Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

io_uring: use release-acquire ordering for IORING_SETUP_R_DISABLED

io_uring_enter(), __io_msg_ring_data(), and io_msg_send_fd() read
ctx->flags and ctx->submitter_task without holding the ctx's uring_lock.
This means they may race with the assignment to ctx->submitter_task and
the clearing of IORING_SETUP_R_DISABLED from ctx->flags in
io_register_enable_rings(). Ensure the correct ordering of the
ctx->flags and ctx->submitter_task memory accesses by storing to
ctx->flags using release ordering and loading it using acquire ordering.

Signed-off-by: Caleb Sander Mateos <csander@purestorage.com>
Fixes: 4add705e4eeb ("io_uring: remove io_register_submitter")
Reviewed-by: Joanne Koong <joannelkoong@gmail.com>
Reviewed-by: Gabriel Krisman Bertazi <krisman@suse.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

authored by

Caleb Sander Mateos and committed by
Jens Axboe
7a8737e1 48ed7013

+17 -4
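--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -3228,7 +3228,11 @@
 
 ctx = file->private_data;
 ret = -EBADFD;
-if (unlikely(ctx->flags & IORING_SETUP_R_DISABLED))
+/*
+ * Keep IORING_SETUP_R_DISABLED check before submitter_task load
+ * in io_uring_add_tctx_node() -> __io_uring_add_tctx_node_from_submit()
+ */
+if (unlikely(smp_load_acquire(&ctx->flags) & IORING_SETUP_R_DISABLED))
 goto out;
 
 /*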
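Review bot: The comment added above the `smp_load_acquire()` check names the later submitter_task load it must stay ahead of, but not the store it pairs with, and the same is true of the two comments added in io_uring/msg_ring.c. Going by the commit message, the pairing release is the `smp_store_release()` in io_register_enable_rings(); adding a line such as ` * Pairs with smp_store_release() in io_register_enable_rings()` to each comment would make that explicit. Without it, a later cleanup that turns either side back into a plain access would not look wrong locally, yet would reopen the window in which a task sees the ring enabled and then reads a stale submitter_task. The enclosing function starts and ends outside the hunk.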
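--- a/io_uring/msg_ring.c
+++ b/io_uring/msg_ring.c
@@ -125,7 +125,11 @@
 return -EINVAL;
 if (!(msg->flags & IORING_MSG_RING_FLAGS_PASS) && msg->dst_fd)
 return -EINVAL;
-if (target_ctx->flags & IORING_SETUP_R_DISABLED)
+/*
+ * Keep IORING_SETUP_R_DISABLED check before submitter_task load
+ * in io_msg_data_remote() -> io_msg_remote_post()
+ */
+if (smp_load_acquire(&target_ctx->flags) & IORING_SETUP_R_DISABLED)
 return -EBADFD;
 
 if (io_msg_need_remote(target_ctx))
@@ -245,7 +249,11 @@
 return -EINVAL;
 if (target_ctx == ctx)
 return -EINVAL;
-if (target_ctx->flags & IORING_SETUP_R_DISABLED)
+/*
+ * Keep IORING_SETUP_R_DISABLED check before submitter_task load
+ * in io_msg_fd_remote()
+ */
+if (smp_load_acquire(&target_ctx->flags) & IORING_SETUP_R_DISABLED)
 return -EBADFD;
 if (!msg->src_file) {
 int ret = io_msg_grab_file(req, issue_flags);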
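Review bot: The acquire check on `target_ctx->flags` and its comment are duplicated in both hunks of this file, so every future caller that tests IORING_SETUP_R_DISABLED without uring_lock has to remember to use `smp_load_acquire()` rather than a plain read. A small static inline helper that returns `smp_load_acquire(&ctx->flags) & IORING_SETUP_R_DISABLED` and carries the ordering comment once would keep the requirement in one place; the per-site comment could then shrink to naming the submitter_task consumer. Both enclosing functions start and end outside the hunks.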
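--- a/io_uring/register.c
+++ b/io_uring/register.c
@@ -193,7 +193,8 @@
 if (ctx->restrictions.registered)
 ctx->restricted = 1;
 
-ctx->flags &= ~IORING_SETUP_R_DISABLED;
+/* Keep submitter_task store before clearing IORING_SETUP_R_DISABLED */
+smp_store_release(&ctx->flags, ctx->flags & ~IORING_SETUP_R_DISABLED);
 if (ctx->sq_data && wq_has_sleeper(&ctx->sq_data->wait))
 wake_up(&ctx->sq_data->wait);
 return 0;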
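Review bot: `smp_store_release(&ctx->flags, ctx->flags & ~IORING_SETUP_R_DISABLED)` is still a read-modify-write whose read half is a plain load, so the stored value is only right if nothing else can write ctx->flags at the same time. The hunk does not show the locking; the commit message suggests this path runs under uring_lock, and if so the comment should say it, for example `/* Keep submitter_task store before clearing IORING_SETUP_R_DISABLED; uring_lock serialises writers of ctx->flags */`. The release also orders the `ctx->restricted = 1` store just above it, which is worth a word if any lockless reader depends on restrictions being visible once the ring is enabled. The function starts outside the hunk.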