Hi Greg,
As mentioned, two of them could be discarded. Here are the 4 that should
indeed get applied, ported to 5.10/15 stable and tested. The series
applies cleanly to both trees, so just sending one set rather than applying
to the individual "failed to apply" emails.
--
Jens Axboe
From 847059841bf49921adc58c31b910b52e46568e3e Mon Sep 17 00:00:00 2001
From: Jens Axboe <axboe@xxxxxxxxx>
Date: Sun, 22 Jan 2023 10:36:37 -0700
Subject: [PATCH 3/4] io_uring/rw: ensure kiocb_end_write() is always called
commit 2ec33a6c3cca9fe2465e82050c81f5ffdc508b36 upstream.
A previous commit moved the notifications and end-write handling, but
it is now missing a few spots where we also want to call both of those.
Without that, we can potentially be missing file notifications, and
more importantly, have an imbalance in the super_block writers sem
accounting.
Fixes: b000145e9907 ("io_uring/rw: defer fsnotify calls to task context")
Reported-by: Dave Chinner <david@xxxxxxxxxxxxx>
Link: https://lore.kernel.org/all/20221010050319.GC2703033@xxxxxxxxxxxxxxxxxxx/
Signed-off-by: Jens Axboe <axboe@xxxxxxxxx>
---
io_uring/io_uring.c | 57 +++++++++++++++++++++++++++++----------------
1 file changed, 37 insertions(+), 20 deletions(-)
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 15d9d9288d27..2e2559c82507 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -2703,11 +2703,34 @@ static bool io_rw_should_reissue(struct io_kiocb *req)
}
#endif
+/*
+ * Trigger the notifications after having done some IO, and finish the write
+ * accounting, if any.
+ */
+static void io_req_io_end(struct io_kiocb *req)
+{
+ struct io_rw *rw = &req->rw;
+
+ WARN_ON(!in_task());
+
+ if (rw->kiocb.ki_flags & IOCB_WRITE) {
+ kiocb_end_write(req);
+ fsnotify_modify(req->file);
+ } else {
+ fsnotify_access(req->file);
+ }
+}
+
static bool __io_complete_rw_common(struct io_kiocb *req, long res)
{
if (res != req->result) {
if ((res == -EAGAIN || res == -EOPNOTSUPP) &&
io_rw_should_reissue(req)) {
+ /*
+ * Reissue will start accounting again, finish the
+ * current cycle.
+ */
+ io_req_io_end(req);
req->flags |= REQ_F_REISSUE;
return true;
}
@@ -2749,25 +2772,9 @@ static void io_req_task_complete(struct io_kiocb *req, bool *locked)
}
}
-static void __io_complete_rw(struct io_kiocb *req, long res, long res2,
- unsigned int issue_flags)
-{
- if (__io_complete_rw_common(req, res))
- return;
- __io_req_complete(req, issue_flags, io_fixup_rw_res(req, res), io_put_rw_kbuf(req));
-}
-
static void io_req_rw_complete(struct io_kiocb *req, bool *locked)
{
- struct io_rw *rw = &req->rw;
-
- if (rw->kiocb.ki_flags & IOCB_WRITE) {
- kiocb_end_write(req);
- fsnotify_modify(req->file);
- } else {
- fsnotify_access(req->file);
- }
-
+ io_req_io_end(req);
io_req_task_complete(req, locked);
}
@@ -3036,10 +3043,20 @@ static void kiocb_done(struct kiocb *kiocb, ssize_t ret,
if (req->flags & REQ_F_CUR_POS)
req->file->f_pos = kiocb->ki_pos;
- if (ret >= 0 && (kiocb->ki_complete == io_complete_rw))
- __io_complete_rw(req, ret, 0, issue_flags);
- else
+ if (ret >= 0 && (kiocb->ki_complete == io_complete_rw)) {
+ if (!__io_complete_rw_common(req, ret)) {
+ /*
+ * Safe to call io_end from here as we're inline
+ * from the submission path.
+ */
+ io_req_io_end(req);
+ __io_req_complete(req, issue_flags,
+ io_fixup_rw_res(req, ret),
+ io_put_rw_kbuf(req));
+ }
+ } else {
io_rw_done(kiocb, ret);
+ }
if (req->flags & REQ_F_REISSUE) {
req->flags &= ~REQ_F_REISSUE;
--
2.39.0
From 25143ba20b82094e275abe38b44b7e1ade886a92 Mon Sep 17 00:00:00 2001
From: Pavel Begunkov <asml.silence@xxxxxxxxx>
Date: Sun, 22 Jan 2023 10:24:20 -0700
Subject: [PATCH 2/4] io_uring: fix double poll leak on repolling
commit c0737fa9a5a5cf5a053bcc983f72d58919b997c6 upstream.
We have re-polling for partial IO, so a request can be polled twice. If
it used two poll entries the first time then on the second
io_arm_poll_handler() it will find the old apoll entry and NULL
kmalloc()'ed second entry, i.e. apoll->double_poll, so leaking it.
Fixes: 10c873334feba ("io_uring: allow re-poll if we made progress")
Signed-off-by: Pavel Begunkov <asml.silence@xxxxxxxxx>
Link: https://lore.kernel.org/r/fee2452494222ecc7f1f88c8fb659baef971414a.1655852245.git.asml.silence@xxxxxxxxx
Signed-off-by: Jens Axboe <axboe@xxxxxxxxx>
---
io_uring/io_uring.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 24639c4fa538..15d9d9288d27 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -5895,10 +5895,12 @@ static int io_arm_poll_handler(struct io_kiocb *req)
mask |= POLLOUT | POLLWRNORM;
}
- if (req->flags & REQ_F_POLLED)
+ if (req->flags & REQ_F_POLLED) {
apoll = req->apoll;
- else
+ kfree(apoll->double_poll);
+ } else {
apoll = kmalloc(sizeof(*apoll), GFP_ATOMIC);
+ }
if (unlikely(!apoll))
return IO_APOLL_ABORTED;
apoll->double_poll = NULL;
--
2.39.0
From f79aabb5fcef594b03b9c7d790640833d95b0604 Mon Sep 17 00:00:00 2001
From: Alviro Iskandar Setiawan <alviro.iskandar@xxxxxxxxx>
Date: Mon, 7 Feb 2022 21:05:33 +0700
Subject: [PATCH 1/4] io_uring: Clean up a false-positive warning from GCC
9.3.0
commit 0d7c1153d9291197c1dc473cfaade77acb874b4b upstream.
In io_recv(), if import_single_range() fails, the @flags variable is
uninitialized, then it will goto out_free.
After the goto, the compiler doesn't know that (ret < min_ret) is
always true, so it thinks the "if ((flags & MSG_WAITALL) ..." path
could be taken.
The complaint comes from gcc-9 (Debian 9.3.0-22) 9.3.0:
```
fs/io_uring.c:5238 io_recvfrom() error: uninitialized symbol 'flags'
```
Fix this by bypassing the @ret and @flags check when
import_single_range() fails.
Reasons:
1. import_single_range() only returns -EFAULT when it fails.
2. At that point, @flags is uninitialized and shouldn't be read.
Reported-by: kernel test robot <lkp@xxxxxxxxx>
Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Reported-by: "Chen, Rong A" <rong.a.chen@xxxxxxxxx>
Link: https://lore.gnuweeb.org/timl/d33bb5a9-8173-f65b-f653-51fc0681c6d6@xxxxxxxxx/
Cc: Pavel Begunkov <asml.silence@xxxxxxxxx>
Suggested-by: Ammar Faizi <ammarfaizi2@xxxxxxxxxxx>
Fixes: 7297ce3d59449de49d3c9e1f64ae25488750a1fc ("io_uring: improve send/recv error handling")
Signed-off-by: Alviro Iskandar Setiawan <alviro.iskandar@xxxxxxxxx>
Signed-off-by: Ammar Faizi <ammarfaizi2@xxxxxxxxxxx>
Link: https://lore.kernel.org/r/20220207140533.565411-1-ammarfaizi2@xxxxxxxxxxx
Signed-off-by: Jens Axboe <axboe@xxxxxxxxx>
---
io_uring/io_uring.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 78ed38d778f8..24639c4fa538 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -5239,7 +5239,6 @@ static int io_recv(struct io_kiocb *req, unsigned int issue_flags)
min_ret = iov_iter_count(&msg.msg_iter);
ret = sock_recvmsg(sock, &msg, flags);
-out_free:
if (ret < min_ret) {
if (ret == -EAGAIN && force_nonblock)
return -EAGAIN;
@@ -5254,6 +5253,7 @@ static int io_recv(struct io_kiocb *req, unsigned int issue_flags)
}
req_set_fail(req);
} else if ((flags & MSG_WAITALL) && (msg.msg_flags & (MSG_TRUNC | MSG_CTRUNC))) {
+out_free:
req_set_fail(req);
}
if (req->flags & REQ_F_BUFFER_SELECTED)
--
2.39.0
From e07a8781fe8045af3b8b277aaae735a8f4011b09 Mon Sep 17 00:00:00 2001
From: Jens Axboe <axboe@xxxxxxxxx>
Date: Sun, 16 Oct 2022 17:24:10 -0600
Subject: [PATCH 4/4] io_uring/rw: remove leftover debug statement
commit 5c61795ea97c170347c5c4af0c159bd877b8af71 upstream.
This debug statement was never meant to go into the upstream release,
kill it off before it ends up in a release. It was just part of the
testing for the initial version of the patch.
Fixes: 2ec33a6c3cca ("io_uring/rw: ensure kiocb_end_write() is always called")
Signed-off-by: Jens Axboe <axboe@xxxxxxxxx>
---
io_uring/io_uring.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 2e2559c82507..a866111aef3f 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -2711,8 +2711,6 @@ static void io_req_io_end(struct io_kiocb *req)
{
struct io_rw *rw = &req->rw;
- WARN_ON(!in_task());
-
if (rw->kiocb.ki_flags & IOCB_WRITE) {
kiocb_end_write(req);
fsnotify_modify(req->file);
--
2.39.0
