Re: [BUG] About "io_uring: add more uring info to fdinfo for debug"
From: Jens Axboe
Date: Thu Oct 28 2021 - 17:40:13 EST
On 10/28/21 3:24 PM, Eric Dumazet wrote:
> Hi
>
> I was looking at commit 83f84356bc8f2d
> ("io_uring: add more uring info to fdinfo for debug") after receiving
> syzbot reports.
>
> I suspect that the following :
>
> + for (i = cached_sq_head; i < sq_tail; i++) {
> + unsigned int sq_idx = READ_ONCE(ctx->sq_array[i & sq_mask]);
> +
> + if (likely(sq_idx <= sq_mask)) {
> + struct io_uring_sqe *sqe = &ctx->sq_sqes[sq_idx];
> +
> + seq_printf(m, "%5u: opcode:%d, fd:%d, flags:%x, user_data:%llu\n",
> + sq_idx, sqe->opcode, sqe->fd, sqe->flags, sqe->user_data);
> + }
> + }
>
>
> Can loop around ~2^32 times if sq_tail is close to ~0U
>
> I see various READ_ONCE(), which are probably not good enough.
>
> At very minimum I would handling wrapping...
Thanks for reporting this. I think on top of wrapping, the loop should
just be capped at sq_entries as well. There's no point dumping more than
that, ever.
I'll take a stab at this.
--
Jens Axboe