Commit d60b76d2 authored Jan 22, 2025 by Jens Axboe Committed by Wentao Guan Mar 25, 2025

io_uring/uring_cmd: use cached cmd_op in io_uring_cmd_sock()

stable inclusion
from stable-v6.6.76
commit 563ba1701bc1a87085de2d4d451c8435d061f6db
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IBW08Q

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=563ba1701bc1a87085de2d4d451c8435d061f6db

--------------------------------

[ Upstream commit d58d82bd0efd6c8edd452fc2f6c6dd052ec57cb2 ]

io_uring_cmd_sock() does a normal read of cmd->sqe->cmd_op, where it
really should be using a READ_ONCE() as ->sqe may still be pointing to
the original SQE. Since the prep side already does this READ_ONCE() and
stores it locally, use that value rather than re-read it.

Fixes: 8e9fad0e ("io_uring: Add io_uring command support for sockets")
Link: https://lore.kernel.org/r/20250121-uring-sockcmd-fix-v1-1-add742802a29@google.com


Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 563ba1701bc1a87085de2d4d451c8435d061f6db)
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>

parent 6bd0d979

io_uring/uring_cmd.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -175,7 +175,7 @@ int io_uring_cmd_sock(struct io_uring_cmd *cmd, unsigned int issue_flags)
		if (!prot \|\| !prot->ioctl)
		return -EOPNOTSUPP;

		switch (cmd->sqe->cmd_op) {
		switch (cmd->cmd_op) {
		case SOCKET_URING_OP_SIOCINQ:
		ret = prot->ioctl(sk, SIOCINQ, &arg);
		if (ret)