public inbox for [email protected]
 help / color / mirror / Atom feed
From: Jens Axboe <[email protected]>
To: Pavel Begunkov <[email protected]>, [email protected]
Subject: Re: [PATCH] io_uring: Fix LINK_TIMEOUT checks
Date: Thu, 14 Nov 2019 19:36:08 -0700	[thread overview]
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>

On 11/14/19 5:12 PM, Jens Axboe wrote:
> On 11/14/19 2:25 PM, Jens Axboe wrote:
>> On 11/14/19 2:20 PM, Pavel Begunkov wrote:
>>> If IORING_OP_LINK_TIMEOUT request is a head of a link or an individual
>>> request, pass it further through the submission path, where it will
>>> eventually fail in __io_submit_sqe(). So respecting links and drains.
>>>
>>> The case, which is really need to be checked, is if a
>>> IORING_OP_LINK_TIMEOUT request is 3rd or later in a link, that is
>>> invalid from the user API perspective (judging by the code). Moreover,
>>> put/free and friends will try to io_link_cancel_timeout() such request,
>>> even though it wasn't initialised.
>>
>> Care to add a test case for these to liburings test/link-timeout.c?
> 
> Wrote some test cases, I think that io_req_link_next() is just wrong.
> The below should correct it. We shouldn't loop here at all, just find
> the first one. That'll start that guy, sequence will continue, etc.

Well that was crap, I sent an earlier unfinished version. Here's the
right one:


diff --git a/fs/io_uring.c b/fs/io_uring.c
index 5ad652fa24b8..31adee55e153 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -858,30 +858,26 @@ static void io_req_link_next(struct io_kiocb *req, struct io_kiocb **nxtptr)
 	 * safe side.
 	 */
 	nxt = list_first_entry_or_null(&req->link_list, struct io_kiocb, list);
-	while (nxt) {
+	if (nxt) {
 		list_del_init(&nxt->list);
 		if (!list_empty(&req->link_list)) {
 			INIT_LIST_HEAD(&nxt->link_list);
 			list_splice(&req->link_list, &nxt->link_list);
 			nxt->flags |= REQ_F_LINK;
+		} else if (req->flags & REQ_F_LINK_TIMEOUT) {
+			wake_ev = io_link_cancel_timeout(nxt);
+			nxt = NULL;
 		}
 
 		/*
 		 * If we're in async work, we can continue processing the chain
 		 * in this context instead of having to queue up new async work.
 		 */
-		if (req->flags & REQ_F_LINK_TIMEOUT) {
-			wake_ev = io_link_cancel_timeout(nxt);
-
-			/* we dropped this link, get next */
-			nxt = list_first_entry_or_null(&req->link_list,
-							struct io_kiocb, list);
-		} else if (nxtptr && io_wq_current_is_worker()) {
-			*nxtptr = nxt;
-			break;
-		} else {
-			io_queue_async_work(nxt);
-			break;
+		if (nxt) {
+			if (nxtptr && io_wq_current_is_worker())
+				*nxtptr = nxt;
+			else
+				io_queue_async_work(nxt);
 		}
 	}
 
@@ -2465,7 +2461,7 @@ static int io_async_cancel(struct io_kiocb *req, const struct io_uring_sqe *sqe,
 	    sqe->cancel_flags)
 		return -EINVAL;
 
-	io_async_find_and_cancel(ctx, req, READ_ONCE(sqe->addr), NULL);
+	io_async_find_and_cancel(ctx, req, READ_ONCE(sqe->addr), nxt);
 	return 0;
 }
 
@@ -2741,10 +2737,12 @@ static enum hrtimer_restart io_link_timeout_fn(struct hrtimer *timer)
 	 */
 	if (!list_empty(&req->list)) {
 		prev = list_entry(req->list.prev, struct io_kiocb, link_list);
-		if (refcount_inc_not_zero(&prev->refs))
+		if (refcount_inc_not_zero(&prev->refs)) {
+			prev->flags &= ~REQ_F_LINK_TIMEOUT;
 			list_del_init(&req->list);
-		else
+		} else {
 			prev = NULL;
+		}
 	}
 
 	spin_unlock_irqrestore(&ctx->completion_lock, flags);

-- 
Jens Axboe


  reply	other threads:[~2019-11-15  2:36 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-11-14 21:20 [PATCH] io_uring: Fix LINK_TIMEOUT checks Pavel Begunkov
2019-11-14 21:25 ` Jens Axboe
2019-11-14 21:31   ` Pavel Begunkov
2019-11-15  0:12   ` Jens Axboe
2019-11-15  2:36     ` Jens Axboe [this message]
2019-11-15  3:22       ` Jens Axboe

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    [email protected] \
    [email protected] \
    [email protected] \
    [email protected] \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox