Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge tag 'io_uring-6.16-20250619' of git://git.kernel.dk/linux

Pull io_uring fixes from Jens Axboe:

- Two fixes for error injection failures. One fixes a task leak issue
introduced in this merge window, the other an older issue with
handling allocation of a mapped buffer.

- Fix for a syzbot issue that triggers a kmalloc warning on attempting
an allocation that's too large

- Fix for an error injection failure causing a double put of a task,
introduced in this merge window

* tag 'io_uring-6.16-20250619' of git://git.kernel.dk/linux:
io_uring: fix potential page leak in io_sqe_buffer_register()
io_uring/sqpoll: don't put task_struct on tctx setup failure
io_uring: remove duplicate io_uring_alloc_task_context() definition
io_uring: fix task leak issue in io_wq_create()
io_uring/rsrc: validate buffer count with offset for cloning

+10 -10
+3 -1
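--- a/io_uring/io-wq.c
+++ b/io_uring/io-wq.c
@@ -1259,8 +1259,10 @@
 atomic_set(&wq->worker_refs, 1);
 init_completion(&wq->worker_done);
 ret = cpuhp_state_add_instance_nocalls(io_wq_online, &wq->cpuhp_node);
-if (ret)
+if (ret) {
+put_task_struct(wq->task);
 goto err;
+}
 
 return wq;
 err: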
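Review bot: The added `put_task_struct(wq->task);` sits inline in the `if (ret)` branch with nothing saying why this one failure needs it while it still jumps to the shared `err:` label. The matching reference grab and the body of `err:` are both outside the hunk, so a reader cannot tell from here that `err:` leaves the task reference alone. If that is the case, a short comment such as `/* err: does not drop the wq->task reference taken above */` would keep a later cleanup refactor from reintroducing the leak or turning it into a double put.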
-2
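--- a/io_uring/io_uring.h
+++ b/io_uring/io_uring.h
@@ -98,8 +98,6 @@
 struct llist_node *tctx_task_work_run(struct io_uring_task *tctx, unsigned int max_entries, unsigned int *count);
 void tctx_task_work(struct callback_head *cb);
 __cold void io_uring_cancel_generic(bool cancel_all, struct io_sq_data *sqd);
-int io_uring_alloc_task_context(struct task_struct *task,
-struct io_ring_ctx *ctx);
 
 int io_ring_add_registered_file(struct io_uring_task *tctx, struct file *file,
 int start, int end);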
+5 -3
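--- a/io_uring/rsrc.c
+++ b/io_uring/rsrc.c
@@ -809,10 +809,8 @@
 
 imu->nr_bvecs = nr_pages;
 ret = io_buffer_account_pin(ctx, pages, nr_pages, imu, last_hpage);
-if (ret) {
-unpin_user_pages(pages, nr_pages);
+if (ret)
 goto done;
-}
 
 size = iov->iov_len;
 /* store original address for later verification */
@@ -842,6 +840,8 @@
 if (ret) {
 if (imu)
 io_free_imu(ctx, imu);
+if (pages)
+unpin_user_pages(pages, nr_pages);
 io_cache_free(&ctx->node_cache, node);
 node = ERR_PTR(ret);
 }
@@ -1177,6 +1177,8 @@
 return -EINVAL;
 if (check_add_overflow(arg->nr, arg->dst_off, &nbufs))
 return -EOVERFLOW;
+if (nbufs > IORING_MAX_REG_BUFFERS)
+return -EINVAL;
 
 ret = io_rsrc_data_alloc(&data, max(nbufs, ctx->buf_table.nr));
 if (ret)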
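Review bot: The new `if (pages) unpin_user_pages(pages, nr_pages);` in the shared error block is only correct if `pages` is NULL, not an error pointer or a stale array, on every path that reaches it with `ret` set. It also needs `nr_pages` to still equal the number of pages actually pinned. Neither is visible here, because the function starts and ends outside these hunks, as does everything between pinning and the first hunk. It is worth confirming that the pin-failure path resets `pages` before jumping, and that any step which replaces or shrinks the page array also updates `nr_pages`; otherwise the fix trades a leak for an unpin of pages that were never pinned, or already released. A comment above the added lines, for example `/* pages is NULL unless the pin succeeded; nothing else drops these pins on failure */`, would record that invariant once it is verified.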
+2 -4
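--- a/io_uring/sqpoll.c
+++ b/io_uring/sqpoll.c
@@ -16,6 +16,7 @@
 #include <uapi/linux/io_uring.h>
 
 #include "io_uring.h"
+#include "tctx.h"
 #include "napi.h"
 #include "sqpoll.h"
 
@@ -419,7 +420,6 @@
 __cold int io_sq_offload_create(struct io_ring_ctx *ctx,
 struct io_uring_params *p)
 {
-struct task_struct *task_to_put = NULL;
 int ret;
 
 /* Retain compatibility with failing for an invalid attach attempt */
@@ -498,7 +498,7 @@
 rcu_assign_pointer(sqd->thread, tsk);
 mutex_unlock(&sqd->lock);
 
-task_to_put = get_task_struct(tsk);
+get_task_struct(tsk);
 ret = io_uring_alloc_task_context(tsk, ctx);
 wake_up_new_task(tsk);
 if (ret)
@@ -513,8 +513,6 @@
 complete(&ctx->sq_data->exited);
 err:
 io_sq_thread_finish(ctx);
-if (task_to_put)
-put_task_struct(task_to_put);
 return ret;
 }
 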
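Review bot: After this change the reference taken by the bare `get_task_struct(tsk);` has no release visible anywhere in the section: the `err:` path no longer calls `put_task_struct()`, and no put appears on the success path in the lines shown. Presumably the sqpoll thread teardown drops it, but that code is outside these hunks, and io_sq_offload_create() itself is only partly shown. A comment at the call, for example `/* reference is held for sqd->thread and dropped at thread teardown, not on the err path */`, would document the ownership once it is confirmed where the put lives. That way the next error-path fix neither leaks the task nor puts it twice.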