From: Pavel Begunkov <asml.silence@gmail.com>
Date: Fri, 19 Sep 2025 11:11:56 +0000 (+0100)
Subject: io_uring/query: prevent infinite loops
X-Git-Tag: v6.18-rc1~137^2~3
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2408d1783204920880f929a7a3087c76f5a59c13;p=thirdparty%2Fkernel%2Flinux.git

io_uring/query: prevent infinite loops

If the query chain forms a cycle, the interface will loop indefinitely.
Make sure it handles fatal signals, so the user can kill the process and
hence break out of the infinite loop.

Fixes: c265ae75f900 ("io_uring: introduce io_uring querying")
Reported-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
---

diff --git a/io_uring/query.c b/io_uring/query.c
index 9eed0f371956a..c2183daf5a468 100644
--- a/io_uring/query.c
+++ b/io_uring/query.c
@@ -88,6 +88,10 @@ int io_query(struct io_ring_ctx *ctx, void __user *arg, unsigned nr_args)
 		if (ret)
 			return ret;
 		uhdr = u64_to_user_ptr(next_hdr);
+
+		if (fatal_signal_pending(current))
+			return -EINTR;
+		cond_resched();
 	}
 	return 0;
 }