

	} else {

		kfree(buf);

	}

	req->flags &= ~REQ_F_BUFFER_SELECTED;

	req->kbuf = NULL;



	io_ring_submit_unlock(ctx, issue_flags);

	return true;