io_uring/uring_cmd: use cached cmd_op in io_uring_cmd_sock()

io_uring_cmd_sock() does a normal read of cmd->sqe->cmd_op, where it
really should be using a READ_ONCE() as ->sqe may still be pointing to
the original SQE. Since the prep side already does this READ_ONCE() and
stores it locally, use that value rather than re-read it.

Fixes: 8e9fad0e70b7b ("io_uring: Add io_uring command support for sockets")
Link: https://lore.kernel.org/r/20250121-uring-sockcmd-fix-v1-1-add742802a29@google.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/io_uring/uring_cmd.c b/io_uring/uring_cmd.c
index fc94c465a9850d4ed9df0cd26fcd6523657a2854..3993c9339ac7612981b6edf4fa4b0a72abb21d59 100644 (file)
--- a/io_uring/uring_cmd.c
+++ b/io_uring/uring_cmd.c
@@ -350,7 +350,7 @@ int io_uring_cmd_sock(struct io_uring_cmd *cmd, unsigned int issue_flags)
        if (!prot || !prot->ioctl)
                return -EOPNOTSUPP;
 
-       switch (cmd->sqe->cmd_op) {
+       switch (cmd->cmd_op) {
        case SOCKET_URING_OP_SIOCINQ:
                ret = prot->ioctl(sk, SIOCINQ, &arg);
                if (ret)