[1/1] io_uring: fix drain stalls by invalid SQE

Message ID 66096d54651b1a60534bb2023f2947f09f50ef73.1691538547.git.asml.silence@gmail.com (mailing list archive)
State New

Commit Message

Pavel Begunkov Aug. 9, 2023, 12:21 p.m. UTC
cq_extra is protected by ->completion_lock, which io_get_sqe() misses.
The bug is harmless as it doesn't happen in real life, requires invalid
SQ index array and racing with submission, and only messes up the
userspace, i.e. stall requests execution but will be cleaned up on
ring destruction.

Fixes: 15641e427070f ("io_uring: don't cache number of dropped SQEs")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
---
 io_uring/io_uring.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Jens Axboe Aug. 9, 2023, 3:36 p.m. UTC | #1
On Wed, 09 Aug 2023 13:21:41 +0100, Pavel Begunkov wrote:
> cq_extra is protected by ->completion_lock, which io_get_sqe() misses.
> The bug is harmless as it doesn't happen in real life, requires invalid
> SQ index array and racing with submission, and only messes up the
> userspace, i.e. stall requests execution but will be cleaned up on
> ring destruction.
> 
> 
> [...]

Applied, thanks!

[1/1] io_uring: fix drain stalls by invalid SQE
      commit: 5e7d637400a25141e330c3c3b0a73440d58e194d

Best regards,

Patch

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index e70cf5c2dc7f..0eed797ef270 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -2390,7 +2390,9 @@  static bool io_get_sqe(struct io_ring_ctx *ctx, const struct io_uring_sqe **sqe)
 	}
 
 	/* drop invalid entries */
+	spin_lock(&ctx->completion_lock);
 	ctx->cq_extra--;
+	spin_unlock(&ctx->completion_lock);
 	WRITE_ONCE(ctx->rings->sq_dropped,
 		   READ_ONCE(ctx->rings->sq_dropped) + 1);
 	return false;
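
Review bot: The new spin_lock()/spin_unlock() pair around `ctx->cq_extra--` carries no comment explaining why the submission path takes completion_lock at this point. A one-line note above the lock, along the lines of "cq_extra is protected by ->completion_lock", would keep a later cleanup from removing it as unnecessary. The sq_dropped update on the following lines is still a READ_ONCE/WRITE_ONCE read-modify-write outside the lock. If that is intentional because only cq_extra needs completion_lock, saying so in the comment or the commit message would save the next reader from wondering whether the critical section should have been wider.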