Commit e344eb7b authored by Linus Torvalds's avatar Linus Torvalds

Merge tag 'io_uring-6.3-2023-03-24' of git://git.kernel.dk/linux

Pull io_uring fixes from Jens Axboe:

 - Fix an issue with repeated -ECONNREFUSED on a socket (me)

 - Fix a NULL pointer deference due to a stale lookup cache for
   allocating direct descriptors (Savino)

* tag 'io_uring-6.3-2023-03-24' of git://git.kernel.dk/linux:
  io_uring/rsrc: fix null-ptr-deref in io_file_bitmap_get()
  io_uring/net: avoid sending -ECONNABORTED on repeated connection requests
parents fd3d06ff 02a4d923
......@@ -19,6 +19,9 @@ static int io_file_bitmap_get(struct io_ring_ctx *ctx)
unsigned long nr = ctx->file_alloc_end;
int ret;
if (!table->bitmap)
return -ENFILE;
do {
ret = find_next_zero_bit(table->bitmap, nr, table->alloc_hint);
if (ret != nr)
......
......@@ -47,6 +47,7 @@ struct io_connect {
struct sockaddr __user *addr;
int addr_len;
bool in_progress;
bool seen_econnaborted;
};
struct io_sr_msg {
......@@ -1424,7 +1425,7 @@ int io_connect_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
conn->addr = u64_to_user_ptr(READ_ONCE(sqe->addr));
conn->addr_len = READ_ONCE(sqe->addr2);
conn->in_progress = false;
conn->in_progress = conn->seen_econnaborted = false;
return 0;
}
......@@ -1461,10 +1462,17 @@ int io_connect(struct io_kiocb *req, unsigned int issue_flags)
ret = __sys_connect_file(req->file, &io->address,
connect->addr_len, file_flags);
if ((ret == -EAGAIN || ret == -EINPROGRESS) && force_nonblock) {
if ((ret == -EAGAIN || ret == -EINPROGRESS || ret == -ECONNABORTED)
&& force_nonblock) {
if (ret == -EINPROGRESS) {
connect->in_progress = true;
} else {
return -EAGAIN;
}
if (ret == -ECONNABORTED) {
if (connect->seen_econnaborted)
goto out;
connect->seen_econnaborted = true;
}
if (req_has_async_data(req))
return -EAGAIN;
if (io_alloc_async_data(req)) {
......@@ -1472,7 +1480,6 @@ int io_connect(struct io_kiocb *req, unsigned int issue_flags)
goto out;
}
memcpy(req->async_data, &__io, sizeof(__io));
}
return -EAGAIN;
}
if (ret == -ERESTARTSYS)
......
......@@ -794,6 +794,7 @@ void __io_sqe_files_unregister(struct io_ring_ctx *ctx)
}
#endif
io_free_file_tables(&ctx->file_table);
io_file_table_set_alloc_range(ctx, 0, 0);
io_rsrc_data_free(ctx->file_data);
ctx->file_data = NULL;
ctx->nr_user_files = 0;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment