From: Pavel Begunkov <[email protected]>
To: Jens Axboe <[email protected]>, [email protected]
Cc: [email protected]
Subject: [PATCH 5.15] io_uring: don't forget to clear REQ_F_ARM_LTIMEOUT
Date: Mon, 16 Aug 2021 19:16:08 +0100
Message-ID: <614f650abdd5fee97aa5a6a87028a2c47d2a6c94.1629137586.git.asml.silence@gmail.com>

Even though it should be safe to poke into req->link after
io_issue_sqe() in terms of races, it may end up retiring a request, e.g.
when someone calls io_req_complete(). It'll be placed into an internal
request cache, so the memory would be valid with other guarantees, but
the request will actually be dismantled, with linked requests removed
and enqueued.

Hence, don't forget to remove REQ_F_ARM_LTIMEOUT after a linked timeout
got disarmed, otherwise a following io_prep_linked_timeout() will expect
req->link to be non-zero and so fault.

Fixes: 19bfc9a0d26c5 ("io_uring: optimise io_prep_linked_timeout()")
Reported-by: [email protected]
Signed-off-by: Pavel Begunkov <[email protected]>
---

Not sure whether it fixes the syzbot report, but hopefully it'll
find a repro soon.

 fs/io_uring.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 17d0125c331a..29e3ec6e9dbf 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -1311,6 +1311,9 @@ static inline void io_unprep_linked_timeout(struct io_kiocb *req)
 
 static struct io_kiocb *__io_prep_linked_timeout(struct io_kiocb *req)
 {
+	if (WARN_ON_ONCE(!req->link))
+		return NULL;
+
 	req->flags &= ~REQ_F_ARM_LTIMEOUT;
 	req->flags |= REQ_F_LINK_TIMEOUT;
 
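Review bot: The new early return in __io_prep_linked_timeout() sits above `req->flags &= ~REQ_F_ARM_LTIMEOUT;`, so on the `!req->link` path the request keeps REQ_F_ARM_LTIMEOUT set and any later call lands in the same state, silently after the first time because of WARN_ON_ONCE(). Consider clearing the flag before the check, or in the guarded branch, so the request ends up consistent either way. The function can now return NULL, and the callers are not visible in this hunk, so it is worth confirming each one tolerates a NULL result. A one-line comment saying the check is defensive and that the state is not expected would also help readers tell it apart from a normal path.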
@@ -1935,6 +1938,7 @@ static bool io_disarm_next(struct io_kiocb *req)
 	if (req->flags & REQ_F_ARM_LTIMEOUT) {
 		struct io_kiocb *link = req->link;
 
+		req->flags &= ~REQ_F_ARM_LTIMEOUT;
 		if (link && link->opcode == IORING_OP_LINK_TIMEOUT) {
 			io_remove_next_linked(req);
 			io_cqring_fill_event(link->ctx, link->user_data,
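Review bot: The added `req->flags &= ~REQ_F_ARM_LTIMEOUT;` in io_disarm_next() runs before the `link && link->opcode == IORING_OP_LINK_TIMEOUT` test, so the flag is dropped even when there is no link or the link is not a linked timeout. That matches the commit message, but nothing in the code says so. A short comment stating that the flag must not outlive this point, because a later io_prep_linked_timeout() assumes a non-NULL req->link while it is set, would keep a future cleanup from moving the clear inside the inner `if`.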
-- 
2.32.0

