From: Zhengyuan Liu <liuzhengyuan@kylinos.cn>
Date: Sat, 13 Jul 2019 03:58:26 +0000 (+0800)
Subject: io_uring: fix the sequence comparison in io_sequence_defer
X-Git-Tag: v5.2.5~15
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=654da1b1f0260a3bcce6bac651a59ba52f357209;p=users%2Fdwmw2%2Flinux.git

io_uring: fix the sequence comparison in io_sequence_defer

commit dbd0f6d6c2a11eb9c31ca9cd454f95bb5713e92e upstream.

sq->cached_sq_head and cq->cached_cq_tail are both unsigned int. If
cached_sq_head overflows before cached_cq_tail, then we may miss a
barrier req. As cached_cq_tail always follows cached_sq_head, the NQ
should be enough.

Cc: stable@vger.kernel.org
Fixes: de0617e46717 ("io_uring: add support for marking commands as draining")
Signed-off-by: Zhengyuan Liu <liuzhengyuan@kylinos.cn>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/fs/io_uring.c b/fs/io_uring.c
index fef2cd44b2ac0..4a6ca35abda00 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -425,7 +425,7 @@ static inline bool io_sequence_defer(struct io_ring_ctx *ctx,
 	if ((req->flags & (REQ_F_IO_DRAIN|REQ_F_IO_DRAINED)) != REQ_F_IO_DRAIN)
 		return false;
 
-	return req->sequence > ctx->cached_cq_tail + ctx->sq_ring->dropped;
+	return req->sequence != ctx->cached_cq_tail + ctx->sq_ring->dropped;
 }
 
 static struct io_kiocb *io_get_deferred_req(struct io_ring_ctx *ctx)