* [PATCH v2] io_uring: check for user passing 0 nr_submit
@ 2025-10-16 11:20 Pavel Begunkov
2025-10-22 13:49 ` Jeff Moyer
2025-10-22 17:13 ` Jens Axboe
0 siblings, 2 replies; 5+ messages in thread
From: Pavel Begunkov @ 2025-10-16 11:20 UTC
To: io-uring; +Cc: asml.silence
io_submit_sqes() shouldn't be stepping into its main loop when there is
nothing to submit, i.e. nr=0. Fix 0 submission queue entries checks,
which should follow after all user input truncations.
Cc: stable@vger.kernel.org
Fixes: 6962980947e2b ("io_uring: restructure submit sqes to_submit checks")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
---
v2: split out of the series with extra tags, no functional changes
io_uring/io_uring.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 820ef0527666..ee04ab9bf968 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -2422,10 +2422,11 @@ int io_submit_sqes(struct io_ring_ctx *ctx, unsigned int nr)
unsigned int left;
int ret;
+ entries = min(nr, entries);
if (unlikely(!entries))
return 0;
- /* make sure SQ entry isn't read before tail */
- ret = left = min(nr, entries);
+
+ ret = left = entries;
io_get_task_refs(left);
io_submit_state_start(&ctx->submit_state, left);
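Review bot: The removed comment `/* make sure SQ entry isn't read before tail */` is dropped without any mention in the changelog. If the ordering it described is still provided where `entries` is first computed (outside this hunk), move the comment there, or say in the commit message why it is stale; as posted, the note about read ordering is lost together with the `min()` it sat above, and the empty `+` line left in its place adds nothing.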
--
2.49.0
* Re: [PATCH v2] io_uring: check for user passing 0 nr_submit
From: Jeff Moyer @ 2025-10-22 13:49 UTC
To: Pavel Begunkov; +Cc: io-uring
Pavel Begunkov <asml.silence@gmail.com> writes:
> io_submit_sqes() shouldn't be stepping into its main loop when there is
> nothing to submit, i.e. nr=0. Fix 0 submission queue entries checks,
> which should follow after all user input truncations.
I see two callers of io_submit_sqes, and neither of them will pass 0 for
nr. What am I missing?
-Jeff
>
> Cc: stable@vger.kernel.org
> Fixes: 6962980947e2b ("io_uring: restructure submit sqes to_submit checks")
> Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
> ---
>
> v2: split out of the series with extra tags, no functional changes
>
> io_uring/io_uring.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
> index 820ef0527666..ee04ab9bf968 100644
> --- a/io_uring/io_uring.c
> +++ b/io_uring/io_uring.c
> @@ -2422,10 +2422,11 @@ int io_submit_sqes(struct io_ring_ctx *ctx, unsigned int nr)
> unsigned int left;
> int ret;
>
> + entries = min(nr, entries);
> if (unlikely(!entries))
> return 0;
> - /* make sure SQ entry isn't read before tail */
> - ret = left = min(nr, entries);
> +
> + ret = left = entries;
> io_get_task_refs(left);
> io_submit_state_start(&ctx->submit_state, left);
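Review bot: The new `entries = min(nr, entries);` line has no comment saying that the `!entries` test below depends on the clamp running first, and the Fixes: tag points at an earlier restructuring of these same checks. A one-line comment above the clamp, stating that `entries` must be truncated to `nr` before it is tested for zero, would keep a later reshuffle from separating the two again.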
* Re: [PATCH v2] io_uring: check for user passing 0 nr_submit
From: Pavel Begunkov @ 2025-10-22 16:53 UTC
To: Jeff Moyer; +Cc: io-uring
On 10/22/25 14:49, Jeff Moyer wrote:
> Pavel Begunkov <asml.silence@gmail.com> writes:
>
>> io_submit_sqes() shouldn't be stepping into its main loop when there is
>> nothing to submit, i.e. nr=0. Fix 0 submission queue entries checks,
>> which should follow after all user input truncations.
>
> I see two callers of io_submit_sqes, and neither of them will pass 0 for
> nr. What am I missing?
You're right, we can drop the fixes/stable part. It's still
good to have as it's handled not in the best way.
>> Cc: stable@vger.kernel.org
>> Fixes: 6962980947e2b ("io_uring: restructure submit sqes to_submit checks")
>> Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
>> ---
>>
>> v2: split out of the series with extra tags, no functional changes
>>
>> io_uring/io_uring.c | 5 +++--
>> 1 file changed, 3 insertions(+), 2 deletions(-)
>>
>> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
>> index 820ef0527666..ee04ab9bf968 100644
>> --- a/io_uring/io_uring.c
>> +++ b/io_uring/io_uring.c
>> @@ -2422,10 +2422,11 @@ int io_submit_sqes(struct io_ring_ctx *ctx, unsigned int nr)
>> unsigned int left;
>> int ret;
>>
>> + entries = min(nr, entries);
>> if (unlikely(!entries))
>> return 0;
>> - /* make sure SQ entry isn't read before tail */
>> - ret = left = min(nr, entries);
>> +
>> + ret = left = entries;
>> io_get_task_refs(left);
>> io_submit_state_start(&ctx->submit_state, left);
>
--
Pavel Begunkov
* Re: [PATCH v2] io_uring: check for user passing 0 nr_submit
From: Jens Axboe @ 2025-10-22 17:13 UTC
To: io-uring, Pavel Begunkov
On Thu, 16 Oct 2025 12:20:31 +0100, Pavel Begunkov wrote:
> io_submit_sqes() shouldn't be stepping into its main loop when there is
> nothing to submit, i.e. nr=0. Fix 0 submission queue entries checks,
> which should follow after all user input truncations.
>
>
Applied, thanks!
[1/1] io_uring: check for user passing 0 nr_submit
commit: dde92a5026d81df1a146e9c243d09b27d1bf04bf
Best regards,
--
Jens Axboe
* Re: [PATCH v2] io_uring: check for user passing 0 nr_submit
From: Jeff Moyer @ 2025-10-22 17:35 UTC
To: Pavel Begunkov; +Cc: io-uring
Pavel Begunkov <asml.silence@gmail.com> writes:
> On 10/22/25 14:49, Jeff Moyer wrote:
>> Pavel Begunkov <asml.silence@gmail.com> writes:
>>
>>> io_submit_sqes() shouldn't be stepping into its main loop when there is
>>> nothing to submit, i.e. nr=0. Fix 0 submission queue entries checks,
>>> which should follow after all user input truncations.
>> I see two callers of io_submit_sqes, and neither of them will pass 0 for
>> nr. What am I missing?
>
> You're right, we can drop the fixes/stable part. It's still
> good to have as it's handled not in the best way.
Agreed.
Cheers,
Jeff
>
>
>>> Cc: stable@vger.kernel.org
>>> Fixes: 6962980947e2b ("io_uring: restructure submit sqes to_submit checks")
>>> Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
>>> ---
>>>
>>> v2: split out of the series with extra tags, no functional changes
>>>
>>> io_uring/io_uring.c | 5 +++--
>>> 1 file changed, 3 insertions(+), 2 deletions(-)
>>>
>>> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
>>> index 820ef0527666..ee04ab9bf968 100644
>>> --- a/io_uring/io_uring.c
>>> +++ b/io_uring/io_uring.c
>>> @@ -2422,10 +2422,11 @@ int io_submit_sqes(struct io_ring_ctx *ctx, unsigned int nr)
>>> unsigned int left;
>>> int ret;
>>> + entries = min(nr, entries);
>>> if (unlikely(!entries))
>>> return 0;
>>> - /* make sure SQ entry isn't read before tail */
>>> - ret = left = min(nr, entries);
>>> +
>>> + ret = left = entries;
>>> io_get_task_refs(left);
>>> io_submit_state_start(&ctx->submit_state, left);
>>