From: Jens Axboe <axboe@kernel.dk>
To: Pavel Begunkov <asml.silence@gmail.com>,
io-uring <io-uring@vger.kernel.org>
Cc: Caleb Sander Mateos <csander@purestorage.com>
Subject: Re: [PATCH] io_uring/uring_cmd: be smarter about SQE copying
Date: Mon, 2 Jun 2025 05:55:11 -0600 [thread overview]
Message-ID: <546c11ec-25af-4f98-b805-1cb9e672c80b@kernel.dk> (raw)
In-Reply-To: <6659c8b0-dff2-4b5c-b4bd-00a8110e8358@gmail.com>
On 6/2/25 4:24 AM, Pavel Begunkov wrote:
> On 5/31/25 21:52, Jens Axboe wrote:
>> uring_cmd currently copies the SQE unconditionally, which was introduced
> ...> /*
>> - * Unconditionally cache the SQE for now - this is only needed for
>> - * requests that go async, but prep handlers must ensure that any
>> - * sqe data is stable beyond prep. Since uring_cmd is special in
>> - * that it doesn't read in per-op data, play it safe and ensure that
>> - * any SQE data is stable beyond prep. This can later get relaxed.
>> + * Copy SQE now, if we know we're going async. Drain will set
>> + * FORCE_ASYNC, and assume links may cause it to go async. If not,
>> + * copy is deferred until issue time, if the request doesn't issue
>> + * or queue inline.
>> */
>> - memcpy(ac->sqes, sqe, uring_sqe_size(req->ctx));
>> - ioucmd->sqe = ac->sqes;
>> + ioucmd->sqe = sqe;
>> + if (req->flags & (REQ_F_FORCE_ASYNC| REQ_F_LINK | REQ_F_HARDLINK) ||
>> + ctx->submit_state.link.head)
>> + io_uring_sqe_copy(req, ioucmd);
>> +
>
> It'd be great if we can't crash the kernel (or do sth more nefarious with
> that), and I'm 95% sure it's possible. The culprit is violation of
> layering by poking into io_uring core bits that opcodes should not know
> about, the flimsiness of attempts to infer the core io_uring behaviour
> from opcode handlers, and leaving a potentially stale ->sqe pointer.
Sure, it's not a pretty solution. At all. Might be worth just having a
handler for this so that the core can call it, rather than have
uring_cmd attempt to cover all the cases here. That's the most offensive
part to me, the ->sqe pointer I'm not too worried about, in terms of
anything nefarious. If that's a problem, the the uring_cmd prep side is
borken anyway and needs fixing. Getting it wrong could obviously
reintroduce potential issues with data getting lost, however.
It's somewhat annoying to need to copy this upfront for the fairly rare
case of needing it.
--
Jens Axboe
next prev parent reply other threads:[~2025-06-02 11:55 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-31 20:52 [PATCH] io_uring/uring_cmd: be smarter about SQE copying Jens Axboe
2025-06-02 10:24 ` Pavel Begunkov
2025-06-02 11:55 ` Jens Axboe [this message]
2025-06-02 12:10 ` Pavel Begunkov
2025-06-02 13:04 ` Jens Axboe
2025-06-03 15:05 ` Caleb Sander Mateos
2025-06-03 15:11 ` Jens Axboe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=546c11ec-25af-4f98-b805-1cb9e672c80b@kernel.dk \
--to=axboe@kernel.dk \
--cc=asml.silence@gmail.com \
--cc=csander@purestorage.com \
--cc=io-uring@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox