Hi Linus,

A few different things in here. Seems like syzbot got some more io_uring
bits wired up, and we got a handful of reports and the associated fixes
are in here. General fixes too, and a lot of them marked for stable.

Lastly, a bit of fallout from the async buffered reads, where we now
more easily trigger short reads. Some applications don't really like
that, so the io_read() code now handles short reads internally, and got
a cleanup along the way so that it's now easier to read (and
documented). We're now passing tests that failed with current -git.

In detail:

- Fail read/writes if no ->read/write or iter based versions exist.
  (Guoyu)

- Cleanups based on the wait_on_page_bit_common() rewrite

- Add comments explaining the task_work based flow

- Use TWA_SIGNAL for everything. This comes with a fix from Oleg that
  ensures that repeated task_work_add(..., TWA_SIGNAL) isn't overly
  expensive. The 5.8 eventfd fix that drove the addition of TWA_SIGNAL
  has counterparts that can trigger without eventfd, so this removes
  the eventfd check and just does it unconditionally. Thanks to Peter
  Zijlstra, Oleg Nesterov, and Jann Horn for helping get this done.

- syzbot related fixes:
    - Recursive locking for overflows with links
    - File table dropping fix
    - Hold 'ctx' ref around task_work
    - Double poll issue

- Netty implementation found two bugs, fixes:
    - Enable cancellation of 'head' link of file table grabbing
      requests
    - TWA_SIGNAL change

- Fix a regression with RWF_NOWAIT now triggering read-ahead, whereas
  before it did not.

- Handling of short page cache reads, by cleaning up io_read() and
  having the iov_iter be persistent across retries. As a nice side
  effect, this is also more efficient internally, and now io_read() has
  a codeflow that is actually readable. Similarly, having a persistent
  struct iov_iter instead of maintaining separate state is a lot less
  error prone too, and eliminates magic storing/restoring of said
  state. Thanks a lot to Andres Freund for diligently testing this
  change.

Please pull!


The following changes since commit e4cbce4d131753eca271d9d67f58c6377f27ad21:

  Merge tag 'sched-core-2020-08-03' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip (2020-08-03 14:58:38 -0700)

are available in the Git repository at:

  git://git.kernel.dk/linux-block.git tags/io_uring-5.9-2020-08-15

for you to fetch changes up to f91daf565b0e272a33bd3fcd19eaebd331c5cffd:

  io_uring: short circuit -EAGAIN for blocking read attempt (2020-08-15 15:58:42 -0700)

----------------------------------------------------------------
io_uring-5.9-2020-08-15

----------------------------------------------------------------
Guoyu Huang (1):
      io_uring: Fix NULL pointer dereference in loop_rw_iter()

Jens Axboe (17):
      io_uring: io_async_buf_func() need not test page bit
      io_uring: add comments on how the async buffered read retry works
      io_uring: set ctx sq/cq entry count earlier
      io_uring: account locked memory before potential error case
      io_uring: use TWA_SIGNAL for task_work uncondtionally
      io_uring: fix recursive completion locking on oveflow flush
      io_uring: add missing REQ_F_COMP_LOCKED for nested requests
      io_uring: defer file table grabbing request cleanup for locked requests
      fs: RWF_NOWAIT should imply IOCB_NOIO
      io_uring: hold 'ctx' reference around task_work queue + execute
      io_uring: fail poll arm on queue proc failure
      io_uring: enable lookup of links holding inflight files
      task_work: only grab task signal lock when needed
      io_uring: retain iov_iter state over io_read/io_write calls
      io_uring: internally retry short reads
      io_uring: sanitize double poll handling
      io_uring: short circuit -EAGAIN for blocking read attempt

 fs/io_uring.c      | 539 ++++++++++++++++++++++++++++++++++++++---------------
 include/linux/fs.h |   2 +-
 kernel/signal.c    |  16 +-
 kernel/task_work.c |   8 +-
 4 files changed, 409 insertions(+), 156 deletions(-)

-- 
Jens Axboe