
Commit 9223e74

committed
Merge tag 'io_uring-5.10-2020-11-27' of git://git.kernel.dk/linux-block
Pull io_uring fixes from Jens Axboe: - Out of bounds fix for the cq size cap from earlier this release (Joseph) - iov_iter type check fix (Pavel) - Files grab + cancelation fix (Pavel) * tag 'io_uring-5.10-2020-11-27' of git://git.kernel.dk/linux-block: io_uring: fix files grab/cancel race io_uring: fix ITER_BVEC check io_uring: fix shift-out-of-bounds when round up cq size
2 parents d021c3e + af60470 commit 9223e74

1 file changed

Lines changed: 20 additions & 19 deletions


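--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -1313,22 +1313,6 @@ static bool io_grab_identity(struct io_kiocb *req)
 return false;
 req->work.flags |= IO_WQ_WORK_FSIZE;
 }
-
-if (!(req->work.flags & IO_WQ_WORK_FILES) &&
-(def->work_flags & IO_WQ_WORK_FILES) &&
-!(req->flags & REQ_F_NO_FILE_TABLE)) {
-if (id->files != current->files ||
-id->nsproxy != current->nsproxy)
-return false;
-atomic_inc(&id->files->count);
-get_nsproxy(id->nsproxy);
-req->flags |= REQ_F_INFLIGHT;
-
-spin_lock_irq(&ctx->inflight_lock);
-list_add(&req->inflight_entry, &ctx->inflight_list);
-spin_unlock_irq(&ctx->inflight_lock);
-req->work.flags |= IO_WQ_WORK_FILES;
-}
 #ifdef CONFIG_BLK_CGROUP
 if (!(req->work.flags & IO_WQ_WORK_BLKCG) &&
 (def->work_flags & IO_WQ_WORK_BLKCG)) {
@@ -1370,6 +1354,21 @@ static bool io_grab_identity(struct io_kiocb *req)
 }
 spin_unlock(&current->fs->lock);
 }
+if (!(req->work.flags & IO_WQ_WORK_FILES) &&
+(def->work_flags & IO_WQ_WORK_FILES) &&
+!(req->flags & REQ_F_NO_FILE_TABLE)) {
+if (id->files != current->files ||
+id->nsproxy != current->nsproxy)
+return false;
+atomic_inc(&id->files->count);
+get_nsproxy(id->nsproxy);
+req->flags |= REQ_F_INFLIGHT;
+
+spin_lock_irq(&ctx->inflight_lock);
+list_add(&req->inflight_entry, &ctx->inflight_list);
+spin_unlock_irq(&ctx->inflight_lock);
+req->work.flags |= IO_WQ_WORK_FILES;
+}
 
 return true;
 }
@@ -3193,7 +3192,7 @@ static void io_req_map_rw(struct io_kiocb *req, const struct iovec *iovec,
 rw->free_iovec = iovec;
 rw->bytes_done = 0;
 /* can only be fixed buffers, no need to do anything */
-if (iter->type == ITER_BVEC)
+if (iov_iter_is_bvec(iter))
 return;
 if (!iovec) {
 unsigned iov_off = 0;
@@ -9252,14 +9251,16 @@ static int io_uring_create(unsigned entries, struct io_uring_params *p,
 * to a power-of-two, if it isn't already. We do NOT impose
 * any cq vs sq ring sizing.
 */
-p->cq_entries = roundup_pow_of_two(p->cq_entries);
-if (p->cq_entries < p->sq_entries)
+if (!p->cq_entries)
 return -EINVAL;
 if (p->cq_entries > IORING_MAX_CQ_ENTRIES) {
 if (!(p->flags & IORING_SETUP_CLAMP))
 return -EINVAL;
 p->cq_entries = IORING_MAX_CQ_ENTRIES;
 }
+p->cq_entries = roundup_pow_of_two(p->cq_entries);
+if (p->cq_entries < p->sq_entries)
+return -EINVAL;
 } else {
 p->cq_entries = 2 * p->sq_entries;
 }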
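Review bot: The relocated `IO_WQ_WORK_FILES` block at the end of `io_grab_identity()` (second hunk) carries an ordering requirement that nothing in the code states. It sets `REQ_F_INFLIGHT` and links the request into `ctx->inflight_list`, so it appears to be placed last so that no later `return false` can follow once the request is visible on that list. A future grab added below it would quietly bring back the grab/cancel race named in the commit message. I would put a comment above the `if`, for example `/* Grab files last: after list_add() to ->inflight_list the request is visible to cancelation, so no step below may fail. */`. The function starts above the first hunk and its middle is not shown, so this reading rests on the visible lines and the commit title.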
