tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Merge tag 'io_uring-6.7-2023-12-08' of git://git.kernel.dk/linux

Pull io_uring fixes from Jens Axboe:
"Two minor fixes for issues introduced in this release cycle, and two
fixes for issues or potential issues that are heading to stable.

One of these ends up disabling passing io_uring file descriptors via
SCM_RIGHTS. There really shouldn't be an overlap between that kind of
historic use case and modern usage of io_uring, which is why this was
deemed appropriate"

* tag 'io_uring-6.7-2023-12-08' of git://git.kernel.dk/linux:
io_uring/af_unix: disable sending io_uring over sockets
io_uring/kbuf: check for buffer list readiness after NULL check
io_uring/kbuf: Fix an NULL vs IS_ERR() bug in io_alloc_pbuf_ring()
io_uring: fix mutex_unlock with unreferenced ctx

Linus Torvalds 689659c9 8aa74869

+13 -17
+3 -6
io_uring/io_uring.c
··· 271 271 struct io_kiocb *req, *tmp; 272 272 struct io_tw_state ts = { .locked = true, }; 273 273 274 + percpu_ref_get(&ctx->refs); 274 275 mutex_lock(&ctx->uring_lock); 275 276 llist_for_each_entry_safe(req, tmp, node, io_task_work.node) 276 277 req->io_task_work.func(req, &ts); ··· 279 278 return; 280 279 io_submit_flush_completions(ctx); 281 280 mutex_unlock(&ctx->uring_lock); 281 + percpu_ref_put(&ctx->refs); 282 282 } 283 283 284 284 static int io_alloc_hash_table(struct io_hash_table *table, unsigned bits) ··· 3148 3146 init_completion(&exit.completion); 3149 3147 init_task_work(&exit.task_work, io_tctx_exit_cb); 3150 3148 exit.ctx = ctx; 3151 - /* 3152 - * Some may use context even when all refs and requests have been put, 3153 - * and they are free to do so while still holding uring_lock or 3154 - * completion_lock, see io_req_task_submit(). Apart from other work, 3155 - * this lock/unlock section also waits them to finish. 3156 - */ 3149 + 3157 3150 mutex_lock(&ctx->uring_lock); 3158 3151 while (!list_empty(&ctx->tctx_list)) { 3159 3152 WARN_ON_ONCE(time_after(jiffies, timeout));
+4 -4
io_uring/kbuf.c
··· 636 636 ibf = io_lookup_buf_free_entry(ctx, ring_size); 637 637 if (!ibf) { 638 638 ptr = io_mem_alloc(ring_size); 639 - if (!ptr) 640 - return -ENOMEM; 639 + if (IS_ERR(ptr)) 640 + return PTR_ERR(ptr); 641 641 642 642 /* Allocate and store deferred free entry */ 643 643 ibf = kmalloc(sizeof(*ibf), GFP_KERNEL_ACCOUNT); ··· 756 756 757 757 bl = __io_buffer_get_list(ctx, smp_load_acquire(&ctx->io_bl), bgid); 758 758 759 + if (!bl || !bl->is_mmap) 760 + return NULL; 759 761 /* 760 762 * Ensure the list is fully setup. Only strictly needed for RCU lookup 761 763 * via mmap, and in that case only for the array indexed groups. For 762 764 * the xarray lookups, it's either visible and ready, or not at all. 763 765 */ 764 766 if (!smp_load_acquire(&bl->is_ready)) 765 - return NULL; 766 - if (!bl || !bl->is_mmap) 767 767 return NULL; 768 768 769 769 return bl->buf_ring;
-7
io_uring/rsrc.h
··· 77 77 78 78 int __io_scm_file_account(struct io_ring_ctx *ctx, struct file *file); 79 79 80 - #if defined(CONFIG_UNIX) 81 - static inline bool io_file_need_scm(struct file *filp) 82 - { 83 - return !!unix_get_socket(filp); 84 - } 85 - #else 86 80 static inline bool io_file_need_scm(struct file *filp) 87 81 { 88 82 return false; 89 83 } 90 - #endif 91 84 92 85 static inline int io_scm_file_account(struct io_ring_ctx *ctx, 93 86 struct file *file)
+6
net/core/scm.c
··· 26 26 #include <linux/nsproxy.h> 27 27 #include <linux/slab.h> 28 28 #include <linux/errqueue.h> 29 + #include <linux/io_uring.h> 29 30 30 31 #include <linux/uaccess.h> 31 32 ··· 104 103 105 104 if (fd < 0 || !(file = fget_raw(fd))) 106 105 return -EBADF; 106 + /* don't allow io_uring files */ 107 + if (io_uring_get_socket(file)) { 108 + fput(file); 109 + return -EINVAL; 110 + } 107 111 *fpp++ = file; 108 112 fpl->count++; 109 113 }