io_uring: Fix race for sqes with userspace
author Pavel Begunkov <asml.silence@gmail.com>
Fri, 25 Oct 2019 09:31:31 +0000 (12:31 +0300)
committer Jens Axboe <axboe@kernel.dk>
Fri, 25 Oct 2019 15:02:01 +0000 (09:02 -0600)
io_ring_submit() finalises with
1. io_commit_sqring(), which releases sqes to userspace
2. then calls io_queue_link_head(), accessing the released head's sqe

Reorder them.

Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
fs/io_uring.c

index 949c82a40d167a314dbe223cd5fe2dcc8a2d920d..32f6598ecae9f5e5ecb2a82d88a438fe59b30586 100644 (file)
@@ -2795,13 +2795,14 @@ out:
                submit++;
                io_submit_sqe(ctx, &s, statep, &link);
        }
-       io_commit_sqring(ctx);
 
        if (link)
                io_queue_link_head(ctx, link, &link->submit, shadow_req);
        if (statep)
                io_submit_state_end(statep);
 
+       io_commit_sqring(ctx);
+
        return submit;
 }
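Review bot: the ordering constraint this hunk enforces is not documented at the new io_commit_sqring(ctx) call site, so a later refactor could silently move it back above io_queue_link_head() and reintroduce the use-after-release on the link head's sqe described in the commit message. Suggest a short comment on the moved line, e.g. `/* Must run after io_queue_link_head(): the link head's sqe still lives in the sqring until committed */`. Also worth stating, either in that comment or in the commit message, whether io_submit_state_end(statep), which now also precedes the commit, has any dependency on the sqring contents, since the hunk alone does not make that visible.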