Commit ebc60fa3 authored Nov 02, 2024 by Pavel Begunkov Committed by Baokun Li Nov 02, 2024

io_uring: always lock __io_cqring_overflow_flush

mainline inclusion
from mainline-v6.10-rc1
commit 8d09a88ef9d3cb7d21d45c39b7b7c31298d23998
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRF9
CVE: CVE-2024-50060

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8d09a88ef9d3cb7d21d45c39b7b7c31298d23998



--------------------------------

Conditional locking is never great, in case of
__io_cqring_overflow_flush(), which is a slow path, it's not justified.
Don't handle IOPOLL separately, always grab uring_lock for overflow
flushing.

Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/162947df299aa12693ac4b305dacedab32ec7976.1712708261.git.asml.silence@gmail.com


Signed-off-by: Jens Axboe <axboe@kernel.dk>

Conflicts:
	io_uring/io_uring.c
[Context conflicts because there are no commits:
 408024b95927 ("io_uring: open code io_cqring_overflow_flush()")
 a85381d8 ("io_uring: skip overflow CQE posting for dying ring")
 52ea806a ("io_uring: finish waiting before flushing overflow entries")
 etc.]
Signed-off-by: Baokun Li <libaokun1@huawei.com>

parent cc5e1415

io_uring/io_uring.c

+4 −5

Original line number	Diff line number	Diff line
		@@ -1663,6 +1663,8 @@ static bool __io_cqring_overflow_flush(struct io_ring_ctx *ctx, bool force)
		{
		bool all_flushed, posted;

		lockdep_assert_held(&ctx->uring_lock);

		if (!force && __io_cqring_events(ctx) == ctx->cq_entries)
		return false;

		@@ -1706,11 +1708,8 @@ static bool io_cqring_overflow_flush(struct io_ring_ctx *ctx)
		bool ret = true;

		if (test_bit(0, &ctx->check_cq_overflow)) {
		/* iopoll syncs against uring_lock, not completion_lock */
		if (ctx->flags & IORING_SETUP_IOPOLL)
		mutex_lock(&ctx->uring_lock);
		ret = __io_cqring_overflow_flush(ctx, false);
		if (ctx->flags & IORING_SETUP_IOPOLL)
		mutex_unlock(&ctx->uring_lock);
		}