Gabriel Krisman Bertazi 200ee3
From d11d31fc5d8a96f707facee0babdcffaafa38de2 Mon Sep 17 00:00:00 2001
From: Pavel Begunkov <asml.silence@gmail.com>
Date: Mon, 13 Jun 2022 06:30:06 +0100
Subject: [PATCH] io_uring: fix races with buffer table unregister
Git-commit: d11d31fc5d8a96f707facee0babdcffaafa38de2
Patch-mainline: v5.19-rc3
References: bsc#1205205
Fixed buffer table quiesce might unlock ->uring_lock, potentially
letting new requests be submitted; don't allow those requests to
use the table as they will race with unregistration.
Reported-and-tested-by: van fantasy <g1042620637@gmail.com>
Fixes: bd54b6fe3316ec ("io_uring: implement fixed buffers registration similar to fixed files")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Gabriel Krisman Bertazi <krisman@suse.de>
---
 fs/io_uring.c | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index 00d266746916..be05f375a776 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -10680,12 +10680,19 @@ static void __io_sqe_buffers_unregister(struct io_ring_ctx *ctx)
 
 static int io_sqe_buffers_unregister(struct io_ring_ctx *ctx)
 {
+	unsigned nr = ctx->nr_user_bufs;
 	int ret;
 
 	if (!ctx->buf_data)
 		return -ENXIO;
 
+	/*
+	 * Quiesce may unlock ->uring_lock, and while it's not held
+	 * prevent new requests using the table.
+	 */
+	ctx->nr_user_bufs = 0;
 	ret = io_rsrc_ref_quiesce(ctx->buf_data, ctx);
+	ctx->nr_user_bufs = nr;
 	if (!ret)
 		__io_sqe_buffers_unregister(ctx);
 	return ret;
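Review bot: the comment above `ctx->nr_user_bufs = 0;` should name the reader it is protecting; nothing in this hunk shows the lookup path that bounds-checks a request's buffer index against nr_user_bufs, so the invariant "nr_user_bufs == 0 means no request may reach buf_data while ->uring_lock is dropped" lives only in that reader, and a later refactor of the lookup path (e.g. one that checks buf_data or a separate table size instead) would silently reopen the race this patch closes. Two smaller points in the same hunk: the value is restored with `ctx->nr_user_bufs = nr;` unconditionally before `if (!ret)`, so when the quiesce fails the table stays registered even though every request submitted in the unlocked window already saw an empty table; that is a reasonable trade-off for an unregister that was interrupted, but it is user-visible and deserves a sentence in the comment. And `unsigned nr = ctx->nr_user_bufs;` is read before the `if (!ctx->buf_data) return -ENXIO;` early exit; harmless, but taking the snapshot right before the quiesce keeps the save/restore pair adjacent to the call it brackets.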
-- 
2.35.3