io_uring: Fix race for sqes with userspace

io_ring_submit() finalises with
1. io_commit_sqring(), which releases sqes to the userspace
2. Then calls to io_queue_link_head(), accessing released head's sqe

Reorder them.

Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

1 files changed, 2 insertions, 1 deletions

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 949c82a40d16..32f6598ecae9 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -2795,13 +2795,14 @@ out:
 		submit++;
 		io_submit_sqe(ctx, &s, statep, &link);
 	}
-	io_commit_sqring(ctx);
 
 	if (link)
 		io_queue_link_head(ctx, link, &link->submit, shadow_req);
 	if (statep)
 		io_submit_state_end(statep);
 
+	io_commit_sqring(ctx);
+
 	return submit;
 }