On 13/03/2020 22:29, Pavel Begunkov wrote:
> Processing links, io_submit_sqe() prepares requests, drops sqes, and
> passes them with sqe=NULL to io_queue_sqe(). There IOSQE_DRAIN and/or
> IOSQE_ASYNC requests will go through the same prep, which doesn't expect
> sqe=NULL and fail with NULL pointer deference.
> 
> Always do full prepare including io_alloc_async_ctx() for linked
> requests, and then it can skip the second preparation.

BTW, linked_timeout test fails for a good reason. The test passes NULL buffer to
writev and expects it to -EFAULT in io_req_defer_prep(). However,
io_submit_sqe() catches this case (see head of a link case), sets
REQ_F_FAIL_LINK and allows it to fail with -ECANCELED in io_queue_link_head().


> Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
> ---
>  fs/io_uring.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/fs/io_uring.c b/fs/io_uring.c
> index 55afae6f0cf4..9d43efbec960 100644
> --- a/fs/io_uring.c
> +++ b/fs/io_uring.c
> @@ -4813,6 +4813,9 @@ static int io_req_defer_prep(struct io_kiocb *req,
>  {
>  	ssize_t ret = 0;
>  
> +	if (!sqe)
> +		return 0;
> +
>  	if (io_op_defs[req->opcode].file_table) {
>  		ret = io_grab_files(req);
>  		if (unlikely(ret))
> @@ -5655,6 +5658,11 @@ static bool io_submit_sqe(struct io_kiocb *req, const struct io_uring_sqe *sqe,
>  		if (sqe_flags & (IOSQE_IO_LINK|IOSQE_IO_HARDLINK)) {
>  			req->flags |= REQ_F_LINK;
>  			INIT_LIST_HEAD(&req->link_list);
> +
> +			if (io_alloc_async_ctx(req)) {
> +				ret = -EAGAIN;
> +				goto err_req;
> +			}
>  			ret = io_req_defer_prep(req, sqe);
>  			if (ret)
>  				req->flags |= REQ_F_FAIL_LINK;
> 

-- 
Pavel Begunkov