[PATCH 1/1] io_uring: fix drain stalls by invalid SQE

[PATCH 1/1] io_uring: fix drain stalls by invalid SQE

[Pavel Begunkov]

cq_extra is protected by ->completion_lock, which io_get_sqe() misses.
The bug is harmless as it doesn't happen in real life, requires invalid
SQ index array and racing with submission, and only messes up the
userspace, i.e. stall requests execution but will be cleaned up on
ring destruction.

Fixes: 15641e427070f ("io_uring: don't cache number of dropped SQEs")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
---
 io_uring/io_uring.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index e70cf5c2dc7f..0eed797ef270 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -2390,7 +2390,9 @@ static bool io_get_sqe(struct io_ring_ctx *ctx, const struct io_uring_sqe **sqe)
 	}
 
 	/* drop invalid entries */
+	spin_lock(&ctx->completion_lock);
 	ctx->cq_extra--;
+	spin_unlock(&ctx->completion_lock);
 	WRITE_ONCE(ctx->rings->sq_dropped,
 		   READ_ONCE(ctx->rings->sq_dropped) + 1);
 	return false;
-- 
2.41.0

Re: [PATCH 1/1] io_uring: fix drain stalls by invalid SQE

[Jens Axboe]

On Wed, 09 Aug 2023 13:21:41 +0100, Pavel Begunkov wrote:
> cq_extra is protected by ->completion_lock, which io_get_sqe() misses.
> The bug is harmless as it doesn't happen in real life, requires invalid
> SQ index array and racing with submission, and only messes up the
> userspace, i.e. stall requests execution but will be cleaned up on
> ring destruction.
> 
> 
> [...]

Applied, thanks!

[1/1] io_uring: fix drain stalls by invalid SQE
      commit: 5e7d637400a25141e330c3c3b0a73440d58e194d

Best regards,
-- 
Jens Axboe