io_uring/query: prevent infinite loops

isilence · axboe · commit 2408d1783204 · 2025-09-19T07:06:43.000-06:00
If the query chain forms a cycle, the interface will loop indefinitely. Make sure it handles fatal signals, so the user can kill the process and hence break out of the infinite loop. Fixes: c265ae7 ("io_uring: introduce io_uring querying") Reported-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Pavel Begunkov <asml.silence@gmail.com> Signed-off-by: Jens Axboe <axboe@kernel.dk>
diff --git a/io_uring/query.c b/io_uring/query.c
@@ -88,6 +88,10 @@ int io_query(struct io_ring_ctx *ctx, void __user *arg, unsigned nr_args)
 		if (ret)
 			return ret;
 		uhdr = u64_to_user_ptr(next_hdr);
+
+		if (fatal_signal_pending(current))
+			return -EINTR;
+		cond_resched();
 	}
 	return 0;
 }

Original file line number	Diff line number	Diff line change
`@@ -88,6 +88,10 @@ int io_query(struct io_ring_ctx ctx, void __user arg, unsigned nr_args)`
`88`	`88`	`if (ret)`
`89`	`89`	`return ret;`
`90`	`90`	`uhdr = u64_to_user_ptr(next_hdr);`
	`91`	`+`
	`92`	`+ if (fatal_signal_pending(current))`
	`93`	`+ return -EINTR;`
	`94`	`+ cond_resched();`
`91`	`95`	`}`
`92`	`96`	`return 0;`
`93`	`97`	`}`