5.10 / 5.15 stable inclusion request

public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed

* 5.10 / 5.15 stable inclusion request
@ 2026-03-13 22:00 Jens Axboe
  2026-04-13 15:06 ` Greg Kroah-Hartman
  0 siblings, 1 reply; 2+ messages in thread
From: Jens Axboe @ 2026-03-13 22:00 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman

[-- Attachment #1: Type: text/plain, Size: 328 bytes --]

Hi,

Looks like the backport of:

Fixes: 84230ad2d2af ("io_uring/poll: correctly handle io_poll_add() return value on update")

to 5.10-stable and 5.15-stable were missed, probably by me. In any case,
here's a backport, please add to the 5.10/5.15 stable queues. No rush,
just for whatever is the next release.

-- 
Jens Axboe


[-- Attachment #2: 0001-io_uring-poll-correctly-handle-io_poll_add-return-va.patch --]
[-- Type: text/x-patch, Size: 3347 bytes --]

From 371526a85a9b24970036b10365d5b0a9c6021fb9 Mon Sep 17 00:00:00 2001
From: Jens Axboe <axboe@kernel.dk>
Date: Fri, 13 Mar 2026 15:50:21 -0600
Subject: [PATCH] io_uring/poll: correctly handle io_poll_add() return value on
 update

Commit 84230ad2d2afbf0c44c32967e525c0ad92e26b4e upstream.

When the core of io_uring was updated to handle completions
consistently and with fixed return codes, the POLL_REMOVE opcode
with updates got slightly broken. If a POLL_ADD is pending and
then POLL_REMOVE is used to update the events of that request, if that
update causes the POLL_ADD to now trigger, then that completion is lost
and a CQE is never posted.

Additionally, ensure that if an update does cause an existing POLL_ADD
to complete, that the completion value isn't always overwritten with
-ECANCELED. For that case, whatever io_poll_add() set the value to
should just be retained.

Cc: stable@vger.kernel.org
Fixes: 97b388d70b53 ("io_uring: handle completions in the core")
Reported-by: syzbot+641eec6b7af1f62f2b99@syzkaller.appspotmail.com
Tested-by: syzbot+641eec6b7af1f62f2b99@syzkaller.appspotmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
---
 io_uring/io_uring.c | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index e5889ec0273f..ee4cb8742be6 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -6127,7 +6127,7 @@ static int io_poll_add_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe
 	return 0;
 }
 
-static int io_poll_add(struct io_kiocb *req, unsigned int issue_flags)
+static int __io_poll_add(struct io_kiocb *req, unsigned int issue_flags)
 {
 	struct io_poll_iocb *poll = &req->poll;
 	struct io_poll_table ipt;
@@ -6139,11 +6139,21 @@ static int io_poll_add(struct io_kiocb *req, unsigned int issue_flags)
 	if (!ret && ipt.error)
 		req_set_fail(req);
 	ret = ret ?: ipt.error;
-	if (ret)
+	if (ret > 0) {
 		__io_req_complete(req, issue_flags, ret, 0);
+		return ret;
+	}
 	return 0;
 }
 
+static int io_poll_add(struct io_kiocb *req, unsigned int issue_flags)
+{
+	int ret;
+
+	ret = __io_poll_add(req, issue_flags);
+	return ret < 0 ? ret : 0;
+}
+
 static int io_poll_update(struct io_kiocb *req, unsigned int issue_flags)
 {
 	struct io_ring_ctx *ctx = req->ctx;
@@ -6159,6 +6169,7 @@ static int io_poll_update(struct io_kiocb *req, unsigned int issue_flags)
 		ret = preq ? -EALREADY : -ENOENT;
 		goto out;
 	}
+	preq->result = -ECANCELED;
 	spin_unlock(&ctx->completion_lock);
 
 	if (req->poll_update.update_events || req->poll_update.update_user_data) {
@@ -6171,16 +6182,17 @@ static int io_poll_update(struct io_kiocb *req, unsigned int issue_flags)
 		if (req->poll_update.update_user_data)
 			preq->user_data = req->poll_update.new_user_data;
 
-		ret2 = io_poll_add(preq, issue_flags);
+		ret2 = __io_poll_add(preq, issue_flags);
 		/* successfully updated, don't complete poll request */
 		if (!ret2)
 			goto out;
+		preq->result = ret2;
+
 	}
-	req_set_fail(preq);
-	io_req_complete(preq, -ECANCELED);
+	if (preq->result < 0)
+		req_set_fail(preq);
+	io_req_complete(preq, preq->result);
 out:
-	if (ret < 0)
-		req_set_fail(req);
 	/* complete update request, we're done with it */
 	io_req_complete(req, ret);
 	io_ring_submit_unlock(ctx, !(issue_flags & IO_URING_F_NONBLOCK));
-- 
2.53.0


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: 5.10 / 5.15 stable inclusion request
  2026-03-13 22:00 5.10 / 5.15 stable inclusion request Jens Axboe
@ 2026-04-13 15:06 ` Greg Kroah-Hartman
  0 siblings, 0 replies; 2+ messages in thread
From: Greg Kroah-Hartman @ 2026-04-13 15:06 UTC (permalink / raw)
  To: Jens Axboe; +Cc: stable

On Fri, Mar 13, 2026 at 04:00:09PM -0600, Jens Axboe wrote:
> Hi,
> 
> Looks like the backport of:
> 
> Fixes: 84230ad2d2af ("io_uring/poll: correctly handle io_poll_add() return value on update")
> 
> to 5.10-stable and 5.15-stable were missed, probably by me. In any case,
> here's a backport, please add to the 5.10/5.15 stable queues. No rush,
> just for whatever is the next release.

Sorry for the delay, now queued up.

greg k-h

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-04-13 15:06 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-13 22:00 5.10 / 5.15 stable inclusion request Jens Axboe
2026-04-13 15:06 ` Greg Kroah-Hartman

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox