From a678669511b1d3b26469ad530ba9cfc83a7159e1 Mon Sep 17 00:00:00 2001 From: Zhang Enpei Date: Wed, 2 Jul 2025 12:11:03 +0800 Subject: [PATCH 1/2] io_uring/rw: split io_read() into a helper commit 6c27fc6a783c8a77c756dd5461b15e465020d075 upstream. Commit a08d195b586a217d76b42062f88f375a3eedda4d upstream. Add __io_read() which does the grunt of the work, leaving the completion side to the new io_read(). No functional changes in this patch. Reviewed-by: Gabriel Krisman Bertazi Signed-off-by: Jens Axboe (cherry picked from commit a08d195b586a217d76b42062f88f375a3eedda4d) Signed-off-by: Greg Kroah-Hartman Fixes: CVE-2023-52926 Signed-off-by: Enpei Zhang Signed-off-by: Wenya Zhang Reviewed-by: Xuexin Jiang --- io_uring/rw.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/io_uring/rw.c b/io_uring/rw.c index 0a0c1c9db0f9..8f3a66a781dd 100644 --- a/io_uring/rw.c +++ b/io_uring/rw.c @@ -712,7 +712,7 @@ static int io_rw_init_file(struct io_kiocb *req, fmode_t mode) return 0; } -int io_read(struct io_kiocb *req, unsigned int issue_flags) +static int __io_read(struct io_kiocb *req, unsigned int issue_flags) { struct io_rw *rw = io_kiocb_to_cmd(req, struct io_rw); struct io_rw_state __s, *s = &__s; @@ -857,7 +857,18 @@ int io_read(struct io_kiocb *req, unsigned int issue_flags) /* it's faster to check here then delegate to kfree */ if (iovec) kfree(iovec); - return kiocb_done(req, ret, issue_flags); + return ret; +} + +int io_read(struct io_kiocb *req, unsigned int issue_flags) +{ + int ret; + + ret = __io_read(req, issue_flags); + if (ret >= 0) + return kiocb_done(req, ret, issue_flags); + + return ret; } int io_write(struct io_kiocb *req, unsigned int issue_flags) -- Gitee From 922c81bb2538c696be7e772b6f9941a94cb67784 Mon Sep 17 00:00:00 2001 From: Zhang Enpei Date: Wed, 2 Jul 2025 12:11:04 +0800 Subject: [PATCH 2/2] io_uring/rw: treat -EOPNOTSUPP for IOCB_NOWAIT like -EAGAIN commit 41928840172e0755509da4641955d477612f6781 upstream. Commit c0a9d496e0fece67db777bd48550376cf2960c47 upstream. Some file systems, ocfs2 in this case, will return -EOPNOTSUPP for an IOCB_NOWAIT read/write attempt. While this can be argued to be correct, the usual return value for something that requires blocking issue is -EAGAIN. A refactoring io_uring commit dropped calling kiocb_done() for negative return values, which is otherwise where we already do that transformation. To ensure we catch it in both spots, check it in __io_read() itself as well. Reported-by: Robert Sander Link: https://fosstodon.org/@gurubert@mastodon.gurubert.de/113112431889638440 Cc: stable@vger.kernel.org Fixes: a08d195b586a ("io_uring/rw: split io_read() into a helper") Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman Fixes: CVE-2023-52926 Signed-off-by: Enpei Zhang Signed-off-by: Wenya Zhang Reviewed-by: Xuexin Jiang --- io_uring/rw.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/io_uring/rw.c b/io_uring/rw.c index 8f3a66a781dd..bf0b862866ef 100644 --- a/io_uring/rw.c +++ b/io_uring/rw.c @@ -778,6 +778,14 @@ static int __io_read(struct io_kiocb *req, unsigned int issue_flags) ret = io_iter_do_read(rw, &s->iter); + /* + * Some file systems like to return -EOPNOTSUPP for an IOCB_NOWAIT + * issue, even though they should be returning -EAGAIN. To be safe, + * retry from blocking context for either. + */ + if (ret == -EOPNOTSUPP && force_nonblock) + ret = -EAGAIN; + if (ret == -EAGAIN || (req->flags & REQ_F_REISSUE)) { req->flags &= ~REQ_F_REISSUE; /* if we can poll, just do that */ -- Gitee