Re: [PATCH] io_uring: Fix LINK_TIMEOUT checks

[Jens Axboe <axboe@kernel.dk>]

On 11/14/19 5:12 PM, Jens Axboe wrote:
> On 11/14/19 2:25 PM, Jens Axboe wrote:
>> On 11/14/19 2:20 PM, Pavel Begunkov wrote:
>>> If IORING_OP_LINK_TIMEOUT request is a head of a link or an individual
>>> request, pass it further through the submission path, where it will
>>> eventually fail in __io_submit_sqe(). So respecting links and drains.
>>>
>>> The case, which is really need to be checked, is if a
>>> IORING_OP_LINK_TIMEOUT request is 3rd or later in a link, that is
>>> invalid from the user API perspective (judging by the code). Moreover,
>>> put/free and friends will try to io_link_cancel_timeout() such request,
>>> even though it wasn't initialised.
>>
>> Care to add a test case for these to liburings test/link-timeout.c?
> 
> Wrote some test cases, I think that io_req_link_next() is just wrong.
> The below should correct it. We shouldn't loop here at all, just find
> the first one. That'll start that guy, sequence will continue, etc.

Well that was crap, I sent an earlier unfinished version. Here's the
right one:


diff --git a/fs/io_uring.c b/fs/io_uring.c
index 5ad652fa24b8..31adee55e153 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -858,30 +858,26 @@ static void io_req_link_next(struct io_kiocb *req, struct io_kiocb **nxtptr)
 	 * safe side.
 	 */
 	nxt = list_first_entry_or_null(&req->link_list, struct io_kiocb, list);
-	while (nxt) {
+	if (nxt) {
 		list_del_init(&nxt->list);
 		if (!list_empty(&req->link_list)) {
 			INIT_LIST_HEAD(&nxt->link_list);
 			list_splice(&req->link_list, &nxt->link_list);
 			nxt->flags |= REQ_F_LINK;
+		} else if (req->flags & REQ_F_LINK_TIMEOUT) {
+			wake_ev = io_link_cancel_timeout(nxt);
+			nxt = NULL;
 		}
 
 		/*
 		 * If we're in async work, we can continue processing the chain
 		 * in this context instead of having to queue up new async work.
 		 */
-		if (req->flags & REQ_F_LINK_TIMEOUT) {
-			wake_ev = io_link_cancel_timeout(nxt);
-
-			/* we dropped this link, get next */
-			nxt = list_first_entry_or_null(&req->link_list,
-							struct io_kiocb, list);
-		} else if (nxtptr && io_wq_current_is_worker()) {
-			*nxtptr = nxt;
-			break;
-		} else {
-			io_queue_async_work(nxt);
-			break;
+		if (nxt) {
+			if (nxtptr && io_wq_current_is_worker())
+				*nxtptr = nxt;
+			else
+				io_queue_async_work(nxt);
 		}
 	}
 
@@ -2465,7 +2461,7 @@ static int io_async_cancel(struct io_kiocb *req, const struct io_uring_sqe *sqe,
 	    sqe->cancel_flags)
 		return -EINVAL;
 
-	io_async_find_and_cancel(ctx, req, READ_ONCE(sqe->addr), NULL);
+	io_async_find_and_cancel(ctx, req, READ_ONCE(sqe->addr), nxt);
 	return 0;
 }
 
@@ -2741,10 +2737,12 @@ static enum hrtimer_restart io_link_timeout_fn(struct hrtimer *timer)
 	 */
 	if (!list_empty(&req->list)) {
 		prev = list_entry(req->list.prev, struct io_kiocb, link_list);
-		if (refcount_inc_not_zero(&prev->refs))
+		if (refcount_inc_not_zero(&prev->refs)) {
+			prev->flags &= ~REQ_F_LINK_TIMEOUT;
 			list_del_init(&req->list);
-		else
+		} else {
 			prev = NULL;
+		}
 	}
 
 	spin_unlock_irqrestore(&ctx->completion_lock, flags);

-- 
Jens Axboe