io_uring: Use WRITE_ONCE() when writing to sq_flags

anadav · axboe · commit 20c0b380f971 · 2021-08-08T21:21:11.000-06:00
The compiler should be forbidden from any strange optimization for async writes to user visible data-structures. Without proper protection, the compiler can cause write-tearing or invent writes that would confuse the userspace. However, there are writes to sq_flags which are not protected by WRITE_ONCE(). Use WRITE_ONCE() for these writes. This is purely a theoretical issue. Presumably, any compiler is very unlikely to do such optimizations. Fixes: 75b28af ("io_uring: allocate the two rings together") Cc: Jens Axboe <axboe@kernel.dk> Cc: Pavel Begunkov <asml.silence@gmail.com> Signed-off-by: Nadav Amit <namit@vmware.com> Link: https://lore.kernel.org/r/20210808001342.964634-3-namit@vmware.com Signed-off-by: Jens Axboe <axboe@kernel.dk>
diff --git a/fs/io_uring.c b/fs/io_uring.c
@@ -1500,7 +1500,8 @@ static bool __io_cqring_overflow_flush(struct io_ring_ctx *ctx, bool force)
 	all_flushed = list_empty(&ctx->cq_overflow_list);
 	if (all_flushed) {
 		clear_bit(0, &ctx->check_cq_overflow);
-		ctx->rings->sq_flags &= ~IORING_SQ_CQ_OVERFLOW;
+		WRITE_ONCE(ctx->rings->sq_flags,
+			   ctx->rings->sq_flags & ~IORING_SQ_CQ_OVERFLOW);
 	}
 
 	if (posted)
@@ -1579,7 +1580,9 @@ static bool io_cqring_event_overflow(struct io_ring_ctx *ctx, u64 user_data,
 	}
 	if (list_empty(&ctx->cq_overflow_list)) {
 		set_bit(0, &ctx->check_cq_overflow);
-		ctx->rings->sq_flags |= IORING_SQ_CQ_OVERFLOW;
+		WRITE_ONCE(ctx->rings->sq_flags,
+			   ctx->rings->sq_flags | IORING_SQ_CQ_OVERFLOW);
+
 	}
 	ocqe->cqe.user_data = user_data;
 	ocqe->cqe.res = res;
@@ -6804,14 +6807,16 @@ static inline void io_ring_set_wakeup_flag(struct io_ring_ctx *ctx)
 {
 	/* Tell userspace we may need a wakeup call */
 	spin_lock_irq(&ctx->completion_lock);
-	ctx->rings->sq_flags |= IORING_SQ_NEED_WAKEUP;
+	WRITE_ONCE(ctx->rings->sq_flags,
+		   ctx->rings->sq_flags | IORING_SQ_NEED_WAKEUP);
 	spin_unlock_irq(&ctx->completion_lock);
 }
 
 static inline void io_ring_clear_wakeup_flag(struct io_ring_ctx *ctx)
 {
 	spin_lock_irq(&ctx->completion_lock);
-	ctx->rings->sq_flags &= ~IORING_SQ_NEED_WAKEUP;
+	WRITE_ONCE(ctx->rings->sq_flags,
+		   ctx->rings->sq_flags & ~IORING_SQ_NEED_WAKEUP);
 	spin_unlock_irq(&ctx->completion_lock);
 }
 

Original file line number	Diff line number	Diff line change
`@@ -1500,7 +1500,8 @@ static bool __io_cqring_overflow_flush(struct io_ring_ctx *ctx, bool force)`
`1500`	`1500`	`all_flushed = list_empty(&ctx->cq_overflow_list);`
`1501`	`1501`	`if (all_flushed) {`
`1502`	`1502`	`clear_bit(0, &ctx->check_cq_overflow);`
`1503`		`- ctx->rings->sq_flags &= ~IORING_SQ_CQ_OVERFLOW;`
	`1503`	`+ WRITE_ONCE(ctx->rings->sq_flags,`
	`1504`	`+ ctx->rings->sq_flags & ~IORING_SQ_CQ_OVERFLOW);`
`1504`	`1505`	`}`
`1505`	`1506`
`1506`	`1507`	`if (posted)`
`@@ -1579,7 +1580,9 @@ static bool io_cqring_event_overflow(struct io_ring_ctx *ctx, u64 user_data,`
`1579`	`1580`	`}`
`1580`	`1581`	`if (list_empty(&ctx->cq_overflow_list)) {`
`1581`	`1582`	`set_bit(0, &ctx->check_cq_overflow);`
`1582`		`- ctx->rings->sq_flags \|= IORING_SQ_CQ_OVERFLOW;`
	`1583`	`+ WRITE_ONCE(ctx->rings->sq_flags,`
	`1584`	`+ ctx->rings->sq_flags \| IORING_SQ_CQ_OVERFLOW);`
	`1585`	`+`
`1583`	`1586`	`}`
`1584`	`1587`	`ocqe->cqe.user_data = user_data;`
`1585`	`1588`	`ocqe->cqe.res = res;`
`@@ -6804,14 +6807,16 @@ static inline void io_ring_set_wakeup_flag(struct io_ring_ctx *ctx)`
`6804`	`6807`	`{`
`6805`	`6808`	`/* Tell userspace we may need a wakeup call */`
`6806`	`6809`	`spin_lock_irq(&ctx->completion_lock);`
`6807`		`- ctx->rings->sq_flags \|= IORING_SQ_NEED_WAKEUP;`
	`6810`	`+ WRITE_ONCE(ctx->rings->sq_flags,`
	`6811`	`+ ctx->rings->sq_flags \| IORING_SQ_NEED_WAKEUP);`
`6808`	`6812`	`spin_unlock_irq(&ctx->completion_lock);`
`6809`	`6813`	`}`
`6810`	`6814`
`6811`	`6815`	`static inline void io_ring_clear_wakeup_flag(struct io_ring_ctx *ctx)`
`6812`	`6816`	`{`
`6813`	`6817`	`spin_lock_irq(&ctx->completion_lock);`
`6814`		`- ctx->rings->sq_flags &= ~IORING_SQ_NEED_WAKEUP;`
	`6818`	`+ WRITE_ONCE(ctx->rings->sq_flags,`
	`6819`	`+ ctx->rings->sq_flags & ~IORING_SQ_NEED_WAKEUP);`
`6815`	`6820`	`spin_unlock_irq(&ctx->completion_lock);`
`6816`	`6821`	`}`
`6817`	`6822`