<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/git/next/linux-next.git/io_uring, branch master</title>
<subtitle>The linux-next integration testing tree</subtitle>
<id>https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/atom?h=master</id>
<link rel='self' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/'/>
<updated>2026-07-07T00:50:19+00:00</updated>
<entry>
<title>Merge branch 'io_uring-7.2' into for-next</title>
<updated>2026-07-07T00:50:19+00:00</updated>
<author>
<name>Jens Axboe</name>
<email>axboe@kernel.dk</email>
</author>
<published>2026-07-07T00:50:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=54740e4c8c19f79156f228fb51e222ffc2a94ee0'/>
<id>urn:sha1:54740e4c8c19f79156f228fb51e222ffc2a94ee0</id>
<content type='text'>
* io_uring-7.2:
  io_uring: fix dangling iovec after provided-buffer bundle grow failure
</content>
</entry>
<entry>
<title>io_uring: fix dangling iovec after provided-buffer bundle grow failure</title>
<updated>2026-07-07T00:49:37+00:00</updated>
<author>
<name>Hao-Yu Yang</name>
<email>naup96721@gmail.com</email>
</author>
<published>2026-07-06T18:33:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=cd053d788c3f13b3eaf16672d427ee828fda16ed'/>
<id>urn:sha1:cd053d788c3f13b3eaf16672d427ee828fda16ed</id>
<content type='text'>
When growing a provided-buffer bundle, the old cached iovec is freed
before the new buffers have all been validated. If validation fails, the
request still points at the freed iovec, which can be freed again during
completion cleanup.

Fix this by deferring the free of the old cached iovec until validation
has succeeded. On failure, free the newly allocated iovec and leave the
request pointing at the original one.

Fixes: 46800585ae04 ("io_uring/kbuf: validate ring provided buffer addresses with access_ok()")
Signed-off-by: Hao-Yu Yang &lt;naup96721@gmail.com&gt;
Link: https://patch.msgid.link/20260706183304.919275-1-naup96721@gmail.com
Suggested-by: Jens Axboe &lt;axboe@kernel.dk&gt;
Signed-off-by: Jens Axboe &lt;axboe@kernel.dk&gt;
</content>
</entry>
<entry>
<title>Merge branch 'io_uring-7.2' into for-next</title>
<updated>2026-07-02T20:15:31+00:00</updated>
<author>
<name>Jens Axboe</name>
<email>axboe@kernel.dk</email>
</author>
<published>2026-07-02T20:15:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=39dffa2bee1ba8ed84b6befed3678a1040764ff2'/>
<id>urn:sha1:39dffa2bee1ba8ed84b6befed3678a1040764ff2</id>
<content type='text'>
* io_uring-7.2:
  io_uring/uring_cmd: fix uring_cmd.c comments
</content>
</entry>
<entry>
<title>io_uring/uring_cmd: fix uring_cmd.c comments</title>
<updated>2026-07-02T20:15:19+00:00</updated>
<author>
<name>Yang Xiuwei</name>
<email>yangxiuwei@kylinos.cn</email>
</author>
<published>2026-07-02T08:29:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=58481c749c976e81bef9a540e2225ddb021daaa6'/>
<id>urn:sha1:58481c749c976e81bef9a540e2225ddb021daaa6</id>
<content type='text'>
Fix "concelable" -&gt; "cancelable" in the comment above
io_uring_cmd_mark_cancelable(), and fix the memory ordering comment
in __io_uring_cmd_done() to reference io_do_iopoll() and
-&gt;iopoll_completed.

Signed-off-by: Yang Xiuwei &lt;yangxiuwei@kylinos.cn&gt;
Link: https://patch.msgid.link/20260702082937.3707134-3-yangxiuwei@kylinos.cn
Signed-off-by: Jens Axboe &lt;axboe@kernel.dk&gt;
</content>
</entry>
<entry>
<title>Merge branch 'io_uring-7.2' into for-next</title>
<updated>2026-07-01T11:42:17+00:00</updated>
<author>
<name>Jens Axboe</name>
<email>axboe@kernel.dk</email>
</author>
<published>2026-07-01T11:42:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=013b702bcb0d9c5a1dc679b5938860fe1d1dfaa7'/>
<id>urn:sha1:013b702bcb0d9c5a1dc679b5938860fe1d1dfaa7</id>
<content type='text'>
* io_uring-7.2:
  io_uring/msg_ring: reject CQE32 flag pass-through to normal rings
  io_uring/memmap: return -EINVAL from get_unmapped_area() on bad mmap
</content>
</entry>
<entry>
<title>io_uring/msg_ring: reject CQE32 flag pass-through to normal rings</title>
<updated>2026-07-01T11:39:26+00:00</updated>
<author>
<name>Melbin K Mathew</name>
<email>mlbnkm1@gmail.com</email>
</author>
<published>2026-07-01T08:11:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=15cd3ccf9b179f0f76948d0901be3b15028bc768'/>
<id>urn:sha1:15cd3ccf9b179f0f76948d0901be3b15028bc768</id>
<content type='text'>
IORING_OP_MSG_RING with IORING_MSG_RING_FLAGS_PASS allows a sender to
pass completion flags through sqe-&gt;file_index. If the sender sets
IORING_CQE_F_32 in file_index, the target-side completion path treats it
as a 32b CQE and writes big_cqe[0] and big_cqe[1] into the CQ ring
regardless of whether the target ring was created with
IORING_SETUP_CQE32 or IORING_SETUP_CQE_MIXED.

On a normal 16b CQE ring, this writes 16 extra bytes (two u64 big_cqe
fields) into the next CQE slot in the ring buffer. As the receiving ring
doesn't understand 32b CQEs, this is incorrect and they should be
rejected.

Fixes: cbeb47a7b5f0 ("io_uring/msg_ring: Pass custom flags to the cqe")
Signed-off-by: Melbin K Mathew &lt;mlbnkm1@gmail.com&gt;
Link: https://patch.msgid.link/20260701081145.196730-1-mlbnkm1@gmail.com
[axboe: edit commit message]
Signed-off-by: Jens Axboe &lt;axboe@kernel.dk&gt;
</content>
</entry>
<entry>
<title>io_uring/memmap: return -EINVAL from get_unmapped_area() on bad mmap</title>
<updated>2026-07-01T11:37:07+00:00</updated>
<author>
<name>Yi Xie</name>
<email>xieyi@kylinos.cn</email>
</author>
<published>2026-06-30T09:12:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=df645b745941ea829b39134ac342f730f4d9d978'/>
<id>urn:sha1:df645b745941ea829b39134ac342f730f4d9d978</id>
<content type='text'>
get_unmapped_area() returns -ENOMEM when io_uring_validate_mmap_request()
fails, but validation errors are -EINVAL. Propagate that errno to
userspace, like io_uring_mmap() already does.

Signed-off-by: Yi Xie &lt;xieyi@kylinos.cn&gt;
Link: https://patch.msgid.link/20260630091206.126206-1-xieyi@kylinos.cn
Signed-off-by: Jens Axboe &lt;axboe@kernel.dk&gt;
</content>
</entry>
<entry>
<title>io_uring: annotate remote tasks for kcoverage</title>
<updated>2026-06-30T23:32:26+00:00</updated>
<author>
<name>Robert Femmer</name>
<email>robert@fmmr.tech</email>
</author>
<published>2026-06-24T09:01:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=c905736a46892e4776efc7f50888d67715d6ec08'/>
<id>urn:sha1:c905736a46892e4776efc7f50888d67715d6ec08</id>
<content type='text'>
Fuzzers use coverage information to guide generation of test cases
towards new or interesting code paths. Syzkaller, specifically, makes
use kcoverage (CONFIG_KCOV). Coverage information is not collected for
kernel tasks unless annotated by kcov_remote_start and kcov_remote_stop.
This patch annotates io-uring's work queue and sqpoll tasks.

Depends-On: 20260430-kcov-refactor-common-handle-v1-1-23a0c7a0ba38@google.com
Signed-off-by: Robert Femmer &lt;robert@fmmr.tech&gt;
Signed-off-by: Jens Axboe &lt;axboe@kernel.dk&gt;
</content>
</entry>
<entry>
<title>Merge tag 'io_uring-7.2-20260625' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux</title>
<updated>2026-06-25T16:53:31+00:00</updated>
<author>
<name>Linus Torvalds</name>
<email>torvalds@linux-foundation.org</email>
</author>
<published>2026-06-25T16:53:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=c58ddac1aa507b71cb5a95a95c641bdd73a3f075'/>
<id>urn:sha1:c58ddac1aa507b71cb5a95a95c641bdd73a3f075</id>
<content type='text'>
Pull io_uring fixes from Jens Axboe:

 - Fix a file reference leak in the nop opcode when used with
   IOSQE_FIXED_FILE

 - Preserve the SQ array entries when resizing the ring via the register
   path

 - Preserve the partial result for an iopoll request rather than
   overwriting it

 - Don't audit log IORING_OP_RECV_ZC

 - Bound io_pin_pages() by the page array byte size in the memmap path

 - Follow-up cleanup to the task_work mpscq conversion, getting rid of
   the now-unnecessary tw_pending tracking for the !DEFER_TASKRUN path

 - Switch a system_unbound_wq user over to system_dfl_wq

* tag 'io_uring-7.2-20260625' of git://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux:
  io_uring/memmap: bound io_pin_pages() by page array byte size
  io_uring: Use system_dfl_wq instead of system_unbound_wq
  io_uring/register: preserve SQ array entries on resize
  io_uring, audit: don't log IORING_OP_RECV_ZC
  io_uring: get rid of tw_pending for !DEFER task work
  io_uring/rw: preserve partial result for iopoll
  io_uring/nop: fix file reference leak with IOSQE_FIXED_FILE
</content>
</entry>
<entry>
<title>io_uring/memmap: bound io_pin_pages() by page array byte size</title>
<updated>2026-06-22T21:12:54+00:00</updated>
<author>
<name>Deepanshu Kartikey</name>
<email>kartikey406@gmail.com</email>
</author>
<published>2026-06-21T01:29:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.rulkc.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=3996771b8f759729cba0a28007438c085f814d61'/>
<id>urn:sha1:3996771b8f759729cba0a28007438c085f814d61</id>
<content type='text'>
io_pin_pages() checks that nr_pages does not exceed INT_MAX, then
allocates a struct page * array of nr_pages entries. kvmalloc() limits
allocations to INT_MAX bytes, but the check counts pages, not bytes.
On 64-bit each entry is 8 bytes, so the array hits the INT_MAX byte
limit at INT_MAX / sizeof(struct page *) pages, well before the page
count check fires.

Since commit b4e41050b212 ("io_uring/rsrc: raise registered buffer 1GB
limit") raised the per-buffer cap to 1TB, a buffer near that cap maps
~2^28 pages, making the array allocation exceed INT_MAX bytes. This
passes the page count check, reaches kvmalloc(), and triggers the
WARN_ON_ONCE() for oversized allocations in __kvmalloc_node_noprof().

Check nr_pages against INT_MAX / sizeof(struct page *) so the buffer is
rejected with -EOVERFLOW before the allocation is attempted.

Reported-by: syzbot+f99b00a963915b6b52c6@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=f99b00a963915b6b52c6
Fixes: b4e41050b212 ("io_uring/rsrc: raise registered buffer 1GB limit")
Tested-by: syzbot+f99b00a963915b6b52c6@syzkaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey &lt;kartikey406@gmail.com&gt;
Reviewed-by: Gabriel Krisman Bertazi &lt;krisman@suse.de&gt;
Link: https://patch.msgid.link/20260621012933.50571-1-kartikey406@gmail.com
Signed-off-by: Jens Axboe &lt;axboe@kernel.dk&gt;
</content>
</entry>
</feed>
