Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

io_uring/fdinfo: cap SQ iteration at max SQ entries

A previous commit changed the logic around how SQ entries are iterated,
and as a result, had a few bugs. One is that it fully trusts the SQ
head and tail, which are user exposed. Another is that it fails to
increment the SQ head if the SQ index is out of range.

Fix both of those up, reverting to the previous logic of how to
iterate SQ entries.

Link: https://lore.kernel.org/io-uring/68ffdf18.050a0220.3344a1.039e.GAE@google.com/
Fixes: 1cba30bf9fdd ("io_uring: add support for IORING_SETUP_SQE_MIXED")
Reported-by: syzbot+10a9b495f54a17b607a6@syzkaller.appspotmail.com
Tested-by: syzbot+10a9b495f54a17b607a6@syzkaller.appspotmail.com
Reviewed-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

+6 -5
io_uring/fdinfo.c
··· 67 67 unsigned int cq_head = READ_ONCE(r->cq.head); 68 68 unsigned int cq_tail = READ_ONCE(r->cq.tail); 69 69 unsigned int sq_shift = 0; 70 + unsigned int sq_entries; 70 71 int sq_pid = -1, sq_cpu = -1; 71 72 u64 sq_total_time = 0, sq_work_time = 0; 72 73 unsigned int i; ··· 90 89 seq_printf(m, "CqTail:\t%u\n", cq_tail); 91 90 seq_printf(m, "CachedCqTail:\t%u\n", data_race(ctx->cached_cq_tail)); 92 91 seq_printf(m, "SQEs:\t%u\n", sq_tail - sq_head); 93 - while (sq_head < sq_tail) { 92 + sq_entries = min(sq_tail - sq_head, ctx->sq_entries); 93 + for (i = 0; i < sq_entries; i++) { 94 + unsigned int entry = i + sq_head; 94 95 struct io_uring_sqe *sqe; 95 96 unsigned int sq_idx; 96 97 bool sqe128 = false; 97 98 u8 opcode; 98 99 99 100 if (ctx->flags & IORING_SETUP_NO_SQARRAY) 100 - sq_idx = sq_head & sq_mask; 101 + sq_idx = entry & sq_mask; 101 102 else 102 - sq_idx = READ_ONCE(ctx->sq_array[sq_head & sq_mask]); 103 - 103 + sq_idx = READ_ONCE(ctx->sq_array[entry & sq_mask]); 104 104 if (sq_idx > sq_mask) 105 105 continue; 106 106 ··· 143 141 } 144 142 } 145 143 seq_printf(m, "\n"); 146 - sq_head++; 147 144 } 148 145 seq_printf(m, "CQEs:\t%u\n", cq_tail - cq_head); 149 146 while (cq_head < cq_tail) {
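Review bot: In the second hunk, the `SQEs:` line directly above the new loop still prints the raw `sq_tail - sq_head`, while the loop now walks at most `min(sq_tail - sq_head, ctx->sq_entries)` entries, so the reported count and the number of entries dumped can disagree when head and tail are inconsistent. A one-line comment above the `min()` saying that head and tail are user-exposed and that the dump is deliberately bounded by the ring size would make that intent clear to the next reader. As a smaller style point, the local `sq_entries` sits next to `ctx->sq_entries` on the same line and is easy to misread; a name that says it is the number of entries to dump would help.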
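Review bot: The trailing context of the last hunk shows the CQ dump still written as `while (cq_head < cq_tail) {`, the same open-ended shape this patch removes on the SQ side, with both values taken from the ring via `READ_ONCE(r->cq.head)` and `READ_ONCE(r->cq.tail)` in the first hunk. If either of those can be influenced from user space, that loop needs the same treatment as the SQ one: a count capped at the ring size and an index that advances on every path. If the CQ side is safe as written, a sentence in the commit message saying why would close the question.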