Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge tag 'io_uring-6.18-20251016' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux

Pull io_uring fixes from Jens Axboe:

- Revert of a change that went into an older kernel, and which has been
reported to cause a regression for some write workloads on LVM while
a snapshot is being created

- Fix a regression from this merge window, where some compilers (and/or
certain .config options) would cause an earlier evaluation of a
dereference which would then cause a NULL pointer dereference.

I was only able to reproduce this with OPTIMIZE_FOR_SIZE=y, but David
Howells hit it with just KASAN enabled. Depending on how things
inlined, this makes sense

- Fix for a missing lock around a mem region unregistration

- Fix for ring resizing with the same placement after resize

* tag 'io_uring-6.18-20251016' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux:
io_uring/rw: check for NULL io_br_sel when putting a buffer
io_uring: fix unexpected placement on same size resizing
io_uring: protect mem region deregistration
Revert "io_uring/rw: drop -EOPNOTSUPP check in __io_complete_rw_common()"

+7 -9
+1 -7
io_uring/register.c
··· 421 421 if (unlikely(ret)) 422 422 return ret; 423 423 424 - /* nothing to do, but copy params back */ 425 - if (p.sq_entries == ctx->sq_entries && p.cq_entries == ctx->cq_entries) { 426 - if (copy_to_user(arg, &p, sizeof(p))) 427 - return -EFAULT; 428 - return 0; 429 - } 430 - 431 424 size = rings_size(p.flags, p.sq_entries, p.cq_entries, 432 425 &sq_array_offset); 433 426 if (size == SIZE_MAX) ··· 606 613 if (ret) 607 614 return ret; 608 615 if (copy_to_user(rd_uptr, &rd, sizeof(rd))) { 616 + guard(mutex)(&ctx->mmap_lock); 609 617 io_free_region(ctx, &ctx->param_region); 610 618 return -EFAULT; 611 619 }
+6 -2
io_uring/rw.c
··· 542 542 { 543 543 if (res == req->cqe.res) 544 544 return; 545 - if (res == -EAGAIN && io_rw_should_reissue(req)) { 545 + if ((res == -EOPNOTSUPP || res == -EAGAIN) && io_rw_should_reissue(req)) { 546 546 req->flags |= REQ_F_REISSUE | REQ_F_BL_NO_RECYCLE; 547 547 } else { 548 548 req_set_fail(req); ··· 655 655 if (ret >= 0 && req->flags & REQ_F_CUR_POS) 656 656 req->file->f_pos = rw->kiocb.ki_pos; 657 657 if (ret >= 0 && !(req->ctx->flags & IORING_SETUP_IOPOLL)) { 658 + u32 cflags = 0; 659 + 658 660 __io_complete_rw_common(req, ret); 659 661 /* 660 662 * Safe to call io_end from here as we're inline 661 663 * from the submission path. 662 664 */ 663 665 io_req_io_end(req); 664 - io_req_set_res(req, final_ret, io_put_kbuf(req, ret, sel->buf_list)); 666 + if (sel) 667 + cflags = io_put_kbuf(req, ret, sel->buf_list); 668 + io_req_set_res(req, final_ret, cflags); 665 669 io_req_rw_cleanup(req, issue_flags); 666 670 return IOU_COMPLETE; 667 671 } else {
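Review bot: In io_uring/register.c, at the block removed around line 424, the same-size shortcut goes away without any replacement comment, so the code no longer says why a request with unchanged sq_entries and cq_entries must still run through rings_size() and the rest of the resize path. A one-line comment above the rings_size() call stating that equal sizes do not mean there is nothing to do (the commit title refers to unexpected placement on same-size resizing) would keep the early return from being reintroduced as an optimisation.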
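Review bot: In io_uring/register.c, in the copy_to_user() failure branch at line 616, guard(mutex)(&ctx->mmap_lock) is taken only on this error path, and nothing in the hunk says what the lock protects ctx->param_region against. Please add a short comment on that, and confirm that every other io_free_region() call on ctx->param_region also holds mmap_lock; a lockdep assertion in the free path would make the rule checkable. The scope-based guard is dropped at return -EFAULT, so the locking in this branch is balanced.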
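Review bot: In io_uring/rw.c, the restored condition on line 545 has no comment explaining why -EOPNOTSUPP is treated as reissuable alongside -EAGAIN. The merge message ties the removal of this check to a write regression on LVM while a snapshot is being created, so a comment naming that case above the if would protect the check from being dropped again.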
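Review bot: In io_uring/rw.c, in the completion branch at lines 666-668, a NULL sel now skips io_put_kbuf() and completes the request with cflags = 0, but nothing states when sel can legitimately be NULL here or that no selected buffer needs to be put in that case. Please document the NULL case next to the if (sel) check, or assert that the request holds no selected buffer when sel is NULL, so the fix for the NULL dereference does not hide a missed buffer put.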