io_uring: fix drain stalls by invalid SQE
[ Upstream commit cfdbaa3 ]

cq_extra is protected by ->completion_lock, which io_get_sqe() misses.
The bug is harmless as it doesn't happen in real life, requires invalid
SQ index array and racing with submission, and only messes up the
userspace, i.e. stall requests execution but will be cleaned up on
ring destruction.

Fixes: 15641e4 ("io_uring: don't cache number of dropped SQEs")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/66096d54651b1a60534bb2023f2947f09f50ef73.1691538547.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
isilence authored and gregkh committed Sep 13, 2023
1 parent 9183c4f commit 0c32343
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions io_uring/io_uring.c
Expand Up @@ -2240,7 +2240,9 @@ static const struct io_uring_sqe *io_get_sqe(struct io_ring_ctx *ctx)
}

/* drop invalid entries */
spin_lock(&ctx->completion_lock);
ctx->cq_extra--;
spin_unlock(&ctx->completion_lock);
WRITE_ONCE(ctx->rings->sq_dropped,
READ_ONCE(ctx->rings->sq_dropped) + 1);
return NULL;
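
Review bot: the lock/unlock pair around `ctx->cq_extra--` in io_get_sqe() is undocumented, and the `/* drop invalid entries */` comment above it does not say why the decrement needs `->completion_lock` while the `sq_dropped` read-modify-write two lines later stays outside it. Extend that comment to state that cq_extra is protected by ->completion_lock (as the commit message does) and that sq_dropped is intentionally updated without it, so a later cleanup does not drop the lock or fold both updates under it by mistake. It is also worth confirming that a plain `spin_lock()` matches how every other taker of completion_lock acquires it in this stable tree, since the hunk alone does not show whether an IRQ-safe variant is used elsewhere.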