Commit 42b12cb5 authored Jan 20, 2026 by Jens Axboe

io_uring/timeout: annotate data race in io_flush_timeouts()



syzbot correctly reports this as a KCSAN race, as ctx->cached_cq_tail
should be read under ->uring_lock. This isn't immediately feasible in
io_flush_timeouts(), but as long as we read a stable value, that should
be good enough. If two io-wq threads compete on this value, then they
will both end up calling io_flush_timeouts() and at least one of them
will see the correct value.

Reported-by:  <syzbot+6c48db7d94402407301e@syzkaller.appspotmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

parent 8661d0b1

io_uring/timeout.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -130,7 +130,7 @@ __cold void io_flush_timeouts(struct io_ring_ctx *ctx)
		u32 seq;

		raw_spin_lock_irq(&ctx->timeout_lock);
		seq = ctx->cached_cq_tail - atomic_read(&ctx->cq_timeouts);
		seq = READ_ONCE(ctx->cached_cq_tail) - atomic_read(&ctx->cq_timeouts);

		list_for_each_entry_safe(timeout, tmp, &ctx->timeout_list, list) {
		struct io_kiocb *req = cmd_to_io_kiocb(timeout);