From: Pavel Begunkov <asml.silence@gmail.com>
Date: Fri, 25 Oct 2019 09:31:31 +0000 (+0300)
Subject: io_uring: Fix race for sqes with userspace
X-Git-Tag: Ubuntu-5.13.0-19.19~7422^2~6
X-Git-Url: https://git.proxmox.com/?a=commitdiff_plain;h=935d1e45908afb8853c497f2c2bbbb685dec51dc;p=mirror_ubuntu-jammy-kernel.git

io_uring: Fix race for sqes with userspace

io_ring_submit() finalises with
1. io_commit_sqring(), which releases sqes to the userspace
2. Then calls to io_queue_link_head(), accessing released head's sqe

Reorder them.

Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
---

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 949c82a40d16..32f6598ecae9 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -2795,13 +2795,14 @@ out:
 		submit++;
 		io_submit_sqe(ctx, &s, statep, &link);
 	}
-	io_commit_sqring(ctx);
 
 	if (link)
 		io_queue_link_head(ctx, link, &link->submit, shadow_req);
 	if (statep)
 		io_submit_state_end(statep);
 
+	io_commit_sqring(ctx);
+
 	return submit;
 }