From: Jann Horn
Date: Tue, 21 Jan 2025 17:09:59 +0100
Subject: [PATCH] io_uring/uring_cmd: add missing READ_ONCE() on shared memory read
X-Mailing-List: linux-kernel@vger.kernel.org
Message-Id: <20250121-uring-sockcmd-fix-v1-1-add742802a29@google.com>
To: Jens Axboe, Pavel Begunkov
Cc: io-uring@vger.kernel.org, linux-kernel@vger.kernel.org, Jann Horn

cmd->sqe seems to point to shared memory here; so values should only be
read from it with READ_ONCE(). To ensure that the compiler won't generate
code that assumes the value in memory will stay constant, add a
READ_ONCE().
The callees io_uring_cmd_getsockopt() and io_uring_cmd_setsockopt() already
do this correctly.

Signed-off-by: Jann Horn
---
 io_uring/uring_cmd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/io_uring/uring_cmd.c b/io_uring/uring_cmd.c index fc94c465a9850d4ed9df0cd26fcd6523657a2854..f4397bd66283d5939b60e7fa0a1= 2bd7426322b9f 100644 --- a/io_uring/uring_cmd.c +++ b/io_uring/uring_cmd.c @@ -350,7 +350,7 @@ int io_uring_cmd_sock(struct io_uring_cmd *cmd, unsigne= d int issue_flags) if (!prot || !prot->ioctl) return -EOPNOTSUPP; =20 - switch (cmd->sqe->cmd_op) { + switch (READ_ONCE(cmd->sqe->cmd_op)) { case SOCKET_URING_OP_SIOCINQ: ret =3D prot->ioctl(sk, SIOCINQ, &arg); if (ret) --- base-commit: 95ec54a420b8f445e04a7ca0ea8deb72c51fe1d3 change-id: 20250121-uring-sockcmd-fix-75b73e5b9750 --=20 Jann Horn
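
Review bot: The message carries no Fixes: tag and hedges that cmd->sqe "seems to" point to shared memory, so at the changed `switch` in io_uring_cmd_sock() a reader cannot tell which kernels need this or what goes wrong without it. Please confirm whether cmd->sqe can still reference the shared ring at this point, say so plainly, and add the Fixes: line for the commit that introduced this switch. As a style point, loading the opcode into a named local once and switching on that local would keep any case added later from reading cmd->sqe->cmd_op a second time.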
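
The hazard the commit message describes, as an added user-space example that is not code from the patch or from the kernel: a value in memory that another party can rewrite is validated on one load and used on a second one. The second load is written out explicitly here and a callback stands in for the concurrent writer; the `READ_ONCE` stand-in, `shared_sqe`, the opcodes and the handler table are all hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

/* User-space stand-in for the kernel macro: exactly one load of x. */
#define READ_ONCE(x) (*(const volatile __typeof__(x) *)&(x))

enum { OP_A = 0, OP_B = 1, OP_MAX = 2 };        /* hypothetical opcodes */
struct shared_sqe { uint32_t cmd_op; };         /* memory a peer may rewrite */
typedef void (*racer_fn)(struct shared_sqe *);  /* models the concurrent writer */

void no_race(struct shared_sqe *s) { (void)s; }
void flip_to_invalid(struct shared_sqe *s) { s->cmd_op = 7; }

static const int handler_result[OP_MAX] = { 100, 200 };

/* Two loads: the value that passed the check is not the value used. */
int dispatch_two_loads(struct shared_sqe *s, racer_fn racer)
{
    if (s->cmd_op >= OP_MAX)            /* load 1: validation */
        return -1;
    racer(s);                           /* writer runs between the loads */
    uint32_t used = s->cmd_op;          /* load 2: dispatch */
    /* -2 marks "would index past the table"; no real out-of-bounds read here */
    return used < OP_MAX ? handler_result[used] : -2;
}

/* One snapshot: validation and dispatch see the same value. */
int dispatch_read_once(struct shared_sqe *s, racer_fn racer)
{
    uint32_t op = READ_ONCE(s->cmd_op);
    if (op >= OP_MAX)
        return -1;
    racer(s);                           /* later writes cannot affect op */
    return handler_result[op];
}

int main(void)
{
    struct shared_sqe a = { OP_B }, b = { OP_B };
    printf("two loads: %d\n", dispatch_two_loads(&a, flip_to_invalid));
    printf("READ_ONCE: %d\n", dispatch_read_once(&b, flip_to_invalid));
    return 0;
}
```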