Skip to content

Commit e663da6

Browse files
calebsanderaxboe
calebsander
authored and
axboe
committed
io_uring/uring_cmd: switch sqe to async_data on EAGAIN
5eff57f ("io_uring/uring_cmd: defer SQE copying until it's needed") moved the unconditional memcpy() of the uring_cmd SQE to async_data to 2 cases when the request goes async: - If REQ_F_FORCE_ASYNC is set to force the initial issue to go async - If ->uring_cmd() returns -EAGAIN in the initial non-blocking issue Unlike the REQ_F_FORCE_ASYNC case, in the EAGAIN case, io_uring_cmd() copies the SQE to async_data but neglects to update the io_uring_cmd's sqe field to point to async_data. As a result, sqe still points to the slot in the userspace-mapped SQ. At the end of io_submit_sqes(), the kernel advances the SQ head index, allowing userspace to reuse the slot for a new SQE. If userspace reuses the slot before the io_uring worker reissues the original SQE, the io_uring_cmd's SQE will be corrupted. Introduce a helper io_uring_cmd_cache_sqes() to copy the original SQE to the io_uring_cmd's async_data and point sqe there. Use it for both the REQ_F_FORCE_ASYNC and EAGAIN cases. This ensures the uring_cmd doesn't read from the SQ slot after it has been returned to userspace. Signed-off-by: Caleb Sander Mateos <csander@purestorage.com> Fixes: 5eff57f ("io_uring/uring_cmd: defer SQE copying until it's needed") Link: https://lore.kernel.org/r/20250212204546.3751645-3-csander@purestorage.com Signed-off-by: Jens Axboe <axboe@kernel.dk>
1 parent 34cae91 commit e663da6

File tree

1 file changed

+14
-9
lines changed

1 file changed

+14
-9
lines changed

io_uring/uring_cmd.c

Lines changed: 14 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -168,6 +168,15 @@ void io_uring_cmd_done(struct io_uring_cmd *ioucmd, ssize_t ret, u64 res2,
168168
}
169169
EXPORT_SYMBOL_GPL(io_uring_cmd_done);
170170

171+
static void io_uring_cmd_cache_sqes(struct io_kiocb *req)
172+
{
173+
struct io_uring_cmd *ioucmd = io_kiocb_to_cmd(req, struct io_uring_cmd);
174+
struct io_uring_cmd_data *cache = req->async_data;
175+
176+
memcpy(cache->sqes, ioucmd->sqe, uring_sqe_size(req->ctx));
177+
ioucmd->sqe = cache->sqes;
178+
}
179+
171180
static int io_uring_cmd_prep_setup(struct io_kiocb *req,
172181
const struct io_uring_sqe *sqe)
173182
{
@@ -179,14 +188,10 @@ static int io_uring_cmd_prep_setup(struct io_kiocb *req,
179188
return -ENOMEM;
180189
cache->op_data = NULL;
181190

182-
if (!(req->flags & REQ_F_FORCE_ASYNC)) {
183-
/* defer memcpy until we need it */
184-
ioucmd->sqe = sqe;
185-
return 0;
186-
}
187-
188-
memcpy(cache->sqes, sqe, uring_sqe_size(req->ctx));
189-
ioucmd->sqe = cache->sqes;
191+
ioucmd->sqe = sqe;
192+
/* defer memcpy until we need it */
193+
if (unlikely(req->flags & REQ_F_FORCE_ASYNC))
194+
io_uring_cmd_cache_sqes(req);
190195
return 0;
191196
}
192197

@@ -253,7 +258,7 @@ int io_uring_cmd(struct io_kiocb *req, unsigned int issue_flags)
253258
struct io_uring_cmd_data *cache = req->async_data;
254259

255260
if (ioucmd->sqe != cache->sqes)
256-
memcpy(cache->sqes, ioucmd->sqe, uring_sqe_size(req->ctx));
261+
io_uring_cmd_cache_sqes(req);
257262
return -EAGAIN;
258263
} else if (ret == -EIOCBQUEUED) {
259264
return -EIOCBQUEUED;

0 commit comments

Comments
 (0)