* [PATCH 0/2] query infinite loop prevention
@ 2025-09-19 11:11 Pavel Begunkov
2025-09-19 11:11 ` [PATCH 1/2] io_uring/query: prevent infinite loops Pavel Begunkov
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Pavel Begunkov @ 2025-09-19 11:11 UTC (permalink / raw)
To: io-uring; +Cc: asml.silence, axboe
Allow users to kill the task while it's processing io_uring
queries; it specifically targets cases where the chain contains
a cycle that leads to an infinite loop. Also, limit the maximum
number of queries per call.

Pavel Begunkov (2):
  io_uring/query: prevent infinite loops
  io_uring/query: cap number of queries

 io_uring/query.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
--
2.49.0
* [PATCH 1/2] io_uring/query: prevent infinite loops
From: Pavel Begunkov @ 2025-09-19 11:11 UTC (permalink / raw)
To: io-uring; +Cc: asml.silence, axboe
If the query chain forms a cycle, the interface will loop indefinitely.
Make sure it handles fatal signals, so the user can kill the process and
hence break out of the infinite loop.
Fixes: c265ae75f900 ("io_uring: introduce io_uring querying")
Reported-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
---
io_uring/query.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/io_uring/query.c b/io_uring/query.c
index 9eed0f371956..c2183daf5a46 100644
--- a/io_uring/query.c
+++ b/io_uring/query.c
@@ -88,6 +88,10 @@ int io_query(struct io_ring_ctx *ctx, void __user *arg, unsigned nr_args)
if (ret)
return ret;
uhdr = u64_to_user_ptr(next_hdr);
+
+ if (fatal_signal_pending(current))
+ return -EINTR;
+ cond_resched();
}
return 0;
}
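Review bot: the check added after `uhdr = u64_to_user_ptr(next_hdr);` tests only fatal_signal_pending(), so a cyclic chain still spins in the kernel until the task receives a fatal signal; a signal the process handles will not get it out of the loop. If that is the intended contract, a one-line comment above the check saying it exists to let a cyclic chain be killed would help, since nothing else in the loop hints that the chain may never terminate. Bounding the number of iterations as well would make the loop finite without relying on the user to kill the task.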
--
2.49.0
* [PATCH 2/2] io_uring/query: cap number of queries
From: Pavel Begunkov @ 2025-09-19 11:11 UTC (permalink / raw)
To: io-uring; +Cc: asml.silence, axboe
If a query chain forms a cycle, it'll be looping in the kernel until the
process is killed. It might be fine as any such mistake can be easily
uncovered during testing, but it's still nicer to let it break out of
the syscall if it executed too many queries.
Suggested-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
---
io_uring/query.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/io_uring/query.c b/io_uring/query.c
index c2183daf5a46..645301bd2c82 100644
--- a/io_uring/query.c
+++ b/io_uring/query.c
@@ -6,6 +6,7 @@
#include "io_uring.h"
#define IO_MAX_QUERY_SIZE (sizeof(struct io_uring_query_opcode))
+#define IO_MAX_QUERY_ENTRIES 1000
static ssize_t io_query_ops(void *data)
{
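Review bot: `IO_MAX_QUERY_ENTRIES` is introduced as a bare 1000 with no comment on why that value was chosen or that it is a per-call limit userspace can now hit. Since chains at or beyond this length start failing where they previously succeeded, a short comment next to the define stating that it caps the number of chained query headers handled in one call, and a matching note wherever the query interface is documented for userspace, would make the limit discoverable.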
@@ -74,7 +75,7 @@ int io_query(struct io_ring_ctx *ctx, void __user *arg, unsigned nr_args)
{
char entry_buffer[IO_MAX_QUERY_SIZE];
void __user *uhdr = arg;
- int ret;
+ int ret, nr = 0;
memset(entry_buffer, 0, sizeof(entry_buffer));
@@ -89,6 +90,9 @@ int io_query(struct io_ring_ctx *ctx, void __user *arg, unsigned nr_args)
return ret;
uhdr = u64_to_user_ptr(next_hdr);
+ /* Have some limit to avoid a potential cycle */
+ if (++nr >= IO_MAX_QUERY_ENTRIES)
+ return -ERANGE;
if (fatal_signal_pending(current))
return -EINTR;
cond_resched();
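Review bot: the cap test `if (++nr >= IO_MAX_QUERY_ENTRIES)` sits after the entry has been handled and `uhdr` advanced, so it fires on the 1000th entry even when that entry was the last one in the chain. Assuming the loop ends when `uhdr` becomes NULL (the loop condition is not in this hunk), a well-formed chain of exactly IO_MAX_QUERY_ENTRIES headers is fully processed and then fails with -ERANGE, which makes the effective limit 999. Testing the count at the top of the loop body, before the entry is handled, would allow exactly IO_MAX_QUERY_ENTRIES entries and avoid doing work for an entry that is then reported as out of range.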
--
2.49.0
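
A userspace model of the capped chain walk from this patch, added here as an illustration and not taken from the kernel tree. `model_hdr`, `walk_chain` and `build_chain` are hypothetical names, the chains are constructed test data, and the model assumes the walk stops when the next pointer is zero.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_QUERY_ENTRIES 1000  /* same value as the patch's IO_MAX_QUERY_ENTRIES */

/* Hypothetical stand-in for a user-supplied query header; only the link matters. */
struct model_hdr {
    uint64_t next;  /* address of the next header, 0 terminates the chain */
};

/* Walk the chain in the patched order: handle the entry, advance, then count.
 * Returns 0 for a terminated chain and -ERANGE once the cap is reached.
 * *handled receives the number of entries processed before returning. */
static int walk_chain(struct model_hdr *head, int *handled)
{
    struct model_hdr *hdr = head;
    int nr = 0;
    *handled = 0;
    while (hdr) {  /* assumption: a zero next pointer ends the walk */
        (*handled)++;  /* stands in for handling one query entry */
        hdr = (struct model_hdr *)(uintptr_t)hdr->next;
        if (++nr >= MAX_QUERY_ENTRIES)
            return -ERANGE;
    }
    return 0;
}

/* Build a constructed chain of n entries; if cyclic, the last links to the first. */
static void build_chain(struct model_hdr *buf, int n, int cyclic)
{
    for (int i = 0; i < n; i++)
        buf[i].next = (i + 1 < n) ? (uint64_t)(uintptr_t)&buf[i + 1] : 0;
    if (cyclic)
        buf[n - 1].next = (uint64_t)(uintptr_t)&buf[0];
}

int main(void)
{
    static struct model_hdr buf[MAX_QUERY_ENTRIES];
    int handled, ret;
    build_chain(buf, 3, 1);  /* three headers forming a cycle */
    ret = walk_chain(buf, &handled);
    printf("3-entry cycle: ret=%d handled=%d\n", ret, handled);
    build_chain(buf, MAX_QUERY_ENTRIES, 0);  /* terminated chain at the cap */
    ret = walk_chain(buf, &handled);
    printf("%d-entry chain: ret=%d handled=%d\n", MAX_QUERY_ENTRIES, ret, handled);
    return 0;
}
```

In this model the cyclic chain is cut off after 1000 handled entries, and a terminated chain of exactly 1000 entries is also reported as -ERANGE after all of its entries were handled.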
* Re: [PATCH 0/2] query infinite loop prevention
From: Jens Axboe @ 2025-09-19 13:06 UTC (permalink / raw)
To: io-uring, Pavel Begunkov
On Fri, 19 Sep 2025 12:11:55 +0100, Pavel Begunkov wrote:
> Allow users to kill the task while it's processing io_uring
> queries; it specifically targets cases where the chain contains
> a cycle that leads to an infinite loop. Also, limit the maximum
> number of queries per call.
>
> Pavel Begunkov (2):
> io_uring/query: prevent infinite loops
> io_uring/query: cap number of queries
>
> [...]
Applied, thanks!
[1/2] io_uring/query: prevent infinite loops
commit: 2408d1783204920880f929a7a3087c76f5a59c13
[2/2] io_uring/query: cap number of queries
commit: 7ea24326e72dad7cd326bedd8442c162ae23df9d
Best regards,
--
Jens Axboe