Re: [BUG] About "io_uring: add more uring info to fdinfo for debug"

From: Jens Axboe
Date: Thu Oct 28 2021 - 17:40:13 EST


On 10/28/21 3:24 PM, Eric Dumazet wrote:
> Hi
>
> I was looking at commit 83f84356bc8f2d
> ("io_uring: add more uring info to fdinfo for debug") after receiving
> syzbot reports.
>
> I suspect that the following :
>
> + for (i = cached_sq_head; i < sq_tail; i++) {
> + unsigned int sq_idx = READ_ONCE(ctx->sq_array[i & sq_mask]);
> +
> + if (likely(sq_idx <= sq_mask)) {
> + struct io_uring_sqe *sqe = &ctx->sq_sqes[sq_idx];
> +
> + seq_printf(m, "%5u: opcode:%d, fd:%d, flags:%x, user_data:%llu\n",
> + sq_idx, sqe->opcode, sqe->fd, sqe->flags, sqe->user_data);
> + }
> + }
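Review bot: the loop condition `i < sq_tail` compares two free-running unsigned counters, so the number of iterations equals `sq_tail - cached_sq_head` only while neither counter has wrapped; once sq_tail has passed zero while cached_sq_head has not, the loop runs zero times, and a sq_tail near ~0U makes it run close to 2^32 times inside a seq_file callback. Compute the count as `sq_tail - cached_sq_head` (unsigned subtraction is correct across the wrap) and cap it at sq_entries before entering the loop, since the ring can never hold more than sq_entries unconsumed entries; the `sq_idx <= sq_mask` check keeps the `ctx->sq_sqes[sq_idx]` access in bounds but does nothing to bound the iteration count, and a cap derived from sq_entries does not depend on what the READ_ONCE() loads return.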
>
>
> Can loop around ~2^32 times if sq_tail is close to ~0U
>
> I see various READ_ONCE(), which are probably not good enough.
>
> At the very minimum I would handle wrapping...

Thanks for reporting this. I think on top of wrapping, the loop should
just be capped at sq_entries as well. There's no point dumping more than
that, ever.

I'll take a stab at this.

--
Jens Axboe
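A small userland C model of the two problems raised in the thread (the head/tail counters wrapping, and the iteration count being unbounded when the tail is near ~0U) next to the fix Jens proposes (cap the count at sq_entries). This is an added illustration, not code from the kernel or from either poster; `struct sq_model`, `naive_iterations`, `bounded_iterations`, `dump_sq` and `demo_visit_count` are hypothetical names, and the ring contents are constructed.

```c
#include <stdio.h>
#include <stdint.h>

/* Hypothetical model of the submission-queue bookkeeping. In the kernel the
 * tail and the indirection array live in memory shared with the ring user,
 * which is why they are read with READ_ONCE() and cannot be trusted to be
 * well-formed. */
struct sq_model {
    unsigned int sq_entries;      /* ring size, a power of two */
    unsigned int sq_mask;         /* sq_entries - 1 */
    const unsigned int *sq_array; /* indirection array: slot -> sqe index */
    unsigned int head;            /* kernel's cached head (monotonic, wraps) */
    unsigned int tail;            /* tail as seen in shared memory */
};

/* Iteration count of the quoted loop, `for (i = head; i < tail; i++)`.
 * Returned as 64-bit so the ~2^32 case is representable. */
uint64_t naive_iterations(unsigned int head, unsigned int tail)
{
    return tail > head ? (uint64_t)tail - head : 0;
}

/* Bounded count: unsigned subtraction yields the distance modulo 2^32, so a
 * wrapped tail still gives the right answer, and the result is capped at
 * sq_entries because the ring can never hold more unconsumed entries. */
unsigned int bounded_iterations(unsigned int head, unsigned int tail,
                                unsigned int sq_entries)
{
    unsigned int nr = tail - head;
    return nr < sq_entries ? nr : sq_entries;
}

/* Walk the ring with the bounded count, skipping sq_array slots whose value
 * would index past the sqe array (the sq_idx <= sq_mask check from the
 * commit). Stores the visited sqe indices in out_idx and returns how many
 * were valid. */
unsigned int dump_sq(const struct sq_model *sq, unsigned int *out_idx,
                     unsigned int max_out)
{
    unsigned int tail = sq->tail; /* snapshot once, as READ_ONCE() would */
    unsigned int nr = bounded_iterations(sq->head, tail, sq->sq_entries);
    unsigned int visited = 0;

    for (unsigned int n = 0; n < nr; n++) {
        unsigned int i = sq->head + n; /* may wrap; masking handles it */
        unsigned int sq_idx = sq->sq_array[i & sq->sq_mask];

        if (sq_idx <= sq->sq_mask) {
            if (visited < max_out)
                out_idx[visited] = sq_idx;
            visited++;
        }
    }
    return visited;
}

/* Constructed ring: head has nearly wrapped, tail has already wrapped, and
 * one indirection slot holds an out-of-range index. */
unsigned int demo_visit_count(void)
{
    static const unsigned int sq_array[8] = { 0, 1, 2, 3, 4, 5, 6, 99 };
    struct sq_model sq = {
        .sq_entries = 8, .sq_mask = 7, .sq_array = sq_array,
        .head = 0xfffffffeu, .tail = 2u,
    };
    unsigned int idx[8];
    unsigned int visited = dump_sq(&sq, idx, 8);

    for (unsigned int k = 0; k < visited; k++)
        printf("%5u: valid sqe index\n", idx[k]);
    return visited;
}

int main(void)
{
    printf("naive, tail near ~0U : %llu iterations\n",
           (unsigned long long)naive_iterations(0, 0xffffffffu));
    printf("naive, tail wrapped  : %llu iterations\n",
           (unsigned long long)naive_iterations(0xfffffffeu, 2u));
    printf("bounded, tail wrapped: %u iterations\n",
           bounded_iterations(0xfffffffeu, 2u, 8));
    printf("visited: %u\n", demo_visit_count());
    return 0;
}
```

The naive count shows both failure modes on the same inputs: a tail near ~0U yields ~2^32 iterations, and a tail that has wrapped past zero yields none even though entries are pending. The bounded form walks exactly the four pending slots (6, 7, 0, 1 after masking) and drops the one whose stored index exceeds sq_mask.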