* [PATCH v2 0/2] fix failing request submission
From: Pavel Begunkov @ 2021-08-31 13:13 UTC (permalink / raw)
  To: Jens Axboe, io-uring; +Cc: Hao Xu

Fix small problems with new link fail logic

v2: set REQ_F_LINK after clearing HARDLINK, leaking reqs otherwise (Hao)

Pavel Begunkov (2):
  io_uring: fix queueing half-created requests
  io_uring: don't submit half-prepared drain request

 fs/io_uring.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

-- 
2.33.0



* [PATCH v2 1/2] io_uring: fix queueing half-created requests
From: Pavel Begunkov @ 2021-08-31 13:13 UTC (permalink / raw)
  To: Jens Axboe, io-uring; +Cc: Hao Xu, syzbot+f9704d1878e290eddf73

[   27.259845] general protection fault, probably for non-canonical address 0xdffffc0000000005: 0000 [#1] SMP KASAN PTI
[   27.261043] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f]
[   27.263730] RIP: 0010:sock_from_file+0x20/0x90
[   27.272444] Call Trace:
[   27.272736]  io_sendmsg+0x98/0x600
[   27.279216]  io_issue_sqe+0x498/0x68d0
[   27.281142]  __io_queue_sqe+0xab/0xb50
[   27.285830]  io_req_task_submit+0xbf/0x1b0
[   27.286306]  tctx_task_work+0x178/0xad0
[   27.288211]  task_work_run+0xe2/0x190
[   27.288571]  exit_to_user_mode_prepare+0x1a1/0x1b0
[   27.289041]  syscall_exit_to_user_mode+0x19/0x50
[   27.289521]  do_syscall_64+0x48/0x90
[   27.289871]  entry_SYSCALL_64_after_hwframe+0x44/0xae

io_req_complete_failed() -> io_req_complete_post() ->
io_req_task_queue() would still try to enqueue a hard linked request,
which can be half prepared (e.g. failed init), so we can't allow
that to happen.

Fixes: a8295b982c46d ("io_uring: fix failed linkchain code logic")
Reported-by: syzbot+f9704d1878e290eddf73@syzkaller.appspotmail.com
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
---
 fs/io_uring.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 473a977c7979..6e07456d9842 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -1823,6 +1823,17 @@ static void io_req_complete_failed(struct io_kiocb *req, long res)
 	io_req_complete_post(req, res, 0);
 }
 
+static void io_req_complete_fail_submit(struct io_kiocb *req)
+{
+	/*
+	 * We don't submit, fail them all, for that replace hardlinks with
+	 * normal links. Extra REQ_F_LINK is tolerated.
+	 */
+	req->flags &= ~REQ_F_HARDLINK;
+	req->flags |= REQ_F_LINK;
+	io_req_complete_failed(req, req->result);
+}
+
 /*
  * Don't initialise the fields below on every allocation, but do that in
  * advance and keep them valid across allocations.
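
Review bot: The comment in io_req_complete_fail_submit() says the extra
REQ_F_LINK is "tolerated" but not why setting it is required. The cover
letter's v2 note records that clearing REQ_F_HARDLINK without setting
REQ_F_LINK leaks requests, and that reasoning belongs in the code comment,
since it is the line a later cleanup is most likely to drop. Suggest saying
that hard links are downgraded to normal links so the whole chain is failed,
and that REQ_F_LINK is set unconditionally so linked requests are failed
rather than leaked. The helper also reads req->result and assumes the caller
has already marked the request with REQ_F_FAIL; stating that precondition in
the comment would make a call on a healthy request easier to spot.
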
@@ -6717,7 +6728,7 @@ static inline void io_queue_sqe(struct io_kiocb *req)
 	if (likely(!(req->flags & (REQ_F_FORCE_ASYNC | REQ_F_FAIL)))) {
 		__io_queue_sqe(req);
 	} else if (req->flags & REQ_F_FAIL) {
-		io_req_complete_failed(req, req->result);
+		io_req_complete_fail_submit(req);
 	} else {
 		int ret = io_req_prep_async(req);
 
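
Review bot: In the REQ_F_FAIL branch of io_queue_sqe(), nothing at the call
site says why the plain io_req_complete_failed(req, req->result) was unsafe
here. A one-line comment that the request may be half prepared (failed init)
and must be completed without ever being queued for submission would tie the
branch to the oops in the commit message. Only this caller is converted in
the hunk, so it is worth confirming that no other path that completes a
REQ_F_FAIL request before submission still calls io_req_complete_failed()
directly while REQ_F_HARDLINK may be set.
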
-- 
2.33.0



* [PATCH v2 2/2] io_uring: don't submit half-prepared drain request
From: Pavel Begunkov @ 2021-08-31 13:13 UTC (permalink / raw)
  To: Jens Axboe, io-uring; +Cc: Hao Xu

[ 3784.910888] BUG: kernel NULL pointer dereference, address: 0000000000000020
[ 3784.910904] RIP: 0010:__io_file_supports_nowait+0x5/0xc0
[ 3784.910926] Call Trace:
[ 3784.910928]  ? io_read+0x17c/0x480
[ 3784.910945]  io_issue_sqe+0xcb/0x1840
[ 3784.910953]  __io_queue_sqe+0x44/0x300
[ 3784.910959]  io_req_task_submit+0x27/0x70
[ 3784.910962]  tctx_task_work+0xeb/0x1d0
[ 3784.910966]  task_work_run+0x61/0xa0
[ 3784.910968]  io_run_task_work_sig+0x53/0xa0
[ 3784.910975]  __x64_sys_io_uring_enter+0x22/0x30
[ 3784.910977]  do_syscall_64+0x3d/0x90
[ 3784.910981]  entry_SYSCALL_64_after_hwframe+0x44/0xae

io_drain_req() goes before checks for REQ_F_FAIL, which protect us from
submitting an under-prepared request (e.g. failed in io_init_req()). Fail
such drained requests as well.

Fixes: a8295b982c46d ("io_uring: fix failed linkchain code logic")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
---
 fs/io_uring.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 6e07456d9842..2514adced460 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -6232,6 +6232,11 @@ static bool io_drain_req(struct io_kiocb *req)
 	int ret;
 	u32 seq;
 
+	if (req->flags & REQ_F_FAIL) {
+		io_req_complete_fail_submit(req);
+		return true;
+	}
+
 	/*
 	 * If we need to drain a request in the middle of a link, drain the
 	 * head request and the next request/link after the current link.
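
Review bot: The new REQ_F_FAIL check at the top of io_drain_req() carries no
comment, and the meaning of returning true after completing the request is
left for the reader to work out. Suggest a short comment that a request which
failed in io_init_req() may be only partly set up, so it is completed here
instead of being deferred and submitted later, and that true tells the caller
the request has been dealt with. With this check in place both io_drain_req()
and io_queue_sqe() test REQ_F_FAIL; if io_drain_req() runs ahead of that
branch for every request the second test is redundant, and if it runs only
for drained requests that is worth stating in the comment.
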
-- 
2.33.0



* Re: [PATCH v2 0/2] fix failing request submission
From: Jens Axboe @ 2021-08-31 16:57 UTC (permalink / raw)
  To: Pavel Begunkov, io-uring; +Cc: Hao Xu

On 8/31/21 7:13 AM, Pavel Begunkov wrote:
> Fix small problems with new link fail logic
> 
> v2: set REQ_F_LINK after clearing HARDLINK, leaking reqs otherwise (Hao)
> 
> Pavel Begunkov (2):
>   io_uring: fix queueing half-created requests
>   io_uring: don't submit half-prepared drain request
> 
>  fs/io_uring.c | 18 +++++++++++++++++-
>  1 file changed, 17 insertions(+), 1 deletion(-)

Applied, thanks.

-- 
Jens Axboe


