[BUG] About "io_uring: add more uring info to fdinfo for debug"
From: Eric Dumazet
Date: Thu Oct 28 2021 - 17:25:09 EST
Hi
I was looking at commit 83f84356bc8f2d
("io_uring: add more uring info to fdinfo for debug") after receiving
syzbot reports.
I suspect that the following :
+ for (i = cached_sq_head; i < sq_tail; i++) {
+ unsigned int sq_idx = READ_ONCE(ctx->sq_array[i & sq_mask]);
+
+ if (likely(sq_idx <= sq_mask)) {
+ struct io_uring_sqe *sqe = &ctx->sq_sqes[sq_idx];
+
+ seq_printf(m, "%5u: opcode:%d, fd:%d, flags:%x, user_data:%llu\n",
+ sq_idx, sqe->opcode, sqe->fd, sqe->flags, sqe->user_data);
+ }
+ }
Can loop around ~2^32 times if sq_tail is close to ~0U
I see various READ_ONCE(), which are probably not good enough.
At very minimum I would handling wrapping...
diff --git a/fs/io_uring.c b/fs/io_uring.c
index f37de99254bf8e0b8364b267388d1056fce436a4..50493f5c004b70cff103e20bf4b1ba92304eddb9 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -10117,7 +10117,7 @@ static __cold void __io_uring_show_fdinfo(struct io_ring_ctx *ctx,
struct io_overflow_cqe *ocqe;
struct io_rings *r = ctx->rings;
unsigned int sq_mask = ctx->sq_entries - 1, cq_mask = ctx->cq_entries - 1;
- unsigned int cached_sq_head = ctx->cached_sq_head;
+ unsigned int cached_sq_head = READ_ONCE(ctx->cached_sq_head);
unsigned int cached_cq_tail = ctx->cached_cq_tail;
unsigned int sq_head = READ_ONCE(r->sq.head);
unsigned int sq_tail = READ_ONCE(r->sq.tail);
@@ -10139,7 +10139,7 @@ static __cold void __io_uring_show_fdinfo(struct io_ring_ctx *ctx,
seq_printf(m, "CqTail:\t%u\n", cq_tail & cq_mask);
seq_printf(m, "CachedCqTail:\t%u\n", cached_cq_tail & cq_mask);
seq_printf(m, "SQEs:\t%u\n", sq_tail - cached_sq_head);
- for (i = cached_sq_head; i < sq_tail; i++) {
+ for (i = cached_sq_head; (int)(i - sq_tail) < 0; i++) {
unsigned int sq_idx = READ_ONCE(ctx->sq_array[i & sq_mask]);
if (likely(sq_idx <= sq_mask)) {