Commit e344eb7b authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'io_uring-6.3-2023-03-24' of git://git.kernel.dk/linux 

Pull io_uring fixes from Jens Axboe:

 - Fix an issue with repeated -ECONNREFUSED on a socket (me)

 - Fix a NULL pointer deference due to a stale lookup cache for
   allocating direct descriptors (Savino)

* tag 'io_uring-6.3-2023-03-24' of git://git.kernel.dk/linux:
  io_uring/rsrc: fix null-ptr-deref in io_file_bitmap_get()
  io_uring/net: avoid sending -ECONNABORTED on repeated connection requests
parents fd3d06ff 02a4d923

io_uring/filetable.c

+3 −0
Original line number Diff line number Diff line
@@ -19,6 +19,9 @@ static int io_file_bitmap_get(struct io_ring_ctx *ctx) 
	unsigned long nr = ctx->file_alloc_end;

	int ret;



	if (!table->bitmap)

		return -ENFILE;



	do {

		ret = find_next_zero_bit(table->bitmap, nr, table->alloc_hint);

		if (ret != nr)

io_uring/net.c

+16 −9
Original line number Diff line number Diff line
@@ -47,6 +47,7 @@ struct io_connect { 
	struct sockaddr __user		*addr;

	int				addr_len;

	bool				in_progress;

	bool				seen_econnaborted;

};



struct io_sr_msg {
@@ -1424,7 +1425,7 @@ int io_connect_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe) 


	conn->addr = u64_to_user_ptr(READ_ONCE(sqe->addr));

	conn->addr_len =  READ_ONCE(sqe->addr2);

	conn->in_progress = false;

	conn->in_progress = conn->seen_econnaborted = false;

	return 0;

}
@@ -1461,10 +1462,17 @@ int io_connect(struct io_kiocb *req, unsigned int issue_flags) 


	ret = __sys_connect_file(req->file, &io->address,

					connect->addr_len, file_flags);

	if ((ret == -EAGAIN || ret == -EINPROGRESS) && force_nonblock) {

	if ((ret == -EAGAIN || ret == -EINPROGRESS || ret == -ECONNABORTED)

	    && force_nonblock) {

		if (ret == -EINPROGRESS) {

			connect->in_progress = true;

		} else {

			return -EAGAIN;

		}

		if (ret == -ECONNABORTED) {

			if (connect->seen_econnaborted)

				goto out;

			connect->seen_econnaborted = true;

		}

		if (req_has_async_data(req))

			return -EAGAIN;

		if (io_alloc_async_data(req)) {
@@ -1472,7 +1480,6 @@ int io_connect(struct io_kiocb *req, unsigned int issue_flags) 
			goto out;

		}

		memcpy(req->async_data, &__io, sizeof(__io));

		}

		return -EAGAIN;

	}

	if (ret == -ERESTARTSYS)

io_uring/rsrc.c

+1 −0
Original line number Diff line number Diff line
@@ -794,6 +794,7 @@ void __io_sqe_files_unregister(struct io_ring_ctx *ctx) 
	}

#endif

	io_free_file_tables(&ctx->file_table);

	io_file_table_set_alloc_range(ctx, 0, 0);

	io_rsrc_data_free(ctx->file_data);

	ctx->file_data = NULL;

	ctx->nr_user_files = 0;