This is a note to let you know that I've just added the patch titled io_uring: annotate offset timeout races to the 6.1-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: io_uring-annotate-offset-timeout-races.patch and it can be found in the queue-6.1 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 5498bf28d8f2bd63a46ad40f4427518615fb793f Mon Sep 17 00:00:00 2001 From: Pavel Begunkov <asml.silence@xxxxxxxxx> Date: Fri, 19 May 2023 15:21:16 +0100 Subject: io_uring: annotate offset timeout races From: Pavel Begunkov <asml.silence@xxxxxxxxx> commit 5498bf28d8f2bd63a46ad40f4427518615fb793f upstream. It's racy to read ->cached_cq_tail without taking proper measures (usually grabbing ->completion_lock) as timeout requests with CQE offsets do, however they have never had a good semantics for from when they start counting. Annotate racy reads with data_race(). Reported-by: syzbot+cb265db2f3f3468ef436@xxxxxxxxxxxxxxxxxxxxxxxxx Signed-off-by: Pavel Begunkov <asml.silence@xxxxxxxxx> Link: https://lore.kernel.org/r/4de3685e185832a92a572df2be2c735d2e21a83d.1684506056.git.asml.silence@xxxxxxxxx Signed-off-by: Jens Axboe <axboe@xxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- io_uring/timeout.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/io_uring/timeout.c +++ b/io_uring/timeout.c @@ -545,7 +545,7 @@ int io_timeout(struct io_kiocb *req, uns goto add; } - tail = ctx->cached_cq_tail - atomic_read(&ctx->cq_timeouts); + tail = data_race(ctx->cached_cq_tail) - atomic_read(&ctx->cq_timeouts); timeout->target_seq = tail + off; /* Update the last seq here in case io_flush_timeouts() hasn't. Patches currently in stable-queue which might be from asml.silence@xxxxxxxxx are queue-6.1/io_uring-annotate-offset-timeout-races.patch