io_uring: fix mixed cqe overflow handling

I started to see zcrx data corruptions. That turned out to be due to CQ tail pointing to a stale entry which happened to be from a zcrx request. I.e. the tail is incremented without the CQE memory being changed. The culprit is __io_cqring_overflow_flush() passing "cqe32=true" to io_get_cqe_overflow() for non-mixed CQE32 setups, which only expects it to be set for mixed 32B CQEs and not for SETUP_CQE32. The fix is slightly hacky, long term it's better to unify mixed and CQE32 handling. Fixes: e26dca67fde19 ("io_uring: add support for IORING_SETUP_CQE_MIXED") Signed-off-by: Pavel Begunkov <asml.silence@gmail.com> Signed-off-by: Jens Axboe <axboe@kernel.dk>
author: Pavel Begunkov <asml.silence@gmail.com> 2025-11-25 12:33:06 +0000
committer: Jens Axboe <axboe@kernel.dk> 2025-11-25 07:03:45 -0700
commit: f6dc5a36195d3f5be769f60d6987150192dfb099 (patch)
tree: 805eb95eb169721771e03cfd43e7e3036d23d8b2 /io_uring
parent: f6041803a831266a2a5a5b5af66f7de0845bcbf3 (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 296667ba712c..02339b74ba8d 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -634,6 +634,8 @@ static void __io_cqring_overflow_flush(struct io_ring_ctx *ctx, bool dying)
 			is_cqe32 = true;
 			cqe_size <<= 1;
 		}
+		if (ctx->flags & IORING_SETUP_CQE32)
+			is_cqe32 = false;
 
 		if (!dying) {
 			if (!io_get_cqe_overflow(ctx, &cqe, true, is_cqe32))
author	Pavel Begunkov <asml.silence@gmail.com>	2025-11-25 12:33:06 +0000
committer	Jens Axboe <axboe@kernel.dk>	2025-11-25 07:03:45 -0700
commit	f6dc5a36195d3f5be769f60d6987150192dfb099 (patch)
tree	805eb95eb169721771e03cfd43e7e3036d23d8b2 /io_uring
parent	f6041803a831266a2a5a5b5af66f7de0845bcbf3 (diff)