Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

io_uring: fix iowq_limits data race in tctx node addition

__io_uring_add_tctx_node() reads ctx->int_flags and
ctx->iowq_limits[0..1] without holding ctx->uring_lock, while
io_register_iowq_max_workers() writes these same fields under the lock.

Mostly an application problem if you try and make these race, but let's
silence KCSAN by just grabbing the ->uring_lock around the operation.
This is a slow path operation anyway, and ->uring_lock will be grabbed
by submission right after anyway.

Fixes: 2e480058ddc2 ("io-wq: provide a way to limit max number of workers")
Signed-off-by: Jens Axboe <axboe@kernel.dk>

+7 -3
io_uring/tctx.c
··· 146 146 if (IS_ERR(tctx)) 147 147 return PTR_ERR(tctx); 148 148 149 - if (ctx->int_flags & IO_RING_F_IOWQ_LIMITS_SET) { 150 - unsigned int limits[2] = { ctx->iowq_limits[0], 151 - ctx->iowq_limits[1], }; 149 + if (data_race(ctx->int_flags) & IO_RING_F_IOWQ_LIMITS_SET) { 150 + unsigned int limits[2]; 151 + 152 + mutex_lock(&ctx->uring_lock); 153 + limits[0] = ctx->iowq_limits[0]; 154 + limits[1] = ctx->iowq_limits[1]; 155 + mutex_unlock(&ctx->uring_lock); 152 156 153 157 ret = io_wq_max_workers(tctx->io_wq, limits); 154 158 if (ret)
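
Review bot: the test of ctx->int_flags stays outside ctx->uring_lock and is only wrapped in data_race(), with no comment saying why the unlocked read is acceptable while the two iowq_limits reads now need the mutex. Either add a one-line comment above the `if (data_race(ctx->int_flags) & IO_RING_F_IOWQ_LIMITS_SET)` line stating that a stale flag value is harmless here, or take the lock first and test the flag under it so the flag and both limits are read as one consistent snapshot; on a slow path the extra lock round trip costs nothing. The new mutex_lock(&ctx->uring_lock) also relies on no caller entering this function with that lock already held, which the visible lines do not show, so it is worth stating that in the commit message or in a comment at the lock site.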