{"id":2215658,"url":"http://patchwork.ozlabs.org/api/patches/2215658/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20260325013743.429342-2-tim.whisonant@canonical.com/","project":{"id":15,"url":"http://patchwork.ozlabs.org/api/projects/15/?format=json","name":"Ubuntu Kernel","link_name":"ubuntu-kernel","list_id":"kernel-team.lists.ubuntu.com","list_email":"kernel-team@lists.ubuntu.com","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260325013743.429342-2-tim.whisonant@canonical.com>","list_archive_url":null,"date":"2026-03-25T01:37:34","name":"[SRU,J,1/1] io_uring: check if we need to reschedule during overflow flush","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"732bb4e12f9b872cbbb5e18080bad4b2e8d28836","submitter":{"id":89903,"url":"http://patchwork.ozlabs.org/api/people/89903/?format=json","name":"Tim Whisonant","email":"tim.whisonant@canonical.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20260325013743.429342-2-tim.whisonant@canonical.com/mbox/","series":[{"id":497372,"url":"http://patchwork.ozlabs.org/api/series/497372/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=497372","date":"2026-03-25T01:37:33","name":"CVE-2024-50060","version":1,"mbox":"http://patchwork.ozlabs.org/series/497372/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2215658/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2215658/checks/","tags":{},"related":[],"headers":{"Return-Path":"","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (4096-bit key;\n unprotected) header.d=canonical.com header.i=@canonical.com\n header.a=rsa-sha256 header.s=20251003 header.b=PbgZsgNZ;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fgV0W0sVmz1yG1\n\tfor ; Wed, 25 Mar 2026 12:38:03 +1100 (AEDT)","from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp (Exim 4.86_2)\n\t(envelope-from )\n\tid 1w5DBz-0000W5-10; Wed, 25 Mar 2026 01:37:55 +0000","from smtp-relay-internal-0.internal ([10.131.114.225]\n helo=smtp-relay-internal-0.canonical.com)\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from )\n id 1w5DBx-0000Vl-Kv\n for kernel-team@lists.ubuntu.com; Wed, 25 Mar 2026 01:37:53 +0000","from mail-yw1-f199.google.com (mail-yw1-f199.google.com\n [209.85.128.199])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id 7A86B3F293\n for ; Wed, 25 Mar 2026 01:37:53 +0000 (UTC)","by mail-yw1-f199.google.com with SMTP id\n 00721157ae682-79895ffb315so109935697b3.2\n for ; Tue, 24 Mar 2026 18:37:53 -0700 (PDT)","from localhost (104-6-108-11.lightspeed.frokca.sbcglobal.net.\n [104.6.108.11]) by smtp.gmail.com with ESMTPSA id\n 00721157ae682-79a905a2eb5sm80989077b3.42.2026.03.24.18.37.50\n for \n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Tue, 24 Mar 2026 18:37:50 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;\n s=20251003; t=1774402673;\n bh=DJbcgl9uVnGVfyrJ+4wuoWjhjKzERJv15qcK1yV9Dus=;\n h=From:To:Subject:Date:Message-ID:In-Reply-To:References:\n MIME-Version;\n b=PbgZsgNZLAqECofAU8ANFf3R7HAWGyN7/2MqfQp4Q/y1segAdVfog8AersBFmB2zT\n XZ32IIj2YGsSQPniuPtS9ZcenVuZPH0FvOgncQabiVPYSy+B9NlXbtPQ7pldP9bc3m\n /UbmGznLtrDI7v/53ANp8lzUnO7KQ1qKB3spFk1X9ne7Y/bah0EXRHPiJLriJhfXYb\n 0EsAAkuW49ppZM/0eeI1Bat9E+Yn0HfuKGt1Iv1rAPbpT3pvQ+M5TmPDKTZsWXtZP8\n ALDGRQiFsRpQzfjBN7HrutPPgRROAoVMd1UtkvEWDxKEx7mMdZxJ1tEiobmhuM+Y5e\n Nth9xySoP79FvFTDZvsLoCtL7ye2qdsd/sGzNjI/PvdgSJHp+cQcMueJXEozL/DI2q\n AOBhYXRSU2UoG2WeWgxIdmdWmRXI9qCHmWtBtkko2PTKXH+qzyavRup+jbDyJRBuoZ\n r/zLXomrcRhh3KxjZ4UKSNA76yh+QczoisZ/Q6ceof9HeO6Mc5bhD43g7gC32wQwJp\n ZvWzzU6DHM0x0QOjMtGYhXx82vVYIPnLp6djmfmd15BD/VOudHqQUXJIyY13HqNnLi\n YTE6hUt7DI+foR0US1NHfCyAOq1QSqeiWvoCq2EEXX6ZcFKgshDvypJBKxWXJ4EbHU\n DnZLEpR7BxsNonLwHBZUmdj4=","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1774402672; x=1775007472;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to\n :cc:subject:date:message-id:reply-to;\n bh=DJbcgl9uVnGVfyrJ+4wuoWjhjKzERJv15qcK1yV9Dus=;\n b=f46VaK2PThwI+Ar/IzhLPBCAf5SBlEsJyff9295FeF9ilFHUP2ZSnRFyfs7B4wX8T1\n vY9e3jZsgQ7l84zcY5cY7ys/qymKaHGjOkx5Rx9QVqOP7Mt8jtyTJgSwmFfUH4pL7Zwh\n bxE/AO3Th04Wz8Zmai+sN6MQvOwGEwrhK3/G9AIh0cq/ONiKqBADkVQLJwQkEHLI7YnI\n p+c1OMzUTu7ghVroeSBtBJq5hRb7gmPRyQKUflqvSoyd+BEhXwSf2jMPv/nR3q8wrkCu\n iuyUMvti2FAwe1MmyRGfG0YjaXE+tF+BiQ/yfMnB2HLr3qk8RvnJ6HT3r+RghbVXM6bl\n Vb6g==","X-Gm-Message-State":"AOJu0YwmTkPe22x58uW362EyH13lfmG0mEDRUABodQjZDFq0U694mKfK\n kHtbIOrnTUCUrvkdCgu2URkKE1WUcBS98qOfDLL1JQSq5OX2qIpTgEhErM31oW5G0MAUJGMllgI\n 0ihy36cMmS1pM9brxOYVyAdRaZH38Phd5XSV3y092e/SxXxX7c5fFGTciZnePQdQTDga5dIDKhy\n UehOU1s1Qg07FK1A==","X-Gm-Gg":"ATEYQzw1NlUl8b2fTSPYsi9QRYFAwT6xXXdKle+EKsvchmVgm0/NBgR1Qh8g6NfwbkE\n 9mzb3ViJWhThm+rUqHMvchLH9Luhgj9eQpOZTY5htaYOsPZkdJPK14ktqyGwDMBugrHvEs0JLbs\n U+u021AT+OgTDRLRe4RadtCN0n8slDOnvKOOB7wTtCsw4bWAJGF1CtwipQGk/o3H8f/W6Op3PSK\n KQxOl6Zf+VqpEjNd+bxbHQS/Cv6Yq+QgSLxDKY0rYRjh9MITMKklFeNvmMG4CFVv+5zlkUfPdhX\n Yh3dwhYfi1qkkMcaFIIUvnG5D+OqND0pUpv+if0Jy2Ub7nIn0Xmu6Q3ODwaqfCfb/XMdCGoOm7U\n EzIztirI5v9GKfL2OPlqynwifNVGz4XqURqCzHQfnN3//4ZFrhwQCO5PTp8tj+IgjRg/sicjVxP\n lBhQ==","X-Received":["by 2002:a05:690c:60c1:b0:79a:7cf4:1a47 with SMTP id\n 00721157ae682-79acf6ac43amr19516667b3.42.1774402671798;\n Tue, 24 Mar 2026 18:37:51 -0700 (PDT)","by 2002:a05:690c:60c1:b0:79a:7cf4:1a47 with SMTP id\n 00721157ae682-79acf6ac43amr19516457b3.42.1774402671420;\n Tue, 24 Mar 2026 18:37:51 -0700 (PDT)"],"From":"Tim Whisonant ","To":"kernel-team@lists.ubuntu.com","Subject":"[SRU][J][PATCH 1/1] io_uring: check if we need to reschedule during\n overflow flush","Date":"Tue, 24 Mar 2026 18:37:34 -0700","Message-ID":"<20260325013743.429342-2-tim.whisonant@canonical.com>","X-Mailer":"git-send-email 2.43.0","In-Reply-To":"<20260325013743.429342-1-tim.whisonant@canonical.com>","References":"<20260325013743.429342-1-tim.whisonant@canonical.com>","MIME-Version":"1.0","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" "},"content":"From: Jens Axboe \n\nIn terms of normal application usage, this list will always be empty.\nAnd if an application does overflow a bit, it'll have a few entries.\nHowever, nothing obviously prevents syzbot from running a test case\nthat generates a ton of overflow entries, and then flushing them can\ntake quite a while.\n\nCheck for needing to reschedule while flushing, and drop our locks and\ndo so if necessary. There's no state to maintain here as overflows\nalways prune from head-of-list, hence it's fine to drop and reacquire\nthe locks at the end of the loop.\n\nLink: https://lore.kernel.org/io-uring/66ed061d.050a0220.29194.0053.GAE@google.com/\nReported-by: syzbot+5fca234bd7eb378ff78e@syzkaller.appspotmail.com\nSigned-off-by: Jens Axboe \n(backported from commit eac2ca2d682f94f46b1973bdf5e77d85d77b8e53)\n[tswhison: context adjustment due to missing commits\n253993210bd (\"io_uring: introduce locking helpers for CQE posting\")\n6971253f078 (\"io_uring: revise completion_lock locking\")]\nCVE-2024-50060\nSigned-off-by: Tim Whisonant \n---\n io_uring/io_uring.c | 17 +++++++++++++++++\n 1 file changed, 17 insertions(+)","diff":"diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c\nindex eaed0fc05e934..9e1e5272c96d2 100644\n--- a/io_uring/io_uring.c\n+++ b/io_uring/io_uring.c\n@@ -1718,6 +1718,23 @@ static bool __io_cqring_overflow_flush(struct io_ring_ctx *ctx, bool force)\n \t\tposted = true;\n \t\tlist_del(&ocqe->list);\n \t\tkfree(ocqe);\n+\n+\t\t/*\n+\t\t * For silly syzbot cases that deliberately overflow by huge\n+\t\t * amounts, check if we need to resched and drop and\n+\t\t * reacquire the locks if so. Nothing real would ever hit this.\n+\t\t * Ideally we'd have a non-posting unlock for this, but hard\n+\t\t * to care for a non-real case.\n+\t\t */\n+\t\tif (need_resched()) {\n+\t\t\tio_commit_cqring(ctx);\n+\t\t\tspin_unlock(&ctx->completion_lock);\n+\t\t\tio_cqring_ev_posted(ctx);\n+\t\t\tmutex_unlock(&ctx->uring_lock);\n+\t\t\tcond_resched();\n+\t\t\tmutex_lock(&ctx->uring_lock);\n+\t\t\tspin_lock(&ctx->completion_lock);\n+\t\t}\n \t}\n \n \tall_flushed = list_empty(&ctx->cq_overflow_list);\n","prefixes":["SRU","J","1/1"]}