io_uring: use WRITE_ONCE for user shared memory

[ Upstream commit 93e197e524b14d185d011813b72773a1a49d932d ]

IORING_SETUP_NO_MMAP rings remain user accessible even before the ctx
setup is finalised, so use WRITE_ONCE consistently when initialising
rings.

Fixes: 03d89a2de25bb ("io_uring: support for user allocated memory for rings/sqes")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 02339b74ba8d4e86b43638123444ca2bb5e58331..765abec2571f03b45deef33c27750c8d0ca5a817 100644 (file)
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -3623,10 +3623,6 @@ static __cold int io_allocate_scq_urings(struct io_ring_ctx *ctx,
 
        if (!(ctx->flags & IORING_SETUP_NO_SQARRAY))
                ctx->sq_array = (u32 *)((char *)rings + sq_array_offset);
-       rings->sq_ring_mask = p->sq_entries - 1;
-       rings->cq_ring_mask = p->cq_entries - 1;
-       rings->sq_ring_entries = p->sq_entries;
-       rings->cq_ring_entries = p->cq_entries;
 
        if (p->flags & IORING_SETUP_SQE128)
                size = array_size(2 * sizeof(struct io_uring_sqe), p->sq_entries);
@@ -3649,6 +3645,12 @@ static __cold int io_allocate_scq_urings(struct io_ring_ctx *ctx,
                return ret;
        }
        ctx->sq_sqes = io_region_get_ptr(&ctx->sq_region);
+
+       memset(rings, 0, sizeof(*rings));
+       WRITE_ONCE(rings->sq_ring_mask, ctx->sq_entries - 1);
+       WRITE_ONCE(rings->cq_ring_mask, ctx->cq_entries - 1);
+       WRITE_ONCE(rings->sq_ring_entries, ctx->sq_entries);
+       WRITE_ONCE(rings->cq_ring_entries, ctx->cq_entries);
        return 0;
 }