io_uring: annotate offset timeout races

isilence · gregkh · commit 88b1958fb57d · 2023-08-11T12:08:24.000+02:00
commit 5498bf2 upstream. It's racy to read ->cached_cq_tail without taking proper measures (usually grabbing ->completion_lock) as timeout requests with CQE offsets do, however they have never had a good semantics for from when they start counting. Annotate racy reads with data_race(). Reported-by: syzbot+cb265db2f3f3468ef436@syzkaller.appspotmail.com Signed-off-by: Pavel Begunkov <asml.silence@gmail.com> Link: https://lore.kernel.org/r/4de3685e185832a92a572df2be2c735d2e21a83d.1684506056.git.asml.silence@gmail.com Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/io_uring/timeout.c b/io_uring/timeout.c
@@ -545,7 +545,7 @@ int io_timeout(struct io_kiocb *req, unsigned int issue_flags)
 		goto add;
 	}
 
-	tail = ctx->cached_cq_tail - atomic_read(&ctx->cq_timeouts);
+	tail = data_race(ctx->cached_cq_tail) - atomic_read(&ctx->cq_timeouts);
 	timeout->target_seq = tail + off;
 
 	/* Update the last seq here in case io_flush_timeouts() hasn't.

Original file line number	Diff line number	Diff line change
`@@ -545,7 +545,7 @@ int io_timeout(struct io_kiocb *req, unsigned int issue_flags)`
`545`	`545`	`goto add;`
`546`	`546`	`}`
`547`	`547`
`548`		`- tail = ctx->cached_cq_tail - atomic_read(&ctx->cq_timeouts);`
	`548`	`+ tail = data_race(ctx->cached_cq_tail) - atomic_read(&ctx->cq_timeouts);`
`549`	`549`	`timeout->target_seq = tail + off;`
`550`	`550`
`551`	`551`	`/* Update the last seq here in case io_flush_timeouts() hasn't.`