| From 22db1513d525ced9455ae94f661d37338ff558fc Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Thu, 30 Jul 2020 18:43:47 +0300 |
| Subject: io_uring: fix racy overflow count reporting |
| |
| From: Pavel Begunkov <asml.silence@gmail.com> |
| |
| [ Upstream commit b2bd1cf99f3e7c8fbf12ea07af2c6998e1209e25 ] |
| |
| All ->cq_overflow modifications should be under completion_lock, |
| otherwise it can report a wrong number to the userspace. Fix it in |
| io_uring_cancel_files(). |
| |
| Signed-off-by: Pavel Begunkov <asml.silence@gmail.com> |
| Signed-off-by: Jens Axboe <axboe@kernel.dk> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| fs/io_uring.c | 3 +-- |
| 1 file changed, 1 insertion(+), 2 deletions(-) |
| |
| diff --git a/fs/io_uring.c b/fs/io_uring.c |
| index 159338b5f8263..c212af69c15b4 100644 |
| --- a/fs/io_uring.c |
| +++ b/fs/io_uring.c |
| @@ -7579,10 +7579,9 @@ static void io_uring_cancel_files(struct io_ring_ctx *ctx, |
| clear_bit(0, &ctx->sq_check_overflow); |
| clear_bit(0, &ctx->cq_check_overflow); |
| } |
| - spin_unlock_irq(&ctx->completion_lock); |
| - |
| WRITE_ONCE(ctx->rings->cq_overflow, |
| atomic_inc_return(&ctx->cached_cq_overflow)); |
| + spin_unlock_irq(&ctx->completion_lock); |
| |
| /* |
| * Put inflight ref and overflow ref. If that's |
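Review bot: The rule that every `->cq_overflow` update must happen under `completion_lock` is stated only in the commit message; nothing at the `WRITE_ONCE(ctx->rings->cq_overflow, ...)` store records it, so a later cleanup could move the unlock back above it. The increment is atomic, so the hazard is presumably in publishing: two paths could increment in one order and store in the other, leaving the older count in the ring that userspace reads. I would add a comment directly above the store, for example `/* publish under completion_lock: an unlocked store can overwrite a newer overflow count with a stale one */`. The body of `io_uring_cancel_files()` starts and ends outside this hunk, and the other writers of `cq_overflow` are not visible here, so it is worth confirming that they all hold the lock as well.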
| -- |
| 2.25.1 |
| |