From: Dmitrii Dolgov <9erthalion6@gmail.com>
To: axboe@kernel.dk, io-uring@vger.kernel.org
Cc: Dmitrii Dolgov <9erthalion6@gmail.com>
Subject: [RFC] Check if file_data is initialized
Date: Thu,  9 Jan 2020 14:17:50 +0100	[thread overview]
Message-ID: <20200109131750.30468-1-9erthalion6@gmail.com> (raw)

With a combination of --fixedbufs and an old version of fio I've managed
to get a strange situation: when doing io_iopoll_complete, a NULL pointer
dereference on file_data was caused in io_free_req_many. Interestingly
enough, the very same configuration doesn't fail on the newest version of
fio (the old one is fc220349e4514, the new one is 2198a6b5a9f4), but I
guess it still makes sense to have this check if it's possible to craft
such a request to io_uring.

More details about the configuration:

[global]
filename=/dev/vda
rw=randread
bs=256k
direct=1
time_based=1
randrepeat=1
gtod_reduce=1

[fiotest]

fio test.fio \
    --readonly \
    --ioengine=io_uring \
    --iodepth 1024 \
    --fixedbufs \
    --hipri \
    --numjobs=1 \
    --runtime=10

Signed-off-by: Dmitrii Dolgov <9erthalion6@gmail.com>
---
 fs/io_uring.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

I'm not entirely sure if my analysis is correct, but since this change
fixes the issue for me, I've decided to post it.

diff --git a/fs/io_uring.c b/fs/io_uring.c
index c770c2c0eb52..c5e69dfc0221 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -1232,7 +1232,8 @@ static void io_free_req_many(struct io_ring_ctx *ctx, struct req_batch *rb)
 do_free:
 	kmem_cache_free_bulk(req_cachep, rb->to_free, rb->reqs);
 	percpu_ref_put_many(&ctx->refs, rb->to_free);
-	percpu_ref_put_many(&ctx->file_data->refs, rb->to_free);
+	if (ctx->file_data)
+		percpu_ref_put_many(&ctx->file_data->refs, rb->to_free);
 	rb->to_free = rb->need_iter = 0;
 }
 
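Review bot: the `if (ctx->file_data)` guard stops the dereference but does not account for why a batch reached this path with no registered file table, and the surrounding lines suggest the real problem is reference accounting rather than a missing NULL check. The removed line puts `rb->to_free` references on `ctx->file_data->refs` unconditionally, so the existing code assumes every request counted in `rb->to_free` took one reference on file_data; if file_data is NULL those references were never taken, which means a request that did not use the fixed-file table was batched onto the path that drops file references, and the same mismatch will still over-release when file_data is non-NULL but only some of the batched requests hold a reference. Suggest either tracking in `struct req_batch` how many of the batched requests hold a file_data reference (next to the existing `rb->need_iter` flag) and passing only that count to `percpu_ref_put_many()`, or adding a comment above the check explaining under which ring configuration file_data is legitimately NULL here. The commit message should also state where the oops was actually observed (it names both io_iopoll_complete and io_free_req_many) so the fix can be matched to the call chain.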
-- 
2.21.0



Thread overview: 10+ messages
2020-01-09 13:17 Dmitrii Dolgov [this message]
2020-01-09 14:26 ` [RFC] Check if file_data is initialized Pavel Begunkov
2020-01-09 14:51   ` Jens Axboe
2020-01-09 15:17     ` Pavel Begunkov
2020-01-09 15:23       ` Jens Axboe
2020-01-09 15:32         ` Pavel Begunkov
2020-01-09 15:34       ` Jens Axboe
2020-01-09 16:04     ` Dmitry Dolgov
2020-01-09 16:19       ` Jens Axboe
2020-01-09 14:45 ` Jens Axboe
