From: Pavel Begunkov <[email protected]>
To: Jens Axboe <[email protected]>, [email protected]
Cc: [email protected]
Subject: Re: [PATCH 5.11] io_uring: fix files cancellation
Date: Wed, 25 Nov 2020 02:28:29 +0000 [thread overview]
Message-ID: <[email protected]> (raw)
In-Reply-To: <5c8308053ac64d0fc7df3610b4b05ac4ba1c6d2b.1606270482.git.asml.silence@gmail.com>
On 25/11/2020 02:19, Pavel Begunkov wrote:
> io_uring_cancel_files()'s task check condition mistakenly got flipped.
>
> 1. There can't be a request in the inflight list without
> IO_WQ_WORK_FILES, kill this check to keep the whole condition simpler.
> 2. Also, don't call the function for files==NULL to not do such a check,
> all that staff is already handled well by its counter part,
> __io_uring_cancel_task_requests().
>
> With that just flip the task check.
>
> Also, it iowq-cancels all request of current task there, don't forget to
> set right ->files into struct io_task_cancel.>
> Reported-by: [email protected]
So, I screwed it just recently and for-5.11. Thanks to syzkaller for
catching this early.
Just to notice that the reproducer segfaults for me, so I haven't really
reproduced it and needs "syz test" to confirm
> Fixes: c1973b38bf639 ("io_uring: cancel only requests of current task")
> Signed-off-by: Pavel Begunkov <[email protected]>
> ---
> fs/io_uring.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/fs/io_uring.c b/fs/io_uring.c
> index 7c1f255807f5..f11dc25d975c 100644
> --- a/fs/io_uring.c
> +++ b/fs/io_uring.c
> @@ -8725,15 +8725,14 @@ static void io_uring_cancel_files(struct io_ring_ctx *ctx,
> struct files_struct *files)
> {
> while (!list_empty_careful(&ctx->inflight_list)) {
> - struct io_task_cancel cancel = { .task = task, .files = NULL, };
> + struct io_task_cancel cancel = { .task = task, .files = files };
> struct io_kiocb *req;
> DEFINE_WAIT(wait);
> bool found = false;
>
> spin_lock_irq(&ctx->inflight_lock);
> list_for_each_entry(req, &ctx->inflight_list, inflight_entry) {
> - if (req->task == task &&
> - (req->work.flags & IO_WQ_WORK_FILES) &&
> + if (req->task != task ||
> req->work.identity->files != files)
> continue;
> found = true;
> @@ -8805,10 +8804,11 @@ static void io_uring_cancel_task_requests(struct io_ring_ctx *ctx,
>
> io_cancel_defer_files(ctx, task, files);
> io_cqring_overflow_flush(ctx, true, task, files);
> - io_uring_cancel_files(ctx, task, files);
>
> if (!files)
> __io_uring_cancel_task_requests(ctx, task);
> + else
> + io_uring_cancel_files(ctx, task, files);
>
> if ((ctx->flags & IORING_SETUP_SQPOLL) && ctx->sq_data) {
> atomic_dec(&task->io_uring->in_idle);
>
--
Pavel Begunkov
next prev parent reply other threads:[~2020-11-25 2:31 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-25 2:19 [PATCH 5.11] io_uring: fix files cancellation Pavel Begunkov
2020-11-25 2:28 ` Pavel Begunkov [this message]
2020-11-25 18:11 ` Jens Axboe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
[email protected] \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox