public inbox for [email protected]
* [PATCH 1/1] io_uring: fix drain stalls by invalid SQE
@ 2023-08-09 12:21 Pavel Begunkov
  2023-08-09 15:36 ` Jens Axboe
  0 siblings, 1 reply; 2+ messages in thread
From: Pavel Begunkov @ 2023-08-09 12:21 UTC (permalink / raw)
  To: io-uring; +Cc: Jens Axboe, asml.silence

cq_extra is protected by ->completion_lock, which io_get_sqe() misses.
The bug is harmless as it doesn't happen in real life, requires an invalid
SQ index array and racing with submission, and only messes up the
userspace, i.e. stalls request execution, but will be cleaned up on
ring destruction.

Fixes: 15641e427070f ("io_uring: don't cache number of dropped SQEs")
Signed-off-by: Pavel Begunkov <[email protected]>
---
 io_uring/io_uring.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index e70cf5c2dc7f..0eed797ef270 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -2390,7 +2390,9 @@ static bool io_get_sqe(struct io_ring_ctx *ctx, const struct io_uring_sqe **sqe)
 	}
 
 	/* drop invalid entries */
+	spin_lock(&ctx->completion_lock);
 	ctx->cq_extra--;
+	spin_unlock(&ctx->completion_lock);
 	WRITE_ONCE(ctx->rings->sq_dropped,
 		   READ_ONCE(ctx->rings->sq_dropped) + 1);
 	return false;
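
Review bot: The locking rule for cq_extra is not recorded anywhere near the decrement in io_get_sqe(); the only comment there is "drop invalid entries", so the next reader has no hint why a spinlock appears on the submission side. A short comment such as "cq_extra is protected by ->completion_lock" above the spin_lock() would capture what the commit message says, and a lockdep_assert_held(&ctx->completion_lock) at the places that read or modify cq_extra would catch this class of miss automatically. It is also worth stating in the commit message why the plain spin_lock() variant is sufficient in this context, and why the READ_ONCE/WRITE_ONCE increment of sq_dropped just below can stay outside the lock (it is a non-atomic read-modify-write, so it relies on submission being serialized by something not visible in this hunk).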
-- 
2.41.0

