io_uring: used cached copies of sq->dropped and cq->overflow

commit 498ccd9eda49117c34e0041563d0da6ac40e52b8 upstream. We currently use the ring values directly, but that can lead to issues if the application is malicious and changes these values on our behalf. Created in-kernel cached versions of them, and just overwrite the user side when we update them. This is similar to how we treat the sq/cq ring tail/head updates. Reported-by: N Pavel Begunkov <asml.silence@gmail.com> Reviewed-by: N Pavel Begunkov <asml.silence@gmail.com> Signed-off-by: N Jens Axboe <axboe@kernel.dk> Signed-off-by: N Joseph Qi <joseph.qi@linux.alibaba.com> Reviewed-by: N Xiaoguang Wang <xiaoguang.wang@linux.alibaba.com>

io_uring: used cached copies of sq->dropped and cq->overflow
commit 498ccd9eda49117c34e0041563d0da6ac40e52b8 upstream. We currently use the ring values directly, but that can lead to issues if the application is malicious and changes these values on our behalf. Created in-kernel cached versions of them, and just overwrite the user side when we update them. This is similar to how we treat the sq/cq ring tail/head updates. Reported-by: N Pavel Begunkov <asml.silence@gmail.com> Reviewed-by: N Pavel Begunkov <asml.silence@gmail.com> Signed-off-by: N Jens Axboe <axboe@kernel.dk> Signed-off-by: N Joseph Qi <joseph.qi@linux.alibaba.com> Reviewed-by: N Xiaoguang Wang <xiaoguang.wang@linux.alibaba.com>
f49db8bd · Jens Axboe · Shile Zhang · b324b063 · f49db8bd
隐藏空白更改
内联并排

Showing with 8 addition and 5 deletion

fs/io_uring.c fs/io_uring.c +8 -5

未找到文件。
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -197,6 +197,7 @@ struct io_ring_ctx {
 		unsigned		sq_entries;
 		unsigned		sq_mask;
 		unsigned		sq_thread_idle;
+		unsigned		cached_sq_dropped;
 		struct io_uring_sqe	*sq_sqes;

 		struct list_head	defer_list;
@@ -212,6 +213,7 @@ struct io_ring_ctx {

 	struct {
 		unsigned		cached_cq_tail;
+		atomic_t		cached_cq_overflow;
 		unsigned		cq_entries;
 		unsigned		cq_mask;
 		struct wait_queue_head	cq_wait;
@@ -419,7 +421,8 @@ static struct io_ring_ctx *io_ring_ctx_alloc(struct io_uring_params *p)
 static inline bool __io_sequence_defer(struct io_ring_ctx *ctx,
 				       struct io_kiocb *req)
 {
-	return req->sequence != ctx->cached_cq_tail + ctx->rings->sq_dropped;
+	return req->sequence != ctx->cached_cq_tail + ctx->cached_sq_dropped
+					+ atomic_read(&ctx->cached_cq_overflow);
 }

 static inline bool io_sequence_defer(struct io_ring_ctx *ctx,
@@ -566,9 +569,8 @@ static void io_cqring_fill_event(struct io_ring_ctx *ctx, u64 ki_user_data,
 		WRITE_ONCE(cqe->res, res);
 		WRITE_ONCE(cqe->flags, 0);
 	} else {
-		unsigned overflow = READ_ONCE(ctx->rings->cq_overflow);
-
-		WRITE_ONCE(ctx->rings->cq_overflow, overflow + 1);
+		WRITE_ONCE(ctx->rings->cq_overflow,
+				atomic_inc_return(&ctx->cached_cq_overflow));
 	}
 }

@@ -2563,7 +2565,8 @@ static bool io_get_sqring(struct io_ring_ctx *ctx, struct sqe_submit *s)

 	/* drop invalid entries */
 	ctx->cached_sq_head++;
-	rings->sq_dropped++;
+	ctx->cached_sq_dropped++;
+	WRITE_ONCE(rings->sq_dropped, ctx->cached_sq_dropped);
 	return false;
 }