iov_iter_revert() doesn't go well with iov_iter_truncate() in all cases, see 2/2 for the bug description. As mentioned there the current problems is because of generic_write_checks(), but there was also a similar case fixed in 5.12, which should have been triggerable by normal write(2)/read(2) and others. It may be better to enforce reexpands as a long term solution, but for now this patchset is quickier and easier to backport. v2: don't fail if it was justly fully reverted v3: use truncated size + reexapand based approach Pavel Begunkov (2): iov_iter: track truncated size io_uring: reexpand under-reexpanded iters fs/io_uring.c | 2 ++ include/linux/uio.h | 6 +++++- 2 files changed, 7 insertions(+), 1 deletion(-) -- 2.32.0
