From 0ca286477b5e2dc9a00ccd3ab1eaceb9fda4be06 Mon Sep 17 00:00:00 2001 From: Jens Axboe Date: Fri, 3 Oct 2025 07:22:02 -0600 Subject: [PATCH 1/5] io_uring: update liburing git URL Change the liburing git URL to point to the git.kernel.org servers, rather than my private git.kernel.dk server. Due to continued AI scraping of cgit etc, it's becoming quite the chore to maintain a private git server. Signed-off-by: Jens Axboe --- io_uring/io_uring.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index 49ebdeb5b2d9..820ef0527666 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -29,7 +29,7 @@ * * Also see the examples in the liburing library: * - * git://git.kernel.dk/liburing + * git://git.kernel.org/pub/scm/linux/kernel/git/axboe/liburing.git * * io_uring also uses READ/WRITE_ONCE() for _any_ store or load that happens * from data shared between the kernel and application. This is done both From 2f8229d53d984c6a05b71ac9e9583d4354e3b91f Mon Sep 17 00:00:00 2001 From: Jens Axboe Date: Tue, 7 Oct 2025 07:46:00 -0600 Subject: [PATCH 2/5] io_uring/waitid: always prune wait queue entry in io_waitid_wait() For a successful return, always remove our entry from the wait queue entry list. Previously this was skipped if a cancelation was in progress, but this can race with another invocation of the wait queue entry callback. Cc: stable@vger.kernel.org Fixes: f31ecf671ddc ("io_uring: add IORING_OP_WAITID support") Reported-by: syzbot+b9e83021d9c642a33d8c@syzkaller.appspotmail.com Tested-by: syzbot+b9e83021d9c642a33d8c@syzkaller.appspotmail.com Link: https://lore.kernel.org/io-uring/68e5195e.050a0220.256323.001f.GAE@google.com/ Signed-off-by: Jens Axboe --- io_uring/waitid.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/io_uring/waitid.c b/io_uring/waitid.c index 26c118f3918d..f25110fb1b12 100644 --- a/io_uring/waitid.c +++ b/io_uring/waitid.c @@ -230,13 +230,14 @@ static int io_waitid_wait(struct wait_queue_entry *wait, unsigned mode, if (!pid_child_should_wake(wo, p)) return 0; + list_del_init(&wait->entry); + /* cancel is in progress */ if (atomic_fetch_inc(&iw->refs) & IO_WAITID_REF_MASK) return 1; req->io_task_work.func = io_waitid_cb; io_req_task_work_add(req); - list_del_init(&wait->entry); return 1; } From beb97995b97532e1f215e3295e6843e59862f94b Mon Sep 17 00:00:00 2001 From: Haiyue Wang Date: Tue, 7 Oct 2025 14:18:18 +0800 Subject: [PATCH 3/5] io_uring: use tab indentation for IORING_SEND_VECTORIZED comment Be consistent with tab style of "liburing/src/include/liburing/io_uring.h". Signed-off-by: Haiyue Wang Signed-off-by: Jens Axboe --- include/uapi/linux/io_uring.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/uapi/linux/io_uring.h b/include/uapi/linux/io_uring.h index a0cc1cc0dd01..263bed13473e 100644 --- a/include/uapi/linux/io_uring.h +++ b/include/uapi/linux/io_uring.h @@ -404,7 +404,7 @@ enum io_uring_op { * will be contiguous from the starting buffer ID. * * IORING_SEND_VECTORIZED If set, SEND[_ZC] will take a pointer to a io_vec - * to allow vectorized send operations. + * to allow vectorized send operations. */ #define IORING_RECVSEND_POLL_FIRST (1U << 0) #define IORING_RECV_MULTISHOT (1U << 1) From 09cfd3c52ea76f43b3cb15e570aeddf633d65e80 Mon Sep 17 00:00:00 2001 From: Pavel Begunkov Date: Wed, 8 Oct 2025 13:38:06 +0100 Subject: [PATCH 4/5] io_uring/zcrx: fix overshooting recv limit It's reported that sometimes a zcrx request can receive more than was requested. It's caused by io_zcrx_recv_skb() adjusting desc->count for all received buffers including frag lists, but then doing recursive calls to process frag list skbs, which leads to desc->count double accounting and underflow. Reported-and-tested-by: Matthias Jasny Fixes: 6699ec9a23f85 ("io_uring/zcrx: add a read limit to recvzc requests") Cc: stable@vger.kernel.org Signed-off-by: Pavel Begunkov Signed-off-by: Jens Axboe --- io_uring/zcrx.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/io_uring/zcrx.c b/io_uring/zcrx.c index 723e4266b91f..ef73440b605a 100644 --- a/io_uring/zcrx.c +++ b/io_uring/zcrx.c @@ -1236,12 +1236,16 @@ io_zcrx_recv_skb(read_descriptor_t *desc, struct sk_buff *skb, end = start + frag_iter->len; if (offset < end) { + size_t count; + copy = end - offset; if (copy > len) copy = len; off = offset - start; + count = desc->count; ret = io_zcrx_recv_skb(desc, frag_iter, off, copy); + desc->count = count; if (ret < 0) goto out; From e9a9dcb4ccb32446165800a9d83058e95c4833d2 Mon Sep 17 00:00:00 2001 From: Pavel Begunkov Date: Wed, 8 Oct 2025 13:39:01 +0100 Subject: [PATCH 5/5] io_uring/zcrx: increment fallback loop src offset Don't forget to adjust the source offset in io_copy_page(), otherwise it'll be copying into the same location in some cases for highmem setups. Fixes: e67645bb7f3f4 ("io_uring/zcrx: prepare fallback for larger pages") Signed-off-by: Pavel Begunkov Signed-off-by: Jens Axboe --- io_uring/zcrx.c | 1 + 1 file changed, 1 insertion(+) diff --git a/io_uring/zcrx.c b/io_uring/zcrx.c index ef73440b605a..a816f5902091 100644 --- a/io_uring/zcrx.c +++ b/io_uring/zcrx.c @@ -1079,6 +1079,7 @@ static ssize_t io_copy_page(struct io_copy_cache *cc, struct page *src_page, cc->size -= n; cc->offset += n; + src_offset += n; len -= n; copied += n; }