* [PATCH v2 0/2] fix failing request submission
@ 2021-08-31 13:13 Pavel Begunkov
2021-08-31 13:13 ` [PATCH v2 1/2] io_uring: fix queueing half-created requests Pavel Begunkov
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Pavel Begunkov @ 2021-08-31 13:13 UTC (permalink / raw)
To: Jens Axboe, io-uring; +Cc: Hao Xu
Fix small problems with new link fail logic
v2: set REQ_F_LINK after clearing HARDLINK, leaking reqs otherwise (Hao)
Pavel Begunkov (2):
io_uring: fix queueing half-created requests
io_uring: don't submit half-prepared drain request
fs/io_uring.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
--
2.33.0
^ permalink raw reply [flat|nested] 4+ messages in thread* [PATCH v2 1/2] io_uring: fix queueing half-created requests 2021-08-31 13:13 [PATCH v2 0/2] fix failing request submission Pavel Begunkov @ 2021-08-31 13:13 ` Pavel Begunkov 2021-08-31 13:13 ` [PATCH v2 2/2] io_uring: don't submit half-prepared drain request Pavel Begunkov 2021-08-31 16:57 ` [PATCH v2 0/2] fix failing request submission Jens Axboe 2 siblings, 0 replies; 4+ messages in thread From: Pavel Begunkov @ 2021-08-31 13:13 UTC (permalink / raw) To: Jens Axboe, io-uring; +Cc: Hao Xu, syzbot+f9704d1878e290eddf73 [ 27.259845] general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI [ 27.261043] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] [ 27.263730] RIP: 0010:sock_from_file+0x20/0x90 [ 27.272444] Call Trace: [ 27.272736] io_sendmsg+0x98/0x600 [ 27.279216] io_issue_sqe+0x498/0x68d0 [ 27.281142] __io_queue_sqe+0xab/0xb50 [ 27.285830] io_req_task_submit+0xbf/0x1b0 [ 27.286306] tctx_task_work+0x178/0xad0 [ 27.288211] task_work_run+0xe2/0x190 [ 27.288571] exit_to_user_mode_prepare+0x1a1/0x1b0 [ 27.289041] syscall_exit_to_user_mode+0x19/0x50 [ 27.289521] do_syscall_64+0x48/0x90 [ 27.289871] entry_SYSCALL_64_after_hwframe+0x44/0xae io_req_complete_failed() -> io_req_complete_post() -> io_req_task_queue() still would try to enqueue hard linked request, which can be half prepared (e.g. failed init), so we can't allow that to happen. Fixes: a8295b982c46d ("io_uring: fix failed linkchain code logic") Reported-by: [email protected] Signed-off-by: Pavel Begunkov <[email protected]> --- fs/io_uring.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/fs/io_uring.c b/fs/io_uring.c index 473a977c7979..6e07456d9842 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -1823,6 +1823,17 @@ static void io_req_complete_failed(struct io_kiocb *req, long res) io_req_complete_post(req, res, 0); } +static void io_req_complete_fail_submit(struct io_kiocb *req) +{ + /* + * We don't submit, fail them all, for that replace hardlinks with + * normal links. Extra REQ_F_LINK is tolerated. + */ + req->flags &= ~REQ_F_HARDLINK; + req->flags |= REQ_F_LINK; + io_req_complete_failed(req, req->result); +} + /* * Don't initialise the fields below on every allocation, but do that in * advance and keep them valid across allocations. @@ -6717,7 +6728,7 @@ static inline void io_queue_sqe(struct io_kiocb *req) if (likely(!(req->flags & (REQ_F_FORCE_ASYNC | REQ_F_FAIL)))) { __io_queue_sqe(req); } else if (req->flags & REQ_F_FAIL) { - io_req_complete_failed(req, req->result); + io_req_complete_fail_submit(req); } else { int ret = io_req_prep_async(req); -- 2.33.0 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH v2 2/2] io_uring: don't submit half-prepared drain request 2021-08-31 13:13 [PATCH v2 0/2] fix failing request submission Pavel Begunkov 2021-08-31 13:13 ` [PATCH v2 1/2] io_uring: fix queueing half-created requests Pavel Begunkov @ 2021-08-31 13:13 ` Pavel Begunkov 2021-08-31 16:57 ` [PATCH v2 0/2] fix failing request submission Jens Axboe 2 siblings, 0 replies; 4+ messages in thread From: Pavel Begunkov @ 2021-08-31 13:13 UTC (permalink / raw) To: Jens Axboe, io-uring; +Cc: Hao Xu [ 3784.910888] BUG: kernel NULL pointer dereference, address: 0000000000000020 [ 3784.910904] RIP: 0010:__io_file_supports_nowait+0x5/0xc0 [ 3784.910926] Call Trace: [ 3784.910928] ? io_read+0x17c/0x480 [ 3784.910945] io_issue_sqe+0xcb/0x1840 [ 3784.910953] __io_queue_sqe+0x44/0x300 [ 3784.910959] io_req_task_submit+0x27/0x70 [ 3784.910962] tctx_task_work+0xeb/0x1d0 [ 3784.910966] task_work_run+0x61/0xa0 [ 3784.910968] io_run_task_work_sig+0x53/0xa0 [ 3784.910975] __x64_sys_io_uring_enter+0x22/0x30 [ 3784.910977] do_syscall_64+0x3d/0x90 [ 3784.910981] entry_SYSCALL_64_after_hwframe+0x44/0xae io_drain_req() goes before checks for REQ_F_FAIL, which protect us from submitting under-prepared request (e.g. failed in io_init_req(). Fail such drained requests as well. Fixes: a8295b982c46d ("io_uring: fix failed linkchain code logic") Signed-off-by: Pavel Begunkov <[email protected]> --- fs/io_uring.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/fs/io_uring.c b/fs/io_uring.c index 6e07456d9842..2514adced460 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -6232,6 +6232,11 @@ static bool io_drain_req(struct io_kiocb *req) int ret; u32 seq; + if (req->flags & REQ_F_FAIL) { + io_req_complete_fail_submit(req); + return true; + } + /* * If we need to drain a request in the middle of a link, drain the * head request and the next request/link after the current link. -- 2.33.0 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH v2 0/2] fix failing request submission 2021-08-31 13:13 [PATCH v2 0/2] fix failing request submission Pavel Begunkov 2021-08-31 13:13 ` [PATCH v2 1/2] io_uring: fix queueing half-created requests Pavel Begunkov 2021-08-31 13:13 ` [PATCH v2 2/2] io_uring: don't submit half-prepared drain request Pavel Begunkov @ 2021-08-31 16:57 ` Jens Axboe 2 siblings, 0 replies; 4+ messages in thread From: Jens Axboe @ 2021-08-31 16:57 UTC (permalink / raw) To: Pavel Begunkov, io-uring; +Cc: Hao Xu On 8/31/21 7:13 AM, Pavel Begunkov wrote: > Fix small problems with new link fail logic > > v2: set REQ_F_LINK after clearing HARDLINK, leaking reqs otherwise (Hao) > > Pavel Begunkov (2): > io_uring: fix queueing half-created requests > io_uring: don't submit half-prepared drain request > > fs/io_uring.c | 18 +++++++++++++++++- > 1 file changed, 17 insertions(+), 1 deletion(-) Applied, thanks. -- Jens Axboe ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-08-31 16:57 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2021-08-31 13:13 [PATCH v2 0/2] fix failing request submission Pavel Begunkov 2021-08-31 13:13 ` [PATCH v2 1/2] io_uring: fix queueing half-created requests Pavel Begunkov 2021-08-31 13:13 ` [PATCH v2 2/2] io_uring: don't submit half-prepared drain request Pavel Begunkov 2021-08-31 16:57 ` [PATCH v2 0/2] fix failing request submission Jens Axboe
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox