From: Pavel Begunkov Date: Mon, 13 Jun 2022 05:30:06 +0000 (+0100) Subject: io_uring: fix races with buffer table unregister X-Git-Tag: v5.15.73~2919 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=91f5a60a8398fd2183309eb8aaad11d524fe4957;p=platform%2Fkernel%2Flinux-rpi.git io_uring: fix races with buffer table unregister [ Upstream commit d11d31fc5d8a96f707facee0babdcffaafa38de2 ] Fixed buffer table quiesce might unlock ->uring_lock, potentially letting new requests to be submitted, don't allow those requests to use the table as they will race with unregistration. Reported-and-tested-by: van fantasy Fixes: bd54b6fe3316ec ("io_uring: implement fixed buffers registration similar to fixed files") Signed-off-by: Pavel Begunkov Signed-off-by: Sasha Levin --- diff --git a/fs/io_uring.c b/fs/io_uring.c index 5f111a6..be21765 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -8905,12 +8905,19 @@ static void __io_sqe_buffers_unregister(struct io_ring_ctx *ctx) static int io_sqe_buffers_unregister(struct io_ring_ctx *ctx) { + unsigned nr = ctx->nr_user_bufs; int ret; if (!ctx->buf_data) return -ENXIO; + /* + * Quiesce may unlock ->uring_lock, and while it's not held + * prevent new requests using the table. + */ + ctx->nr_user_bufs = 0; ret = io_rsrc_ref_quiesce(ctx->buf_data, ctx); + ctx->nr_user_bufs = nr; if (!ret) __io_sqe_buffers_unregister(ctx); return ret;
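Review bot: In io_sqe_buffers_unregister(), the new comment explains why `ctx->nr_user_bufs = 0;` is set before io_rsrc_ref_quiesce() but says nothing about the unconditional `ctx->nr_user_bufs = nr;` that follows. The restore runs on both the success and the failure path, so one more comment sentence would help: say that the saved count is written back once quiesce returns so that a failed quiesce leaves the table usable, and that the restore is only safe if ->uring_lock is held again at that point. The fix also depends on every submission-side user of the buffer table checking nr_user_bufs while holding ->uring_lock. That is not visible in this hunk, so it is worth confirming that no path reads the count without the lock. If one does, these plain stores are not enough. Style: `unsigned nr` should be `unsigned int nr`, as checkpatch prefers.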