* [PATCH v2] io_uring/net: ensure async prep handlers always initialize ->done_io
@ 2024-03-15 22:48 Jens Axboe
2024-03-15 23:09 ` Pavel Begunkov
0 siblings, 1 reply; 24+ messages in thread
From: Jens Axboe @ 2024-03-15 22:48 UTC (permalink / raw)
To: io-uring
If we get a request with IOSQE_ASYNC set, then we first run the prep
async handlers. But if we then fail setting it up and want to post
a CQE with -EINVAL, we use ->done_io. This was previously guarded with
REQ_F_PARTIAL_IO, and the normal setup handlers do set it up before any
potential errors, but we need to cover the async setup too.
Fixes: 9817ad85899f ("io_uring/net: remove dependency on REQ_F_PARTIAL_IO for sr->done_io")
Reported-by: syzbot+f8e9a371388aa62ecab4@syzkaller.appspotmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
---
V2: missed a refresh, and hence v1 had io_send_prep_async() overwriting
sr->done_io if we had already set it up.
diff --git a/io_uring/net.c b/io_uring/net.c
index 19451f0dbf81..1e7665ff6ef7 100644
--- a/io_uring/net.c
+++ b/io_uring/net.c
@@ -326,7 +326,10 @@ int io_send_prep_async(struct io_kiocb *req)
struct io_async_msghdr *io;
int ret;
- if (!zc->addr || req_has_async_data(req))
+ if (req_has_async_data(req))
+ return 0;
+ zc->done_io = 0;
+ if (!zc->addr)
return 0;
io = io_msg_alloc_async_prep(req);
if (!io)
@@ -353,8 +356,10 @@ static int io_setup_async_addr(struct io_kiocb *req,
int io_sendmsg_prep_async(struct io_kiocb *req)
{
+ struct io_sr_msg *sr = io_kiocb_to_cmd(req, struct io_sr_msg);
int ret;
+ sr->done_io = 0;
if (!io_msg_alloc_async_prep(req))
return -ENOMEM;
ret = io_sendmsg_copy_hdr(req, req->async_data);
@@ -608,9 +613,11 @@ static int io_recvmsg_copy_hdr(struct io_kiocb *req,
int io_recvmsg_prep_async(struct io_kiocb *req)
{
+ struct io_sr_msg *sr = io_kiocb_to_cmd(req, struct io_sr_msg);
struct io_async_msghdr *iomsg;
int ret;
+ sr->done_io = 0;
if (!io_msg_alloc_async_prep(req))
return -ENOMEM;
iomsg = req->async_data;
--
Jens Axboe
^ permalink raw reply related [flat|nested] 24+ messages in thread* Re: [PATCH v2] io_uring/net: ensure async prep handlers always initialize ->done_io 2024-03-15 22:48 [PATCH v2] io_uring/net: ensure async prep handlers always initialize ->done_io Jens Axboe @ 2024-03-15 23:09 ` Pavel Begunkov 2024-03-15 23:13 ` Pavel Begunkov 2024-03-15 23:13 ` Jens Axboe 0 siblings, 2 replies; 24+ messages in thread From: Pavel Begunkov @ 2024-03-15 23:09 UTC (permalink / raw) To: Jens Axboe, io-uring On 3/15/24 22:48, Jens Axboe wrote: > If we get a request with IOSQE_ASYNC set, then we first run the prep > async handlers. But if we then fail setting it up and want to post > a CQE with -EINVAL, we use ->done_io. This was previously guarded with > REQ_F_PARTIAL_IO, and the normal setup handlers do set it up before any > potential errors, but we need to cover the async setup too. You can hit io_req_defer_failed() { opdef->fail(); } off of an early submission failure path where def->prep has not yet been called, I don't think the patch will fix the problem. ->fail() handlers are fragile, maybe we should skip them if def->prep() wasn't called. Not even compile tested: diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index 846d67a9c72e..56eed1490571 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -993,7 +993,7 @@ void io_req_defer_failed(struct io_kiocb *req, s32 res) req_set_fail(req); io_req_set_res(req, res, io_put_kbuf(req, IO_URING_F_UNLOCKED)); - if (def->fail) + if ((req->flags & REQ_F_EARLY_FAIL) && def->fail) def->fail(req); io_req_complete_defer(req); } @@ -2201,8 +2201,7 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, } req->flags |= REQ_F_CREDS; } - - return def->prep(req, sqe); + return 0; } static __cold int io_submit_fail_init(const struct io_uring_sqe *sqe, @@ -2250,8 +2249,15 @@ static inline int io_submit_sqe(struct io_ring_ctx *ctx, struct io_kiocb *req, int ret; ret = io_init_req(ctx, req, sqe); - if (unlikely(ret)) + if (unlikely(ret)) { +fail: + req->flags |= REQ_F_EARLY_FAIL; return io_submit_fail_init(sqe, req, ret); + } + + ret = def->prep(req, sqe); + if (unlikely(ret)) + goto fail; trace_io_uring_submit_req(req); -- Pavel Begunkov ^ permalink raw reply related [flat|nested] 24+ messages in thread
* Re: [PATCH v2] io_uring/net: ensure async prep handlers always initialize ->done_io 2024-03-15 23:09 ` Pavel Begunkov @ 2024-03-15 23:13 ` Pavel Begunkov 2024-03-15 23:19 ` Pavel Begunkov 2024-03-15 23:13 ` Jens Axboe 1 sibling, 1 reply; 24+ messages in thread From: Pavel Begunkov @ 2024-03-15 23:13 UTC (permalink / raw) To: Jens Axboe, io-uring On 3/15/24 23:09, Pavel Begunkov wrote: > On 3/15/24 22:48, Jens Axboe wrote: >> If we get a request with IOSQE_ASYNC set, then we first run the prep >> async handlers. But if we then fail setting it up and want to post >> a CQE with -EINVAL, we use ->done_io. This was previously guarded with >> REQ_F_PARTIAL_IO, and the normal setup handlers do set it up before any >> potential errors, but we need to cover the async setup too. > > You can hit io_req_defer_failed() { opdef->fail(); } > off of an early submission failure path where def->prep has > not yet been called, I don't think the patch will fix the > problem. > > ->fail() handlers are fragile, maybe we should skip them > if def->prep() wasn't called. Not even compile tested: > > > diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c > index 846d67a9c72e..56eed1490571 100644 > --- a/io_uring/io_uring.c > +++ b/io_uring/io_uring.c > @@ -993,7 +993,7 @@ void io_req_defer_failed(struct io_kiocb *req, s32 res) > > req_set_fail(req); > io_req_set_res(req, res, io_put_kbuf(req, IO_URING_F_UNLOCKED)); > - if (def->fail) > + if ((req->flags & REQ_F_EARLY_FAIL) && def->fail) it rather should've been !(req->flags & REQ_F_EARLY_FAIL) > def->fail(req); > io_req_complete_defer(req); > } > @@ -2201,8 +2201,7 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, > } > req->flags |= REQ_F_CREDS; > } > - > - return def->prep(req, sqe); > + return 0; > } > > static __cold int io_submit_fail_init(const struct io_uring_sqe *sqe, > @@ -2250,8 +2249,15 @@ static inline int io_submit_sqe(struct io_ring_ctx *ctx, struct io_kiocb *req, > int ret; > > ret = io_init_req(ctx, req, sqe); > - if (unlikely(ret)) > + if (unlikely(ret)) { > +fail: > + req->flags |= REQ_F_EARLY_FAIL; > return io_submit_fail_init(sqe, req, ret); > + } > + > + ret = def->prep(req, sqe); > + if (unlikely(ret)) > + goto fail; > > trace_io_uring_submit_req(req); > -- Pavel Begunkov ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH v2] io_uring/net: ensure async prep handlers always initialize ->done_io 2024-03-15 23:13 ` Pavel Begunkov @ 2024-03-15 23:19 ` Pavel Begunkov 2024-03-15 23:25 ` Jens Axboe 0 siblings, 1 reply; 24+ messages in thread From: Pavel Begunkov @ 2024-03-15 23:19 UTC (permalink / raw) To: Jens Axboe, io-uring On 3/15/24 23:13, Pavel Begunkov wrote: > On 3/15/24 23:09, Pavel Begunkov wrote: >> On 3/15/24 22:48, Jens Axboe wrote: >>> If we get a request with IOSQE_ASYNC set, then we first run the prep >>> async handlers. But if we then fail setting it up and want to post >>> a CQE with -EINVAL, we use ->done_io. This was previously guarded with >>> REQ_F_PARTIAL_IO, and the normal setup handlers do set it up before any >>> potential errors, but we need to cover the async setup too. >> >> You can hit io_req_defer_failed() { opdef->fail(); } >> off of an early submission failure path where def->prep has >> not yet been called, I don't think the patch will fix the >> problem. >> >> ->fail() handlers are fragile, maybe we should skip them >> if def->prep() wasn't called. Not even compile tested: >> >> >> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c >> index 846d67a9c72e..56eed1490571 100644 >> --- a/io_uring/io_uring.c >> +++ b/io_uring/io_uring.c [...] >> def->fail(req); >> io_req_complete_defer(req); >> } >> @@ -2201,8 +2201,7 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, >> } >> req->flags |= REQ_F_CREDS; >> } >> - >> - return def->prep(req, sqe); >> + return 0; >> } >> >> static __cold int io_submit_fail_init(const struct io_uring_sqe *sqe, >> @@ -2250,8 +2249,15 @@ static inline int io_submit_sqe(struct io_ring_ctx *ctx, struct io_kiocb *req, >> int ret; >> >> ret = io_init_req(ctx, req, sqe); >> - if (unlikely(ret)) >> + if (unlikely(ret)) { >> +fail: Obvious the diff is crap, but still bugging me enough to write that the label should've been one line below, otherwise we'd flag after ->prep as well. >> + req->flags |= REQ_F_EARLY_FAIL; >> return io_submit_fail_init(sqe, req, ret); >> + } >> + >> + ret = def->prep(req, sqe); >> + if (unlikely(ret)) >> + goto fail; >> >> trace_io_uring_submit_req(req); >> > -- Pavel Begunkov ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH v2] io_uring/net: ensure async prep handlers always initialize ->done_io 2024-03-15 23:19 ` Pavel Begunkov @ 2024-03-15 23:25 ` Jens Axboe 2024-03-15 23:28 ` Pavel Begunkov 0 siblings, 1 reply; 24+ messages in thread From: Jens Axboe @ 2024-03-15 23:25 UTC (permalink / raw) To: Pavel Begunkov, io-uring On 3/15/24 5:19 PM, Pavel Begunkov wrote: > On 3/15/24 23:13, Pavel Begunkov wrote: >> On 3/15/24 23:09, Pavel Begunkov wrote: >>> On 3/15/24 22:48, Jens Axboe wrote: >>>> If we get a request with IOSQE_ASYNC set, then we first run the prep >>>> async handlers. But if we then fail setting it up and want to post >>>> a CQE with -EINVAL, we use ->done_io. This was previously guarded with >>>> REQ_F_PARTIAL_IO, and the normal setup handlers do set it up before any >>>> potential errors, but we need to cover the async setup too. >>> >>> You can hit io_req_defer_failed() { opdef->fail(); } >>> off of an early submission failure path where def->prep has >>> not yet been called, I don't think the patch will fix the >>> problem. >>> >>> ->fail() handlers are fragile, maybe we should skip them >>> if def->prep() wasn't called. Not even compile tested: >>> >>> >>> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c >>> index 846d67a9c72e..56eed1490571 100644 >>> --- a/io_uring/io_uring.c >>> +++ b/io_uring/io_uring.c > [...] >>> def->fail(req); >>> io_req_complete_defer(req); >>> } >>> @@ -2201,8 +2201,7 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, >>> } >>> req->flags |= REQ_F_CREDS; >>> } >>> - >>> - return def->prep(req, sqe); >>> + return 0; >>> } >>> >>> static __cold int io_submit_fail_init(const struct io_uring_sqe *sqe, >>> @@ -2250,8 +2249,15 @@ static inline int io_submit_sqe(struct io_ring_ctx *ctx, struct io_kiocb *req, >>> int ret; >>> >>> ret = io_init_req(ctx, req, sqe); >>> - if (unlikely(ret)) >>> + if (unlikely(ret)) { >>> +fail: > > Obvious the diff is crap, but still bugging me enough to write > that the label should've been one line below, otherwise we'd > flag after ->prep as well. It certainly needs testing :-) We can go either way - patch up the net thing, or do a proper EARLY_FAIL and hopefully not have to worry about it again. Do you want to clean it up, test it, and send it out? -- Jens Axboe ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH v2] io_uring/net: ensure async prep handlers always initialize ->done_io 2024-03-15 23:25 ` Jens Axboe @ 2024-03-15 23:28 ` Pavel Begunkov 2024-03-15 23:53 ` Jens Axboe 2024-03-16 16:14 ` Jens Axboe 0 siblings, 2 replies; 24+ messages in thread From: Pavel Begunkov @ 2024-03-15 23:28 UTC (permalink / raw) To: Jens Axboe, io-uring On 3/15/24 23:25, Jens Axboe wrote: > On 3/15/24 5:19 PM, Pavel Begunkov wrote: >> On 3/15/24 23:13, Pavel Begunkov wrote: >>> On 3/15/24 23:09, Pavel Begunkov wrote: >>>> On 3/15/24 22:48, Jens Axboe wrote: >>>>> If we get a request with IOSQE_ASYNC set, then we first run the prep >>>>> async handlers. But if we then fail setting it up and want to post >>>>> a CQE with -EINVAL, we use ->done_io. This was previously guarded with >>>>> REQ_F_PARTIAL_IO, and the normal setup handlers do set it up before any >>>>> potential errors, but we need to cover the async setup too. >>>> >>>> You can hit io_req_defer_failed() { opdef->fail(); } >>>> off of an early submission failure path where def->prep has >>>> not yet been called, I don't think the patch will fix the >>>> problem. >>>> >>>> ->fail() handlers are fragile, maybe we should skip them >>>> if def->prep() wasn't called. Not even compile tested: >>>> >>>> >>>> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c >>>> index 846d67a9c72e..56eed1490571 100644 >>>> --- a/io_uring/io_uring.c >>>> +++ b/io_uring/io_uring.c >> [...] >>>> def->fail(req); >>>> io_req_complete_defer(req); >>>> } >>>> @@ -2201,8 +2201,7 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, >>>> } >>>> req->flags |= REQ_F_CREDS; >>>> } >>>> - >>>> - return def->prep(req, sqe); >>>> + return 0; >>>> } >>>> >>>> static __cold int io_submit_fail_init(const struct io_uring_sqe *sqe, >>>> @@ -2250,8 +2249,15 @@ static inline int io_submit_sqe(struct io_ring_ctx *ctx, struct io_kiocb *req, >>>> int ret; >>>> >>>> ret = io_init_req(ctx, req, sqe); >>>> - if (unlikely(ret)) >>>> + if (unlikely(ret)) { >>>> +fail: >> >> Obvious the diff is crap, but still bugging me enough to write >> that the label should've been one line below, otherwise we'd >> flag after ->prep as well. > > It certainly needs testing :-) > > We can go either way - patch up the net thing, or do a proper EARLY_FAIL > and hopefully not have to worry about it again. Do you want to clean it > up, test it, and send it out? I'd rather leave it to you, I suspect it wouldn't fix the syzbot report w/o fiddling with done_io as in your patch. -- Pavel Begunkov ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH v2] io_uring/net: ensure async prep handlers always initialize ->done_io 2024-03-15 23:28 ` Pavel Begunkov @ 2024-03-15 23:53 ` Jens Axboe 2024-03-16 16:14 ` Jens Axboe 1 sibling, 0 replies; 24+ messages in thread From: Jens Axboe @ 2024-03-15 23:53 UTC (permalink / raw) To: Pavel Begunkov, io-uring On 3/15/24 5:28 PM, Pavel Begunkov wrote: > On 3/15/24 23:25, Jens Axboe wrote: >> On 3/15/24 5:19 PM, Pavel Begunkov wrote: >>> On 3/15/24 23:13, Pavel Begunkov wrote: >>>> On 3/15/24 23:09, Pavel Begunkov wrote: >>>>> On 3/15/24 22:48, Jens Axboe wrote: >>>>>> If we get a request with IOSQE_ASYNC set, then we first run the prep >>>>>> async handlers. But if we then fail setting it up and want to post >>>>>> a CQE with -EINVAL, we use ->done_io. This was previously guarded with >>>>>> REQ_F_PARTIAL_IO, and the normal setup handlers do set it up before any >>>>>> potential errors, but we need to cover the async setup too. >>>>> >>>>> You can hit io_req_defer_failed() { opdef->fail(); } >>>>> off of an early submission failure path where def->prep has >>>>> not yet been called, I don't think the patch will fix the >>>>> problem. >>>>> >>>>> ->fail() handlers are fragile, maybe we should skip them >>>>> if def->prep() wasn't called. Not even compile tested: >>>>> >>>>> >>>>> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c >>>>> index 846d67a9c72e..56eed1490571 100644 >>>>> --- a/io_uring/io_uring.c >>>>> +++ b/io_uring/io_uring.c >>> [...] >>>>> def->fail(req); >>>>> io_req_complete_defer(req); >>>>> } >>>>> @@ -2201,8 +2201,7 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, >>>>> } >>>>> req->flags |= REQ_F_CREDS; >>>>> } >>>>> - >>>>> - return def->prep(req, sqe); >>>>> + return 0; >>>>> } >>>>> >>>>> static __cold int io_submit_fail_init(const struct io_uring_sqe *sqe, >>>>> @@ -2250,8 +2249,15 @@ static inline int io_submit_sqe(struct io_ring_ctx *ctx, struct io_kiocb *req, >>>>> int ret; >>>>> >>>>> ret = io_init_req(ctx, req, sqe); >>>>> - if (unlikely(ret)) >>>>> + if (unlikely(ret)) { >>>>> +fail: >>> >>> Obvious the diff is crap, but still bugging me enough to write >>> that the label should've been one line below, otherwise we'd >>> flag after ->prep as well. >> >> It certainly needs testing :-) >> >> We can go either way - patch up the net thing, or do a proper EARLY_FAIL >> and hopefully not have to worry about it again. Do you want to clean it >> up, test it, and send it out? > > I'd rather leave it to you, I suspect it wouldn't fix the syzbot > report w/o fiddling with done_io as in your patch. I'd probably be in favor of just doing the net one for now, ensuring it's OK. Then we can do a generic version for 6.10. -- Jens Axboe ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH v2] io_uring/net: ensure async prep handlers always initialize ->done_io 2024-03-15 23:28 ` Pavel Begunkov 2024-03-15 23:53 ` Jens Axboe @ 2024-03-16 16:14 ` Jens Axboe 2024-03-16 16:28 ` Pavel Begunkov 1 sibling, 1 reply; 24+ messages in thread From: Jens Axboe @ 2024-03-16 16:14 UTC (permalink / raw) To: Pavel Begunkov, io-uring On 3/15/24 5:28 PM, Pavel Begunkov wrote: > On 3/15/24 23:25, Jens Axboe wrote: >> On 3/15/24 5:19 PM, Pavel Begunkov wrote: >>> On 3/15/24 23:13, Pavel Begunkov wrote: >>>> On 3/15/24 23:09, Pavel Begunkov wrote: >>>>> On 3/15/24 22:48, Jens Axboe wrote: >>>>>> If we get a request with IOSQE_ASYNC set, then we first run the prep >>>>>> async handlers. But if we then fail setting it up and want to post >>>>>> a CQE with -EINVAL, we use ->done_io. This was previously guarded with >>>>>> REQ_F_PARTIAL_IO, and the normal setup handlers do set it up before any >>>>>> potential errors, but we need to cover the async setup too. >>>>> >>>>> You can hit io_req_defer_failed() { opdef->fail(); } >>>>> off of an early submission failure path where def->prep has >>>>> not yet been called, I don't think the patch will fix the >>>>> problem. >>>>> >>>>> ->fail() handlers are fragile, maybe we should skip them >>>>> if def->prep() wasn't called. Not even compile tested: >>>>> >>>>> >>>>> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c >>>>> index 846d67a9c72e..56eed1490571 100644 >>>>> --- a/io_uring/io_uring.c >>>>> +++ b/io_uring/io_uring.c >>> [...] >>>>> def->fail(req); >>>>> io_req_complete_defer(req); >>>>> } >>>>> @@ -2201,8 +2201,7 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, >>>>> } >>>>> req->flags |= REQ_F_CREDS; >>>>> } >>>>> - >>>>> - return def->prep(req, sqe); >>>>> + return 0; >>>>> } >>>>> >>>>> static __cold int io_submit_fail_init(const struct io_uring_sqe *sqe, >>>>> @@ -2250,8 +2249,15 @@ static inline int io_submit_sqe(struct io_ring_ctx *ctx, struct io_kiocb *req, >>>>> int ret; >>>>> >>>>> ret = io_init_req(ctx, req, sqe); >>>>> - if (unlikely(ret)) >>>>> + if (unlikely(ret)) { >>>>> +fail: >>> >>> Obvious the diff is crap, but still bugging me enough to write >>> that the label should've been one line below, otherwise we'd >>> flag after ->prep as well. >> >> It certainly needs testing :-) >> >> We can go either way - patch up the net thing, or do a proper EARLY_FAIL >> and hopefully not have to worry about it again. Do you want to clean it >> up, test it, and send it out? > > I'd rather leave it to you, I suspect it wouldn't fix the syzbot > report w/o fiddling with done_io as in your patch. I gave this a shot, but some fail handlers do want to get called. But they can't use sr->done_io at that point. I'll ponder this a bit and see what the best generic solution is. -- Jens Axboe ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH v2] io_uring/net: ensure async prep handlers always initialize ->done_io 2024-03-16 16:14 ` Jens Axboe @ 2024-03-16 16:28 ` Pavel Begunkov 2024-03-16 16:31 ` Jens Axboe 0 siblings, 1 reply; 24+ messages in thread From: Pavel Begunkov @ 2024-03-16 16:28 UTC (permalink / raw) To: Jens Axboe, io-uring On 3/16/24 16:14, Jens Axboe wrote: > On 3/15/24 5:28 PM, Pavel Begunkov wrote: >> On 3/15/24 23:25, Jens Axboe wrote: >>> On 3/15/24 5:19 PM, Pavel Begunkov wrote: >>>> On 3/15/24 23:13, Pavel Begunkov wrote: >>>>> On 3/15/24 23:09, Pavel Begunkov wrote: >>>>>> On 3/15/24 22:48, Jens Axboe wrote: >>>>>>> If we get a request with IOSQE_ASYNC set, then we first run the prep >>>>>>> async handlers. But if we then fail setting it up and want to post >>>>>>> a CQE with -EINVAL, we use ->done_io. This was previously guarded with >>>>>>> REQ_F_PARTIAL_IO, and the normal setup handlers do set it up before any >>>>>>> potential errors, but we need to cover the async setup too. >>>>>> >>>>>> You can hit io_req_defer_failed() { opdef->fail(); } >>>>>> off of an early submission failure path where def->prep has >>>>>> not yet been called, I don't think the patch will fix the >>>>>> problem. >>>>>> >>>>>> ->fail() handlers are fragile, maybe we should skip them >>>>>> if def->prep() wasn't called. Not even compile tested: >>>>>> >>>>>> >>>>>> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c >>>>>> index 846d67a9c72e..56eed1490571 100644 >>>>>> --- a/io_uring/io_uring.c >>>>>> +++ b/io_uring/io_uring.c >>>> [...] >>>>>> def->fail(req); >>>>>> io_req_complete_defer(req); >>>>>> } >>>>>> @@ -2201,8 +2201,7 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, >>>>>> } >>>>>> req->flags |= REQ_F_CREDS; >>>>>> } >>>>>> - >>>>>> - return def->prep(req, sqe); >>>>>> + return 0; >>>>>> } >>>>>> >>>>>> static __cold int io_submit_fail_init(const struct io_uring_sqe *sqe, >>>>>> @@ -2250,8 +2249,15 @@ static inline int io_submit_sqe(struct io_ring_ctx *ctx, struct io_kiocb *req, >>>>>> int ret; >>>>>> >>>>>> ret = io_init_req(ctx, req, sqe); >>>>>> - if (unlikely(ret)) >>>>>> + if (unlikely(ret)) { >>>>>> +fail: >>>> >>>> Obvious the diff is crap, but still bugging me enough to write >>>> that the label should've been one line below, otherwise we'd >>>> flag after ->prep as well. >>> >>> It certainly needs testing :-) >>> >>> We can go either way - patch up the net thing, or do a proper EARLY_FAIL >>> and hopefully not have to worry about it again. Do you want to clean it >>> up, test it, and send it out? >> >> I'd rather leave it to you, I suspect it wouldn't fix the syzbot >> report w/o fiddling with done_io as in your patch. > > I gave this a shot, but some fail handlers do want to get called. But Which one and/or which part of it? > they can't use sr->done_io at that point. I'll ponder this a bit and see > what the best generic solution is. -- Pavel Begunkov ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH v2] io_uring/net: ensure async prep handlers always initialize ->done_io 2024-03-16 16:28 ` Pavel Begunkov @ 2024-03-16 16:31 ` Jens Axboe 2024-03-16 16:32 ` Pavel Begunkov 0 siblings, 1 reply; 24+ messages in thread From: Jens Axboe @ 2024-03-16 16:31 UTC (permalink / raw) To: Pavel Begunkov, io-uring On 3/16/24 10:28 AM, Pavel Begunkov wrote: > On 3/16/24 16:14, Jens Axboe wrote: >> On 3/15/24 5:28 PM, Pavel Begunkov wrote: >>> On 3/15/24 23:25, Jens Axboe wrote: >>>> On 3/15/24 5:19 PM, Pavel Begunkov wrote: >>>>> On 3/15/24 23:13, Pavel Begunkov wrote: >>>>>> On 3/15/24 23:09, Pavel Begunkov wrote: >>>>>>> On 3/15/24 22:48, Jens Axboe wrote: >>>>>>>> If we get a request with IOSQE_ASYNC set, then we first run the prep >>>>>>>> async handlers. But if we then fail setting it up and want to post >>>>>>>> a CQE with -EINVAL, we use ->done_io. This was previously guarded with >>>>>>>> REQ_F_PARTIAL_IO, and the normal setup handlers do set it up before any >>>>>>>> potential errors, but we need to cover the async setup too. >>>>>>> >>>>>>> You can hit io_req_defer_failed() { opdef->fail(); } >>>>>>> off of an early submission failure path where def->prep has >>>>>>> not yet been called, I don't think the patch will fix the >>>>>>> problem. >>>>>>> >>>>>>> ->fail() handlers are fragile, maybe we should skip them >>>>>>> if def->prep() wasn't called. Not even compile tested: >>>>>>> >>>>>>> >>>>>>> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c >>>>>>> index 846d67a9c72e..56eed1490571 100644 >>>>>>> --- a/io_uring/io_uring.c >>>>>>> +++ b/io_uring/io_uring.c >>>>> [...] >>>>>>> def->fail(req); >>>>>>> io_req_complete_defer(req); >>>>>>> } >>>>>>> @@ -2201,8 +2201,7 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, >>>>>>> } >>>>>>> req->flags |= REQ_F_CREDS; >>>>>>> } >>>>>>> - >>>>>>> - return def->prep(req, sqe); >>>>>>> + return 0; >>>>>>> } >>>>>>> >>>>>>> static __cold int io_submit_fail_init(const struct io_uring_sqe *sqe, >>>>>>> @@ -2250,8 +2249,15 @@ static inline int io_submit_sqe(struct io_ring_ctx *ctx, struct io_kiocb *req, >>>>>>> int ret; >>>>>>> >>>>>>> ret = io_init_req(ctx, req, sqe); >>>>>>> - if (unlikely(ret)) >>>>>>> + if (unlikely(ret)) { >>>>>>> +fail: >>>>> >>>>> Obvious the diff is crap, but still bugging me enough to write >>>>> that the label should've been one line below, otherwise we'd >>>>> flag after ->prep as well. >>>> >>>> It certainly needs testing :-) >>>> >>>> We can go either way - patch up the net thing, or do a proper EARLY_FAIL >>>> and hopefully not have to worry about it again. Do you want to clean it >>>> up, test it, and send it out? >>> >>> I'd rather leave it to you, I suspect it wouldn't fix the syzbot >>> report w/o fiddling with done_io as in your patch. >> >> I gave this a shot, but some fail handlers do want to get called. But > > Which one and/or which part of it? send zc I think the sanest is: 1) Opcode handlers should always initialize whatever they need before failure 2) If we fail before ->prep, don't call ->fail Yes that doesn't cover the case where opcode handlers do stupid things like use opcode members in fail if they fail the prep, but that should be the smallest part. -- Jens Axboe ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH v2] io_uring/net: ensure async prep handlers always initialize ->done_io 2024-03-16 16:31 ` Jens Axboe @ 2024-03-16 16:32 ` Pavel Begunkov 2024-03-16 16:34 ` Pavel Begunkov 2024-03-16 16:36 ` Jens Axboe 0 siblings, 2 replies; 24+ messages in thread From: Pavel Begunkov @ 2024-03-16 16:32 UTC (permalink / raw) To: Jens Axboe, io-uring On 3/16/24 16:31, Jens Axboe wrote: > On 3/16/24 10:28 AM, Pavel Begunkov wrote: >> On 3/16/24 16:14, Jens Axboe wrote: >>> On 3/15/24 5:28 PM, Pavel Begunkov wrote: >>>> On 3/15/24 23:25, Jens Axboe wrote: >>>>> On 3/15/24 5:19 PM, Pavel Begunkov wrote: >>>>>> On 3/15/24 23:13, Pavel Begunkov wrote: >>>>>>> On 3/15/24 23:09, Pavel Begunkov wrote: >>>>>>>> On 3/15/24 22:48, Jens Axboe wrote: >>>>>>>>> If we get a request with IOSQE_ASYNC set, then we first run the prep >>>>>>>>> async handlers. But if we then fail setting it up and want to post >>>>>>>>> a CQE with -EINVAL, we use ->done_io. This was previously guarded with >>>>>>>>> REQ_F_PARTIAL_IO, and the normal setup handlers do set it up before any >>>>>>>>> potential errors, but we need to cover the async setup too. >>>>>>>> >>>>>>>> You can hit io_req_defer_failed() { opdef->fail(); } >>>>>>>> off of an early submission failure path where def->prep has >>>>>>>> not yet been called, I don't think the patch will fix the >>>>>>>> problem. >>>>>>>> >>>>>>>> ->fail() handlers are fragile, maybe we should skip them >>>>>>>> if def->prep() wasn't called. Not even compile tested: >>>>>>>> >>>>>>>> >>>>>>>> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c >>>>>>>> index 846d67a9c72e..56eed1490571 100644 >>>>>>>> --- a/io_uring/io_uring.c >>>>>>>> +++ b/io_uring/io_uring.c >>>>>> [...] >>>>>>>> def->fail(req); >>>>>>>> io_req_complete_defer(req); >>>>>>>> } >>>>>>>> @@ -2201,8 +2201,7 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, >>>>>>>> } >>>>>>>> req->flags |= REQ_F_CREDS; >>>>>>>> } >>>>>>>> - >>>>>>>> - return def->prep(req, sqe); >>>>>>>> + return 0; >>>>>>>> } >>>>>>>> >>>>>>>> static __cold int io_submit_fail_init(const struct io_uring_sqe *sqe, >>>>>>>> @@ -2250,8 +2249,15 @@ static inline int io_submit_sqe(struct io_ring_ctx *ctx, struct io_kiocb *req, >>>>>>>> int ret; >>>>>>>> >>>>>>>> ret = io_init_req(ctx, req, sqe); >>>>>>>> - if (unlikely(ret)) >>>>>>>> + if (unlikely(ret)) { >>>>>>>> +fail: >>>>>> >>>>>> Obvious the diff is crap, but still bugging me enough to write >>>>>> that the label should've been one line below, otherwise we'd >>>>>> flag after ->prep as well. >>>>> >>>>> It certainly needs testing :-) >>>>> >>>>> We can go either way - patch up the net thing, or do a proper EARLY_FAIL >>>>> and hopefully not have to worry about it again. Do you want to clean it >>>>> up, test it, and send it out? >>>> >>>> I'd rather leave it to you, I suspect it wouldn't fix the syzbot >>>> report w/o fiddling with done_io as in your patch. >>> >>> I gave this a shot, but some fail handlers do want to get called. But >> >> Which one and/or which part of it? > > send zc I don't think so. If prep wasn't called there wouldn't be a notif allocated, and so no F_MORE required. If you take at the code path it's under REQ_F_NEED_CLEANUP, which is only set by opcode handlers > > I think the sanest is: > > 1) Opcode handlers should always initialize whatever they need before > failure > 2) If we fail before ->prep, don't call ->fail > > Yes that doesn't cover the case where opcode handlers do stupid things > like use opcode members in fail if they fail the prep, but that should > be the smallest part. > -- Pavel Begunkov ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH v2] io_uring/net: ensure async prep handlers always initialize ->done_io 2024-03-16 16:32 ` Pavel Begunkov @ 2024-03-16 16:34 ` Pavel Begunkov 2024-03-16 16:36 ` Jens Axboe 1 sibling, 0 replies; 24+ messages in thread From: Pavel Begunkov @ 2024-03-16 16:34 UTC (permalink / raw) To: Jens Axboe, io-uring On 3/16/24 16:32, Pavel Begunkov wrote: > On 3/16/24 16:31, Jens Axboe wrote: >> On 3/16/24 10:28 AM, Pavel Begunkov wrote: >>> On 3/16/24 16:14, Jens Axboe wrote: >>>> On 3/15/24 5:28 PM, Pavel Begunkov wrote: >>>>> On 3/15/24 23:25, Jens Axboe wrote: >>>>>> On 3/15/24 5:19 PM, Pavel Begunkov wrote: >>>>>>> On 3/15/24 23:13, Pavel Begunkov wrote: >>>>>>>> On 3/15/24 23:09, Pavel Begunkov wrote: >>>>>>>>> On 3/15/24 22:48, Jens Axboe wrote: >>>>>>>>>> If we get a request with IOSQE_ASYNC set, then we first run the prep >>>>>>>>>> async handlers. But if we then fail setting it up and want to post >>>>>>>>>> a CQE with -EINVAL, we use ->done_io. This was previously guarded with >>>>>>>>>> REQ_F_PARTIAL_IO, and the normal setup handlers do set it up before any >>>>>>>>>> potential errors, but we need to cover the async setup too. >>>>>>>>> >>>>>>>>> You can hit io_req_defer_failed() { opdef->fail(); } >>>>>>>>> off of an early submission failure path where def->prep has >>>>>>>>> not yet been called, I don't think the patch will fix the >>>>>>>>> problem. >>>>>>>>> >>>>>>>>> ->fail() handlers are fragile, maybe we should skip them >>>>>>>>> if def->prep() wasn't called. Not even compile tested: >>>>>>>>> >>>>>>>>> >>>>>>>>> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c >>>>>>>>> index 846d67a9c72e..56eed1490571 100644 >>>>>>>>> --- a/io_uring/io_uring.c >>>>>>>>> +++ b/io_uring/io_uring.c >>>>>>> [...] >>>>>>>>> def->fail(req); >>>>>>>>> io_req_complete_defer(req); >>>>>>>>> } >>>>>>>>> @@ -2201,8 +2201,7 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, >>>>>>>>> } >>>>>>>>> req->flags |= REQ_F_CREDS; >>>>>>>>> } >>>>>>>>> - >>>>>>>>> - return def->prep(req, sqe); >>>>>>>>> + return 0; >>>>>>>>> } >>>>>>>>> >>>>>>>>> static __cold int io_submit_fail_init(const struct io_uring_sqe *sqe, >>>>>>>>> @@ -2250,8 +2249,15 @@ static inline int io_submit_sqe(struct io_ring_ctx *ctx, struct io_kiocb *req, >>>>>>>>> int ret; >>>>>>>>> >>>>>>>>> ret = io_init_req(ctx, req, sqe); >>>>>>>>> - if (unlikely(ret)) >>>>>>>>> + if (unlikely(ret)) { >>>>>>>>> +fail: >>>>>>> >>>>>>> Obvious the diff is crap, but still bugging me enough to write >>>>>>> that the label should've been one line below, otherwise we'd >>>>>>> flag after ->prep as well. >>>>>> >>>>>> It certainly needs testing :-) >>>>>> >>>>>> We can go either way - patch up the net thing, or do a proper EARLY_FAIL >>>>>> and hopefully not have to worry about it again. Do you want to clean it >>>>>> up, test it, and send it out? >>>>> >>>>> I'd rather leave it to you, I suspect it wouldn't fix the syzbot >>>>> report w/o fiddling with done_io as in your patch. >>>> >>>> I gave this a shot, but some fail handlers do want to get called. But Maybe I didn't get you right. I assumed you're saying "the zc's ->fail wants to get called even if prep didn't happen. ? >>> Which one and/or which part of it? >> >> send zc > > I don't think so. If prep wasn't called there wouldn't be > a notif allocated, and so no F_MORE required. If you take > at the code path it's under REQ_F_NEED_CLEANUP, which is only > set by opcode handlers > > >> >> I think the sanest is: >> >> 1) Opcode handlers should always initialize whatever they need before >> failure Yes >> 2) If we fail before ->prep, don't call ->fail That's what I suggested >> Yes that doesn't cover the case where opcode handlers do stupid things >> like use opcode members in fail if they fail the prep, but that should >> be the smallest part. >> > -- Pavel Begunkov ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH v2] io_uring/net: ensure async prep handlers always initialize ->done_io 2024-03-16 16:32 ` Pavel Begunkov 2024-03-16 16:34 ` Pavel Begunkov @ 2024-03-16 16:36 ` Jens Axboe 2024-03-16 16:36 ` Pavel Begunkov 1 sibling, 1 reply; 24+ messages in thread From: Jens Axboe @ 2024-03-16 16:36 UTC (permalink / raw) To: Pavel Begunkov, io-uring On 3/16/24 10:32 AM, Pavel Begunkov wrote: > On 3/16/24 16:31, Jens Axboe wrote: >> On 3/16/24 10:28 AM, Pavel Begunkov wrote: >>> On 3/16/24 16:14, Jens Axboe wrote: >>>> On 3/15/24 5:28 PM, Pavel Begunkov wrote: >>>>> On 3/15/24 23:25, Jens Axboe wrote: >>>>>> On 3/15/24 5:19 PM, Pavel Begunkov wrote: >>>>>>> On 3/15/24 23:13, Pavel Begunkov wrote: >>>>>>>> On 3/15/24 23:09, Pavel Begunkov wrote: >>>>>>>>> On 3/15/24 22:48, Jens Axboe wrote: >>>>>>>>>> If we get a request with IOSQE_ASYNC set, then we first run the prep >>>>>>>>>> async handlers. But if we then fail setting it up and want to post >>>>>>>>>> a CQE with -EINVAL, we use ->done_io. This was previously guarded with >>>>>>>>>> REQ_F_PARTIAL_IO, and the normal setup handlers do set it up before any >>>>>>>>>> potential errors, but we need to cover the async setup too. >>>>>>>>> >>>>>>>>> You can hit io_req_defer_failed() { opdef->fail(); } >>>>>>>>> off of an early submission failure path where def->prep has >>>>>>>>> not yet been called, I don't think the patch will fix the >>>>>>>>> problem. >>>>>>>>> >>>>>>>>> ->fail() handlers are fragile, maybe we should skip them >>>>>>>>> if def->prep() wasn't called. Not even compile tested: >>>>>>>>> >>>>>>>>> >>>>>>>>> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c >>>>>>>>> index 846d67a9c72e..56eed1490571 100644 >>>>>>>>> --- a/io_uring/io_uring.c >>>>>>>>> +++ b/io_uring/io_uring.c >>>>>>> [...] >>>>>>>>> def->fail(req); >>>>>>>>> io_req_complete_defer(req); >>>>>>>>> } >>>>>>>>> @@ -2201,8 +2201,7 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, >>>>>>>>> } >>>>>>>>> req->flags |= REQ_F_CREDS; >>>>>>>>> } >>>>>>>>> - >>>>>>>>> - return def->prep(req, sqe); >>>>>>>>> + return 0; >>>>>>>>> } >>>>>>>>> >>>>>>>>> static __cold int io_submit_fail_init(const struct io_uring_sqe *sqe, >>>>>>>>> @@ -2250,8 +2249,15 @@ static inline int io_submit_sqe(struct io_ring_ctx *ctx, struct io_kiocb *req, >>>>>>>>> int ret; >>>>>>>>> >>>>>>>>> ret = io_init_req(ctx, req, sqe); >>>>>>>>> - if (unlikely(ret)) >>>>>>>>> + if (unlikely(ret)) { >>>>>>>>> +fail: >>>>>>> >>>>>>> Obvious the diff is crap, but still bugging me enough to write >>>>>>> that the label should've been one line below, otherwise we'd >>>>>>> flag after ->prep as well. >>>>>> >>>>>> It certainly needs testing :-) >>>>>> >>>>>> We can go either way - patch up the net thing, or do a proper EARLY_FAIL >>>>>> and hopefully not have to worry about it again. Do you want to clean it >>>>>> up, test it, and send it out? >>>>> >>>>> I'd rather leave it to you, I suspect it wouldn't fix the syzbot >>>>> report w/o fiddling with done_io as in your patch. >>>> >>>> I gave this a shot, but some fail handlers do want to get called. But >>> >>> Which one and/or which part of it? >> >> send zc > > I don't think so. If prep wasn't called there wouldn't be > a notif allocated, and so no F_MORE required. If you take > at the code path it's under REQ_F_NEED_CLEANUP, which is only > set by opcode handlers I'm not making this up, your test case will literally fail as it doesn't get to flag MORE for that case. FWIW, this was done with EARLY_FAIL being flagged, and failing if we fail during or before prep. -- Jens Axboe ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH v2] io_uring/net: ensure async prep handlers always initialize ->done_io 2024-03-16 16:36 ` Jens Axboe @ 2024-03-16 16:36 ` Pavel Begunkov 2024-03-16 16:40 ` Pavel Begunkov 2024-03-16 16:42 ` Jens Axboe 0 siblings, 2 replies; 24+ messages in thread From: Pavel Begunkov @ 2024-03-16 16:36 UTC (permalink / raw) To: Jens Axboe, io-uring On 3/16/24 16:36, Jens Axboe wrote: > On 3/16/24 10:32 AM, Pavel Begunkov wrote: >> On 3/16/24 16:31, Jens Axboe wrote: >>> On 3/16/24 10:28 AM, Pavel Begunkov wrote: >>>> On 3/16/24 16:14, Jens Axboe wrote: >>>>> On 3/15/24 5:28 PM, Pavel Begunkov wrote: >>>>>> On 3/15/24 23:25, Jens Axboe wrote: >>>>>>> On 3/15/24 5:19 PM, Pavel Begunkov wrote: >>>>>>>> On 3/15/24 23:13, Pavel Begunkov wrote: >>>>>>>>> On 3/15/24 23:09, Pavel Begunkov wrote: >>>>>>>>>> On 3/15/24 22:48, Jens Axboe wrote: >>>>>>>>>>> If we get a request with IOSQE_ASYNC set, then we first run the prep >>>>>>>>>>> async handlers. But if we then fail setting it up and want to post >>>>>>>>>>> a CQE with -EINVAL, we use ->done_io. This was previously guarded with >>>>>>>>>>> REQ_F_PARTIAL_IO, and the normal setup handlers do set it up before any >>>>>>>>>>> potential errors, but we need to cover the async setup too. >>>>>>>>>> >>>>>>>>>> You can hit io_req_defer_failed() { opdef->fail(); } >>>>>>>>>> off of an early submission failure path where def->prep has >>>>>>>>>> not yet been called, I don't think the patch will fix the >>>>>>>>>> problem. >>>>>>>>>> >>>>>>>>>> ->fail() handlers are fragile, maybe we should skip them >>>>>>>>>> if def->prep() wasn't called. Not even compile tested: >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c >>>>>>>>>> index 846d67a9c72e..56eed1490571 100644 >>>>>>>>>> --- a/io_uring/io_uring.c >>>>>>>>>> +++ b/io_uring/io_uring.c >>>>>>>> [...] >>>>>>>>>> def->fail(req); >>>>>>>>>> io_req_complete_defer(req); >>>>>>>>>> } >>>>>>>>>> @@ -2201,8 +2201,7 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, >>>>>>>>>> } >>>>>>>>>> req->flags |= REQ_F_CREDS; >>>>>>>>>> } >>>>>>>>>> - >>>>>>>>>> - return def->prep(req, sqe); >>>>>>>>>> + return 0; >>>>>>>>>> } >>>>>>>>>> >>>>>>>>>> static __cold int io_submit_fail_init(const struct io_uring_sqe *sqe, >>>>>>>>>> @@ -2250,8 +2249,15 @@ static inline int io_submit_sqe(struct io_ring_ctx *ctx, struct io_kiocb *req, >>>>>>>>>> int ret; >>>>>>>>>> >>>>>>>>>> ret = io_init_req(ctx, req, sqe); >>>>>>>>>> - if (unlikely(ret)) >>>>>>>>>> + if (unlikely(ret)) { >>>>>>>>>> +fail: >>>>>>>> >>>>>>>> Obvious the diff is crap, but still bugging me enough to write >>>>>>>> that the label should've been one line below, otherwise we'd >>>>>>>> flag after ->prep as well. >>>>>>> >>>>>>> It certainly needs testing :-) >>>>>>> >>>>>>> We can go either way - patch up the net thing, or do a proper EARLY_FAIL >>>>>>> and hopefully not have to worry about it again. Do you want to clean it >>>>>>> up, test it, and send it out? >>>>>> >>>>>> I'd rather leave it to you, I suspect it wouldn't fix the syzbot >>>>>> report w/o fiddling with done_io as in your patch. >>>>> >>>>> I gave this a shot, but some fail handlers do want to get called. But >>>> >>>> Which one and/or which part of it? >>> >>> send zc >> >> I don't think so. If prep wasn't called there wouldn't be >> a notif allocated, and so no F_MORE required. If you take >> at the code path it's under REQ_F_NEED_CLEANUP, which is only >> set by opcode handlers > > I'm not making this up, your test case will literally fail as it doesn't > get to flag MORE for that case. FWIW, this was done with EARLY_FAIL > being flagged, and failing if we fail during or before prep. Maybe the test is too strict, but your approach is different from what I mentioned yesterday - return def->prep(req, sqe); + ret = def->prep(req, sqe); + if (unlikely(ret)) { + req->flags |= REQ_F_EARLY_FAIL; + return ret; + } + + return 0; It should only set REQ_F_EARLY_FAIL if we fail _before_ prep is called -- Pavel Begunkov ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH v2] io_uring/net: ensure async prep handlers always initialize ->done_io 2024-03-16 16:36 ` Pavel Begunkov @ 2024-03-16 16:40 ` Pavel Begunkov 2024-03-16 16:42 ` Jens Axboe 1 sibling, 0 replies; 24+ messages in thread From: Pavel Begunkov @ 2024-03-16 16:40 UTC (permalink / raw) To: Jens Axboe, io-uring On 3/16/24 16:36, Pavel Begunkov wrote: > On 3/16/24 16:36, Jens Axboe wrote: >> On 3/16/24 10:32 AM, Pavel Begunkov wrote: >>> On 3/16/24 16:31, Jens Axboe wrote: >>>> On 3/16/24 10:28 AM, Pavel Begunkov wrote: >>>>> On 3/16/24 16:14, Jens Axboe wrote: >>>>>> On 3/15/24 5:28 PM, Pavel Begunkov wrote: >>>>>>> On 3/15/24 23:25, Jens Axboe wrote: >>>>>>>> On 3/15/24 5:19 PM, Pavel Begunkov wrote: >>>>>>>>> On 3/15/24 23:13, Pavel Begunkov wrote: >>>>>>>>>> On 3/15/24 23:09, Pavel Begunkov wrote: >>>>>>>>>>> On 3/15/24 22:48, Jens Axboe wrote: >>>>>>>>>>>> If we get a request with IOSQE_ASYNC set, then we first run the prep >>>>>>>>>>>> async handlers. But if we then fail setting it up and want to post >>>>>>>>>>>> a CQE with -EINVAL, we use ->done_io. This was previously guarded with >>>>>>>>>>>> REQ_F_PARTIAL_IO, and the normal setup handlers do set it up before any >>>>>>>>>>>> potential errors, but we need to cover the async setup too. >>>>>>>>>>> >>>>>>>>>>> You can hit io_req_defer_failed() { opdef->fail(); } >>>>>>>>>>> off of an early submission failure path where def->prep has >>>>>>>>>>> not yet been called, I don't think the patch will fix the >>>>>>>>>>> problem. >>>>>>>>>>> >>>>>>>>>>> ->fail() handlers are fragile, maybe we should skip them >>>>>>>>>>> if def->prep() wasn't called. Not even compile tested: >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c >>>>>>>>>>> index 846d67a9c72e..56eed1490571 100644 >>>>>>>>>>> --- a/io_uring/io_uring.c >>>>>>>>>>> +++ b/io_uring/io_uring.c >>>>>>>>> [...] >>>>>>>>>>> def->fail(req); >>>>>>>>>>> io_req_complete_defer(req); >>>>>>>>>>> } >>>>>>>>>>> @@ -2201,8 +2201,7 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, >>>>>>>>>>> } >>>>>>>>>>> req->flags |= REQ_F_CREDS; >>>>>>>>>>> } >>>>>>>>>>> - >>>>>>>>>>> - return def->prep(req, sqe); >>>>>>>>>>> + return 0; >>>>>>>>>>> } >>>>>>>>>>> >>>>>>>>>>> static __cold int io_submit_fail_init(const struct io_uring_sqe *sqe, >>>>>>>>>>> @@ -2250,8 +2249,15 @@ static inline int io_submit_sqe(struct io_ring_ctx *ctx, struct io_kiocb *req, >>>>>>>>>>> int ret; >>>>>>>>>>> >>>>>>>>>>> ret = io_init_req(ctx, req, sqe); >>>>>>>>>>> - if (unlikely(ret)) >>>>>>>>>>> + if (unlikely(ret)) { >>>>>>>>>>> +fail: >>>>>>>>> >>>>>>>>> Obvious the diff is crap, but still bugging me enough to write >>>>>>>>> that the label should've been one line below, otherwise we'd >>>>>>>>> flag after ->prep as well. >>>>>>>> >>>>>>>> It certainly needs testing :-) >>>>>>>> >>>>>>>> We can go either way - patch up the net thing, or do a proper EARLY_FAIL >>>>>>>> and hopefully not have to worry about it again. Do you want to clean it >>>>>>>> up, test it, and send it out? >>>>>>> >>>>>>> I'd rather leave it to you, I suspect it wouldn't fix the syzbot >>>>>>> report w/o fiddling with done_io as in your patch. >>>>>> >>>>>> I gave this a shot, but some fail handlers do want to get called. But >>>>> >>>>> Which one and/or which part of it? >>>> >>>> send zc >>> >>> I don't think so. If prep wasn't called there wouldn't be >>> a notif allocated, and so no F_MORE required. If you take >>> at the code path it's under REQ_F_NEED_CLEANUP, which is only >>> set by opcode handlers >> >> I'm not making this up, your test case will literally fail as it doesn't >> get to flag MORE for that case. FWIW, this was done with EARLY_FAIL >> being flagged, and failing if we fail during or before prep. > > Maybe the test is too strict, but your approach is different > from what I mentioned yesterday > > - return def->prep(req, sqe); > + ret = def->prep(req, sqe); > + if (unlikely(ret)) { > + req->flags |= REQ_F_EARLY_FAIL; > + return ret; > + } > + > + return 0; > > It should only set REQ_F_EARLY_FAIL if we fail > _before_ prep is called We can't post a notif unless we allocated it, which couldn't possibly happen without ->prep being called fist. Let's better call it UNPREPPED_FAIL or somehow more meaningfully, I expect a lot of confusion around "EARLY_FAIL" -- Pavel Begunkov ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH v2] io_uring/net: ensure async prep handlers always initialize ->done_io 2024-03-16 16:36 ` Pavel Begunkov 2024-03-16 16:40 ` Pavel Begunkov @ 2024-03-16 16:42 ` Jens Axboe 2024-03-16 16:46 ` Pavel Begunkov 1 sibling, 1 reply; 24+ messages in thread From: Jens Axboe @ 2024-03-16 16:42 UTC (permalink / raw) To: Pavel Begunkov, io-uring On 3/16/24 10:36 AM, Pavel Begunkov wrote: > On 3/16/24 16:36, Jens Axboe wrote: >> On 3/16/24 10:32 AM, Pavel Begunkov wrote: >>> On 3/16/24 16:31, Jens Axboe wrote: >>>> On 3/16/24 10:28 AM, Pavel Begunkov wrote: >>>>> On 3/16/24 16:14, Jens Axboe wrote: >>>>>> On 3/15/24 5:28 PM, Pavel Begunkov wrote: >>>>>>> On 3/15/24 23:25, Jens Axboe wrote: >>>>>>>> On 3/15/24 5:19 PM, Pavel Begunkov wrote: >>>>>>>>> On 3/15/24 23:13, Pavel Begunkov wrote: >>>>>>>>>> On 3/15/24 23:09, Pavel Begunkov wrote: >>>>>>>>>>> On 3/15/24 22:48, Jens Axboe wrote: >>>>>>>>>>>> If we get a request with IOSQE_ASYNC set, then we first run the prep >>>>>>>>>>>> async handlers. But if we then fail setting it up and want to post >>>>>>>>>>>> a CQE with -EINVAL, we use ->done_io. This was previously guarded with >>>>>>>>>>>> REQ_F_PARTIAL_IO, and the normal setup handlers do set it up before any >>>>>>>>>>>> potential errors, but we need to cover the async setup too. >>>>>>>>>>> >>>>>>>>>>> You can hit io_req_defer_failed() { opdef->fail(); } >>>>>>>>>>> off of an early submission failure path where def->prep has >>>>>>>>>>> not yet been called, I don't think the patch will fix the >>>>>>>>>>> problem. >>>>>>>>>>> >>>>>>>>>>> ->fail() handlers are fragile, maybe we should skip them >>>>>>>>>>> if def->prep() wasn't called. Not even compile tested: >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c >>>>>>>>>>> index 846d67a9c72e..56eed1490571 100644 >>>>>>>>>>> --- a/io_uring/io_uring.c >>>>>>>>>>> +++ b/io_uring/io_uring.c >>>>>>>>> [...] >>>>>>>>>>> def->fail(req); >>>>>>>>>>> io_req_complete_defer(req); >>>>>>>>>>> } >>>>>>>>>>> @@ -2201,8 +2201,7 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, >>>>>>>>>>> } >>>>>>>>>>> req->flags |= REQ_F_CREDS; >>>>>>>>>>> } >>>>>>>>>>> - >>>>>>>>>>> - return def->prep(req, sqe); >>>>>>>>>>> + return 0; >>>>>>>>>>> } >>>>>>>>>>> >>>>>>>>>>> static __cold int io_submit_fail_init(const struct io_uring_sqe *sqe, >>>>>>>>>>> @@ -2250,8 +2249,15 @@ static inline int io_submit_sqe(struct io_ring_ctx *ctx, struct io_kiocb *req, >>>>>>>>>>> int ret; >>>>>>>>>>> >>>>>>>>>>> ret = io_init_req(ctx, req, sqe); >>>>>>>>>>> - if (unlikely(ret)) >>>>>>>>>>> + if (unlikely(ret)) { >>>>>>>>>>> +fail: >>>>>>>>> >>>>>>>>> Obvious the diff is crap, but still bugging me enough to write >>>>>>>>> that the label should've been one line below, otherwise we'd >>>>>>>>> flag after ->prep as well. >>>>>>>> >>>>>>>> It certainly needs testing :-) >>>>>>>> >>>>>>>> We can go either way - patch up the net thing, or do a proper EARLY_FAIL >>>>>>>> and hopefully not have to worry about it again. Do you want to clean it >>>>>>>> up, test it, and send it out? >>>>>>> >>>>>>> I'd rather leave it to you, I suspect it wouldn't fix the syzbot >>>>>>> report w/o fiddling with done_io as in your patch. >>>>>> >>>>>> I gave this a shot, but some fail handlers do want to get called. But >>>>> >>>>> Which one and/or which part of it? >>>> >>>> send zc >>> >>> I don't think so. If prep wasn't called there wouldn't be >>> a notif allocated, and so no F_MORE required. If you take >>> at the code path it's under REQ_F_NEED_CLEANUP, which is only >>> set by opcode handlers >> >> I'm not making this up, your test case will literally fail as it doesn't >> get to flag MORE for that case. FWIW, this was done with EARLY_FAIL >> being flagged, and failing if we fail during or before prep. > > Maybe the test is too strict, but your approach is different > from what I mentioned yesterday > > - return def->prep(req, sqe); > + ret = def->prep(req, sqe); > + if (unlikely(ret)) { > + req->flags |= REQ_F_EARLY_FAIL; > + return ret; > + } > + > + return 0; > > It should only set REQ_F_EARLY_FAIL if we fail > _before_ prep is called I did try both ways, fails if we just have: return def->prep(req, sqe); fail: req->flags |= REQ_F_EARLY_FAIL; ... as well. -- Jens Axboe ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH v2] io_uring/net: ensure async prep handlers always initialize ->done_io 2024-03-16 16:42 ` Jens Axboe @ 2024-03-16 16:46 ` Pavel Begunkov 2024-03-16 16:51 ` Jens Axboe 0 siblings, 1 reply; 24+ messages in thread From: Pavel Begunkov @ 2024-03-16 16:46 UTC (permalink / raw) To: Jens Axboe, io-uring On 3/16/24 16:42, Jens Axboe wrote: > On 3/16/24 10:36 AM, Pavel Begunkov wrote: >> On 3/16/24 16:36, Jens Axboe wrote: >>> On 3/16/24 10:32 AM, Pavel Begunkov wrote: >>>> On 3/16/24 16:31, Jens Axboe wrote: >>>>> On 3/16/24 10:28 AM, Pavel Begunkov wrote: >>>>>> On 3/16/24 16:14, Jens Axboe wrote: >>>>>>> On 3/15/24 5:28 PM, Pavel Begunkov wrote: >>>>>>>> On 3/15/24 23:25, Jens Axboe wrote: >>>>>>>>> On 3/15/24 5:19 PM, Pavel Begunkov wrote: >>>>>>>>>> On 3/15/24 23:13, Pavel Begunkov wrote: >>>>>>>>>>> On 3/15/24 23:09, Pavel Begunkov wrote: >>>>>>>>>>>> On 3/15/24 22:48, Jens Axboe wrote: >>>>>>>>>>>>> If we get a request with IOSQE_ASYNC set, then we first run the prep >>>>>>>>>>>>> async handlers. But if we then fail setting it up and want to post >>>>>>>>>>>>> a CQE with -EINVAL, we use ->done_io. This was previously guarded with >>>>>>>>>>>>> REQ_F_PARTIAL_IO, and the normal setup handlers do set it up before any >>>>>>>>>>>>> potential errors, but we need to cover the async setup too. >>>>>>>>>>>> >>>>>>>>>>>> You can hit io_req_defer_failed() { opdef->fail(); } >>>>>>>>>>>> off of an early submission failure path where def->prep has >>>>>>>>>>>> not yet been called, I don't think the patch will fix the >>>>>>>>>>>> problem. >>>>>>>>>>>> >>>>>>>>>>>> ->fail() handlers are fragile, maybe we should skip them >>>>>>>>>>>> if def->prep() wasn't called. Not even compile tested: >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c >>>>>>>>>>>> index 846d67a9c72e..56eed1490571 100644 >>>>>>>>>>>> --- a/io_uring/io_uring.c >>>>>>>>>>>> +++ b/io_uring/io_uring.c >>>>>>>>>> [...] >>>>>>>>>>>> def->fail(req); >>>>>>>>>>>> io_req_complete_defer(req); >>>>>>>>>>>> } >>>>>>>>>>>> @@ -2201,8 +2201,7 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, >>>>>>>>>>>> } >>>>>>>>>>>> req->flags |= REQ_F_CREDS; >>>>>>>>>>>> } >>>>>>>>>>>> - >>>>>>>>>>>> - return def->prep(req, sqe); >>>>>>>>>>>> + return 0; >>>>>>>>>>>> } >>>>>>>>>>>> >>>>>>>>>>>> static __cold int io_submit_fail_init(const struct io_uring_sqe *sqe, >>>>>>>>>>>> @@ -2250,8 +2249,15 @@ static inline int io_submit_sqe(struct io_ring_ctx *ctx, struct io_kiocb *req, >>>>>>>>>>>> int ret; >>>>>>>>>>>> >>>>>>>>>>>> ret = io_init_req(ctx, req, sqe); >>>>>>>>>>>> - if (unlikely(ret)) >>>>>>>>>>>> + if (unlikely(ret)) { >>>>>>>>>>>> +fail: >>>>>>>>>> >>>>>>>>>> Obvious the diff is crap, but still bugging me enough to write >>>>>>>>>> that the label should've been one line below, otherwise we'd >>>>>>>>>> flag after ->prep as well. >>>>>>>>> >>>>>>>>> It certainly needs testing :-) >>>>>>>>> >>>>>>>>> We can go either way - patch up the net thing, or do a proper EARLY_FAIL >>>>>>>>> and hopefully not have to worry about it again. Do you want to clean it >>>>>>>>> up, test it, and send it out? >>>>>>>> >>>>>>>> I'd rather leave it to you, I suspect it wouldn't fix the syzbot >>>>>>>> report w/o fiddling with done_io as in your patch. >>>>>>> >>>>>>> I gave this a shot, but some fail handlers do want to get called. But >>>>>> >>>>>> Which one and/or which part of it? >>>>> >>>>> send zc >>>> >>>> I don't think so. If prep wasn't called there wouldn't be >>>> a notif allocated, and so no F_MORE required. If you take >>>> at the code path it's under REQ_F_NEED_CLEANUP, which is only >>>> set by opcode handlers >>> >>> I'm not making this up, your test case will literally fail as it doesn't >>> get to flag MORE for that case. FWIW, this was done with EARLY_FAIL >>> being flagged, and failing if we fail during or before prep. >> >> Maybe the test is too strict, but your approach is different >> from what I mentioned yesterday >> >> - return def->prep(req, sqe); >> + ret = def->prep(req, sqe); >> + if (unlikely(ret)) { >> + req->flags |= REQ_F_EARLY_FAIL; >> + return ret; >> + } >> + >> + return 0; >> >> It should only set REQ_F_EARLY_FAIL if we fail >> _before_ prep is called > > I did try both ways, fails if we just have: Ok, but the point is that the sendzc's ->fail doesn't need to be called unless you've done ->prep first. > return def->prep(req, sqe); > fail: > req->flags |= REQ_F_EARLY_FAIL; > ... > > as well. > -- Pavel Begunkov ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH v2] io_uring/net: ensure async prep handlers always initialize ->done_io 2024-03-16 16:46 ` Pavel Begunkov @ 2024-03-16 16:51 ` Jens Axboe 2024-03-16 16:57 ` Pavel Begunkov 0 siblings, 1 reply; 24+ messages in thread From: Jens Axboe @ 2024-03-16 16:51 UTC (permalink / raw) To: Pavel Begunkov, io-uring On 3/16/24 10:46 AM, Pavel Begunkov wrote: > On 3/16/24 16:42, Jens Axboe wrote: >> On 3/16/24 10:36 AM, Pavel Begunkov wrote: >>> On 3/16/24 16:36, Jens Axboe wrote: >>>> On 3/16/24 10:32 AM, Pavel Begunkov wrote: >>>>> On 3/16/24 16:31, Jens Axboe wrote: >>>>>> On 3/16/24 10:28 AM, Pavel Begunkov wrote: >>>>>>> On 3/16/24 16:14, Jens Axboe wrote: >>>>>>>> On 3/15/24 5:28 PM, Pavel Begunkov wrote: >>>>>>>>> On 3/15/24 23:25, Jens Axboe wrote: >>>>>>>>>> On 3/15/24 5:19 PM, Pavel Begunkov wrote: >>>>>>>>>>> On 3/15/24 23:13, Pavel Begunkov wrote: >>>>>>>>>>>> On 3/15/24 23:09, Pavel Begunkov wrote: >>>>>>>>>>>>> On 3/15/24 22:48, Jens Axboe wrote: >>>>>>>>>>>>>> If we get a request with IOSQE_ASYNC set, then we first run the prep >>>>>>>>>>>>>> async handlers. But if we then fail setting it up and want to post >>>>>>>>>>>>>> a CQE with -EINVAL, we use ->done_io. This was previously guarded with >>>>>>>>>>>>>> REQ_F_PARTIAL_IO, and the normal setup handlers do set it up before any >>>>>>>>>>>>>> potential errors, but we need to cover the async setup too. >>>>>>>>>>>>> >>>>>>>>>>>>> You can hit io_req_defer_failed() { opdef->fail(); } >>>>>>>>>>>>> off of an early submission failure path where def->prep has >>>>>>>>>>>>> not yet been called, I don't think the patch will fix the >>>>>>>>>>>>> problem. >>>>>>>>>>>>> >>>>>>>>>>>>> ->fail() handlers are fragile, maybe we should skip them >>>>>>>>>>>>> if def->prep() wasn't called. Not even compile tested: >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c >>>>>>>>>>>>> index 846d67a9c72e..56eed1490571 100644 >>>>>>>>>>>>> --- a/io_uring/io_uring.c >>>>>>>>>>>>> +++ b/io_uring/io_uring.c >>>>>>>>>>> [...] >>>>>>>>>>>>> def->fail(req); >>>>>>>>>>>>> io_req_complete_defer(req); >>>>>>>>>>>>> } >>>>>>>>>>>>> @@ -2201,8 +2201,7 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, >>>>>>>>>>>>> } >>>>>>>>>>>>> req->flags |= REQ_F_CREDS; >>>>>>>>>>>>> } >>>>>>>>>>>>> - >>>>>>>>>>>>> - return def->prep(req, sqe); >>>>>>>>>>>>> + return 0; >>>>>>>>>>>>> } >>>>>>>>>>>>> >>>>>>>>>>>>> static __cold int io_submit_fail_init(const struct io_uring_sqe *sqe, >>>>>>>>>>>>> @@ -2250,8 +2249,15 @@ static inline int io_submit_sqe(struct io_ring_ctx *ctx, struct io_kiocb *req, >>>>>>>>>>>>> int ret; >>>>>>>>>>>>> >>>>>>>>>>>>> ret = io_init_req(ctx, req, sqe); >>>>>>>>>>>>> - if (unlikely(ret)) >>>>>>>>>>>>> + if (unlikely(ret)) { >>>>>>>>>>>>> +fail: >>>>>>>>>>> >>>>>>>>>>> Obvious the diff is crap, but still bugging me enough to write >>>>>>>>>>> that the label should've been one line below, otherwise we'd >>>>>>>>>>> flag after ->prep as well. >>>>>>>>>> >>>>>>>>>> It certainly needs testing :-) >>>>>>>>>> >>>>>>>>>> We can go either way - patch up the net thing, or do a proper EARLY_FAIL >>>>>>>>>> and hopefully not have to worry about it again. Do you want to clean it >>>>>>>>>> up, test it, and send it out? >>>>>>>>> >>>>>>>>> I'd rather leave it to you, I suspect it wouldn't fix the syzbot >>>>>>>>> report w/o fiddling with done_io as in your patch. >>>>>>>> >>>>>>>> I gave this a shot, but some fail handlers do want to get called. But >>>>>>> >>>>>>> Which one and/or which part of it? >>>>>> >>>>>> send zc >>>>> >>>>> I don't think so. If prep wasn't called there wouldn't be >>>>> a notif allocated, and so no F_MORE required. If you take >>>>> at the code path it's under REQ_F_NEED_CLEANUP, which is only >>>>> set by opcode handlers >>>> >>>> I'm not making this up, your test case will literally fail as it doesn't >>>> get to flag MORE for that case. FWIW, this was done with EARLY_FAIL >>>> being flagged, and failing if we fail during or before prep. >>> >>> Maybe the test is too strict, but your approach is different >>> from what I mentioned yesterday >>> >>> - return def->prep(req, sqe); >>> + ret = def->prep(req, sqe); >>> + if (unlikely(ret)) { >>> + req->flags |= REQ_F_EARLY_FAIL; >>> + return ret; >>> + } >>> + >>> + return 0; >>> >>> It should only set REQ_F_EARLY_FAIL if we fail >>> _before_ prep is called >> >> I did try both ways, fails if we just have: > > Ok, but the point is that the sendzc's ->fail doesn't > need to be called unless you've done ->prep first. But it fails, not sure how else to say it. FWIW, the current io_uring-6.9 branch has two patches on top, looks fine for me so far. We'll see if syzbot agrees. I'll send them out later today, unless I change my mind and try a different approach. -- Jens Axboe ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH v2] io_uring/net: ensure async prep handlers always initialize ->done_io 2024-03-16 16:51 ` Jens Axboe @ 2024-03-16 16:57 ` Pavel Begunkov 2024-03-16 17:01 ` Jens Axboe 0 siblings, 1 reply; 24+ messages in thread From: Pavel Begunkov @ 2024-03-16 16:57 UTC (permalink / raw) To: Jens Axboe, io-uring On 3/16/24 16:51, Jens Axboe wrote: > On 3/16/24 10:46 AM, Pavel Begunkov wrote: >> On 3/16/24 16:42, Jens Axboe wrote: >>> On 3/16/24 10:36 AM, Pavel Begunkov wrote: >>>> On 3/16/24 16:36, Jens Axboe wrote: >>>>> On 3/16/24 10:32 AM, Pavel Begunkov wrote: >>>>>> On 3/16/24 16:31, Jens Axboe wrote: >>>>>>> On 3/16/24 10:28 AM, Pavel Begunkov wrote: >>>>>>>> On 3/16/24 16:14, Jens Axboe wrote: >>>>>>>>> On 3/15/24 5:28 PM, Pavel Begunkov wrote: >>>>>>>>>> On 3/15/24 23:25, Jens Axboe wrote: >>>>>>>>>>> On 3/15/24 5:19 PM, Pavel Begunkov wrote: >>>>>>>>>>>> On 3/15/24 23:13, Pavel Begunkov wrote: >>>>>>>>>>>>> On 3/15/24 23:09, Pavel Begunkov wrote: >>>>>>>>>>>>>> On 3/15/24 22:48, Jens Axboe wrote: >>>>>>>>>>>>>>> If we get a request with IOSQE_ASYNC set, then we first run the prep >>>>>>>>>>>>>>> async handlers. But if we then fail setting it up and want to post >>>>>>>>>>>>>>> a CQE with -EINVAL, we use ->done_io. This was previously guarded with >>>>>>>>>>>>>>> REQ_F_PARTIAL_IO, and the normal setup handlers do set it up before any >>>>>>>>>>>>>>> potential errors, but we need to cover the async setup too. >>>>>>>>>>>>>> >>>>>>>>>>>>>> You can hit io_req_defer_failed() { opdef->fail(); } >>>>>>>>>>>>>> off of an early submission failure path where def->prep has >>>>>>>>>>>>>> not yet been called, I don't think the patch will fix the >>>>>>>>>>>>>> problem. >>>>>>>>>>>>>> >>>>>>>>>>>>>> ->fail() handlers are fragile, maybe we should skip them >>>>>>>>>>>>>> if def->prep() wasn't called. Not even compile tested: >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c >>>>>>>>>>>>>> index 846d67a9c72e..56eed1490571 100644 >>>>>>>>>>>>>> --- a/io_uring/io_uring.c >>>>>>>>>>>>>> +++ b/io_uring/io_uring.c >>>>>>>>>>>> [...] >>>>>>>>>>>>>> def->fail(req); >>>>>>>>>>>>>> io_req_complete_defer(req); >>>>>>>>>>>>>> } >>>>>>>>>>>>>> @@ -2201,8 +2201,7 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, >>>>>>>>>>>>>> } >>>>>>>>>>>>>> req->flags |= REQ_F_CREDS; >>>>>>>>>>>>>> } >>>>>>>>>>>>>> - >>>>>>>>>>>>>> - return def->prep(req, sqe); >>>>>>>>>>>>>> + return 0; >>>>>>>>>>>>>> } >>>>>>>>>>>>>> >>>>>>>>>>>>>> static __cold int io_submit_fail_init(const struct io_uring_sqe *sqe, >>>>>>>>>>>>>> @@ -2250,8 +2249,15 @@ static inline int io_submit_sqe(struct io_ring_ctx *ctx, struct io_kiocb *req, >>>>>>>>>>>>>> int ret; >>>>>>>>>>>>>> >>>>>>>>>>>>>> ret = io_init_req(ctx, req, sqe); >>>>>>>>>>>>>> - if (unlikely(ret)) >>>>>>>>>>>>>> + if (unlikely(ret)) { >>>>>>>>>>>>>> +fail: >>>>>>>>>>>> >>>>>>>>>>>> Obvious the diff is crap, but still bugging me enough to write >>>>>>>>>>>> that the label should've been one line below, otherwise we'd >>>>>>>>>>>> flag after ->prep as well. >>>>>>>>>>> >>>>>>>>>>> It certainly needs testing :-) >>>>>>>>>>> >>>>>>>>>>> We can go either way - patch up the net thing, or do a proper EARLY_FAIL >>>>>>>>>>> and hopefully not have to worry about it again. Do you want to clean it >>>>>>>>>>> up, test it, and send it out? >>>>>>>>>> >>>>>>>>>> I'd rather leave it to you, I suspect it wouldn't fix the syzbot >>>>>>>>>> report w/o fiddling with done_io as in your patch. >>>>>>>>> >>>>>>>>> I gave this a shot, but some fail handlers do want to get called. But >>>>>>>> >>>>>>>> Which one and/or which part of it? >>>>>>> >>>>>>> send zc >>>>>> >>>>>> I don't think so. If prep wasn't called there wouldn't be >>>>>> a notif allocated, and so no F_MORE required. If you take >>>>>> at the code path it's under REQ_F_NEED_CLEANUP, which is only >>>>>> set by opcode handlers >>>>> >>>>> I'm not making this up, your test case will literally fail as it doesn't >>>>> get to flag MORE for that case. FWIW, this was done with EARLY_FAIL >>>>> being flagged, and failing if we fail during or before prep. >>>> >>>> Maybe the test is too strict, but your approach is different >>>> from what I mentioned yesterday >>>> >>>> - return def->prep(req, sqe); >>>> + ret = def->prep(req, sqe); >>>> + if (unlikely(ret)) { >>>> + req->flags |= REQ_F_EARLY_FAIL; >>>> + return ret; >>>> + } >>>> + >>>> + return 0; >>>> >>>> It should only set REQ_F_EARLY_FAIL if we fail >>>> _before_ prep is called >>> >>> I did try both ways, fails if we just have: >> >> Ok, but the point is that the sendzc's ->fail doesn't >> need to be called unless you've done ->prep first. > > But it fails, not sure how else to say it. liburing tests? Which test case? If so, it should be another bug. REQ_F_NEED_CLEANUP is only set by opcodes, if a request is terminated before ->prep is called, it means it never entered any of the opdef callbacks and have never seen any of net.c code, so there should be no REQ_F_NEED_CLEANUP, and so io_sendrecv_fail() wouldn't try to set F_MORE. I don't know what's wrong. > FWIW, the current io_uring-6.9 branch has two patches on top, looks fine > for me so far. We'll see if syzbot agrees. I'll send them out later > today, unless I change my mind and try a different approach. > -- Pavel Begunkov ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH v2] io_uring/net: ensure async prep handlers always initialize ->done_io 2024-03-16 16:57 ` Pavel Begunkov @ 2024-03-16 17:01 ` Jens Axboe 2024-03-16 17:42 ` Pavel Begunkov 0 siblings, 1 reply; 24+ messages in thread From: Jens Axboe @ 2024-03-16 17:01 UTC (permalink / raw) To: Pavel Begunkov, io-uring On 3/16/24 10:57 AM, Pavel Begunkov wrote: > On 3/16/24 16:51, Jens Axboe wrote: >> On 3/16/24 10:46 AM, Pavel Begunkov wrote: >>> On 3/16/24 16:42, Jens Axboe wrote: >>>> On 3/16/24 10:36 AM, Pavel Begunkov wrote: >>>>> On 3/16/24 16:36, Jens Axboe wrote: >>>>>> On 3/16/24 10:32 AM, Pavel Begunkov wrote: >>>>>>> On 3/16/24 16:31, Jens Axboe wrote: >>>>>>>> On 3/16/24 10:28 AM, Pavel Begunkov wrote: >>>>>>>>> On 3/16/24 16:14, Jens Axboe wrote: >>>>>>>>>> On 3/15/24 5:28 PM, Pavel Begunkov wrote: >>>>>>>>>>> On 3/15/24 23:25, Jens Axboe wrote: >>>>>>>>>>>> On 3/15/24 5:19 PM, Pavel Begunkov wrote: >>>>>>>>>>>>> On 3/15/24 23:13, Pavel Begunkov wrote: >>>>>>>>>>>>>> On 3/15/24 23:09, Pavel Begunkov wrote: >>>>>>>>>>>>>>> On 3/15/24 22:48, Jens Axboe wrote: >>>>>>>>>>>>>>>> If we get a request with IOSQE_ASYNC set, then we first run the prep >>>>>>>>>>>>>>>> async handlers. But if we then fail setting it up and want to post >>>>>>>>>>>>>>>> a CQE with -EINVAL, we use ->done_io. This was previously guarded with >>>>>>>>>>>>>>>> REQ_F_PARTIAL_IO, and the normal setup handlers do set it up before any >>>>>>>>>>>>>>>> potential errors, but we need to cover the async setup too. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> You can hit io_req_defer_failed() { opdef->fail(); } >>>>>>>>>>>>>>> off of an early submission failure path where def->prep has >>>>>>>>>>>>>>> not yet been called, I don't think the patch will fix the >>>>>>>>>>>>>>> problem. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> ->fail() handlers are fragile, maybe we should skip them >>>>>>>>>>>>>>> if def->prep() wasn't called. Not even compile tested: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c >>>>>>>>>>>>>>> index 846d67a9c72e..56eed1490571 100644 >>>>>>>>>>>>>>> --- a/io_uring/io_uring.c >>>>>>>>>>>>>>> +++ b/io_uring/io_uring.c >>>>>>>>>>>>> [...] >>>>>>>>>>>>>>> def->fail(req); >>>>>>>>>>>>>>> io_req_complete_defer(req); >>>>>>>>>>>>>>> } >>>>>>>>>>>>>>> @@ -2201,8 +2201,7 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, >>>>>>>>>>>>>>> } >>>>>>>>>>>>>>> req->flags |= REQ_F_CREDS; >>>>>>>>>>>>>>> } >>>>>>>>>>>>>>> - >>>>>>>>>>>>>>> - return def->prep(req, sqe); >>>>>>>>>>>>>>> + return 0; >>>>>>>>>>>>>>> } >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> static __cold int io_submit_fail_init(const struct io_uring_sqe *sqe, >>>>>>>>>>>>>>> @@ -2250,8 +2249,15 @@ static inline int io_submit_sqe(struct io_ring_ctx *ctx, struct io_kiocb *req, >>>>>>>>>>>>>>> int ret; >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> ret = io_init_req(ctx, req, sqe); >>>>>>>>>>>>>>> - if (unlikely(ret)) >>>>>>>>>>>>>>> + if (unlikely(ret)) { >>>>>>>>>>>>>>> +fail: >>>>>>>>>>>>> >>>>>>>>>>>>> Obvious the diff is crap, but still bugging me enough to write >>>>>>>>>>>>> that the label should've been one line below, otherwise we'd >>>>>>>>>>>>> flag after ->prep as well. >>>>>>>>>>>> >>>>>>>>>>>> It certainly needs testing :-) >>>>>>>>>>>> >>>>>>>>>>>> We can go either way - patch up the net thing, or do a proper EARLY_FAIL >>>>>>>>>>>> and hopefully not have to worry about it again. Do you want to clean it >>>>>>>>>>>> up, test it, and send it out? >>>>>>>>>>> >>>>>>>>>>> I'd rather leave it to you, I suspect it wouldn't fix the syzbot >>>>>>>>>>> report w/o fiddling with done_io as in your patch. >>>>>>>>>> >>>>>>>>>> I gave this a shot, but some fail handlers do want to get called. But >>>>>>>>> >>>>>>>>> Which one and/or which part of it? >>>>>>>> >>>>>>>> send zc >>>>>>> >>>>>>> I don't think so. If prep wasn't called there wouldn't be >>>>>>> a notif allocated, and so no F_MORE required. If you take >>>>>>> at the code path it's under REQ_F_NEED_CLEANUP, which is only >>>>>>> set by opcode handlers >>>>>> >>>>>> I'm not making this up, your test case will literally fail as it doesn't >>>>>> get to flag MORE for that case. FWIW, this was done with EARLY_FAIL >>>>>> being flagged, and failing if we fail during or before prep. >>>>> >>>>> Maybe the test is too strict, but your approach is different >>>>> from what I mentioned yesterday >>>>> >>>>> - return def->prep(req, sqe); >>>>> + ret = def->prep(req, sqe); >>>>> + if (unlikely(ret)) { >>>>> + req->flags |= REQ_F_EARLY_FAIL; >>>>> + return ret; >>>>> + } >>>>> + >>>>> + return 0; >>>>> >>>>> It should only set REQ_F_EARLY_FAIL if we fail >>>>> _before_ prep is called >>>> >>>> I did try both ways, fails if we just have: >>> >>> Ok, but the point is that the sendzc's ->fail doesn't >>> need to be called unless you've done ->prep first. >> >> But it fails, not sure how else to say it. > > liburing tests? Which test case? If so, it should be another Like I mentioned earlier, it's send zc and it's failing the test case for that. test/send-zerocopy.t. > bug. REQ_F_NEED_CLEANUP is only set by opcodes, if a request is > terminated before ->prep is called, it means it never entered > any of the opdef callbacks and have never seen any of net.c > code, so there should be no REQ_F_NEED_CLEANUP, and so > io_sendrecv_fail() wouldn't try to set F_MORE. I don't know > what's wrong. Feel free to take a look! I do like the simplicity of the early error flag. -- Jens Axboe ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH v2] io_uring/net: ensure async prep handlers always initialize ->done_io 2024-03-16 17:01 ` Jens Axboe @ 2024-03-16 17:42 ` Pavel Begunkov 2024-03-16 23:58 ` Jens Axboe 0 siblings, 1 reply; 24+ messages in thread From: Pavel Begunkov @ 2024-03-16 17:42 UTC (permalink / raw) To: Jens Axboe, io-uring On 3/16/24 17:01, Jens Axboe wrote: > On 3/16/24 10:57 AM, Pavel Begunkov wrote: >> On 3/16/24 16:51, Jens Axboe wrote: >>> On 3/16/24 10:46 AM, Pavel Begunkov wrote: >>>> On 3/16/24 16:42, Jens Axboe wrote: >>>>> On 3/16/24 10:36 AM, Pavel Begunkov wrote: >>>>>> On 3/16/24 16:36, Jens Axboe wrote: >>>>>>> On 3/16/24 10:32 AM, Pavel Begunkov wrote: >>>>>>>> On 3/16/24 16:31, Jens Axboe wrote: >>>>>>>>> On 3/16/24 10:28 AM, Pavel Begunkov wrote: >>>>>>>>>> On 3/16/24 16:14, Jens Axboe wrote: >>>>>>>>>>> On 3/15/24 5:28 PM, Pavel Begunkov wrote: >>>>>>>>>>>> On 3/15/24 23:25, Jens Axboe wrote: >>>>>>>>>>>>> On 3/15/24 5:19 PM, Pavel Begunkov wrote: >>>>>>>>>>>>>> On 3/15/24 23:13, Pavel Begunkov wrote: >>>>>>>>>>>>>>> On 3/15/24 23:09, Pavel Begunkov wrote: >>>>>>>>>>>>>>>> On 3/15/24 22:48, Jens Axboe wrote: >>>>>>>>>>>>>>>>> If we get a request with IOSQE_ASYNC set, then we first run the prep >>>>>>>>>>>>>>>>> async handlers. But if we then fail setting it up and want to post >>>>>>>>>>>>>>>>> a CQE with -EINVAL, we use ->done_io. This was previously guarded with >>>>>>>>>>>>>>>>> REQ_F_PARTIAL_IO, and the normal setup handlers do set it up before any >>>>>>>>>>>>>>>>> potential errors, but we need to cover the async setup too. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> You can hit io_req_defer_failed() { opdef->fail(); } >>>>>>>>>>>>>>>> off of an early submission failure path where def->prep has >>>>>>>>>>>>>>>> not yet been called, I don't think the patch will fix the >>>>>>>>>>>>>>>> problem. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> ->fail() handlers are fragile, maybe we should skip them >>>>>>>>>>>>>>>> if def->prep() wasn't called. Not even compile tested: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c >>>>>>>>>>>>>>>> index 846d67a9c72e..56eed1490571 100644 >>>>>>>>>>>>>>>> --- a/io_uring/io_uring.c >>>>>>>>>>>>>>>> +++ b/io_uring/io_uring.c >>>>>>>>>>>>>> [...] >>>>>>>>>>>>>>>> def->fail(req); >>>>>>>>>>>>>>>> io_req_complete_defer(req); >>>>>>>>>>>>>>>> } >>>>>>>>>>>>>>>> @@ -2201,8 +2201,7 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, >>>>>>>>>>>>>>>> } >>>>>>>>>>>>>>>> req->flags |= REQ_F_CREDS; >>>>>>>>>>>>>>>> } >>>>>>>>>>>>>>>> - >>>>>>>>>>>>>>>> - return def->prep(req, sqe); >>>>>>>>>>>>>>>> + return 0; >>>>>>>>>>>>>>>> } >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> static __cold int io_submit_fail_init(const struct io_uring_sqe *sqe, >>>>>>>>>>>>>>>> @@ -2250,8 +2249,15 @@ static inline int io_submit_sqe(struct io_ring_ctx *ctx, struct io_kiocb *req, >>>>>>>>>>>>>>>> int ret; >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> ret = io_init_req(ctx, req, sqe); >>>>>>>>>>>>>>>> - if (unlikely(ret)) >>>>>>>>>>>>>>>> + if (unlikely(ret)) { >>>>>>>>>>>>>>>> +fail: >>>>>>>>>>>>>> >>>>>>>>>>>>>> Obvious the diff is crap, but still bugging me enough to write >>>>>>>>>>>>>> that the label should've been one line below, otherwise we'd >>>>>>>>>>>>>> flag after ->prep as well. >>>>>>>>>>>>> >>>>>>>>>>>>> It certainly needs testing :-) >>>>>>>>>>>>> >>>>>>>>>>>>> We can go either way - patch up the net thing, or do a proper EARLY_FAIL >>>>>>>>>>>>> and hopefully not have to worry about it again. Do you want to clean it >>>>>>>>>>>>> up, test it, and send it out? >>>>>>>>>>>> >>>>>>>>>>>> I'd rather leave it to you, I suspect it wouldn't fix the syzbot >>>>>>>>>>>> report w/o fiddling with done_io as in your patch. >>>>>>>>>>> >>>>>>>>>>> I gave this a shot, but some fail handlers do want to get called. But >>>>>>>>>> >>>>>>>>>> Which one and/or which part of it? >>>>>>>>> >>>>>>>>> send zc >>>>>>>> >>>>>>>> I don't think so. If prep wasn't called there wouldn't be >>>>>>>> a notif allocated, and so no F_MORE required. If you take >>>>>>>> at the code path it's under REQ_F_NEED_CLEANUP, which is only >>>>>>>> set by opcode handlers >>>>>>> >>>>>>> I'm not making this up, your test case will literally fail as it doesn't >>>>>>> get to flag MORE for that case. FWIW, this was done with EARLY_FAIL >>>>>>> being flagged, and failing if we fail during or before prep. >>>>>> >>>>>> Maybe the test is too strict, but your approach is different >>>>>> from what I mentioned yesterday >>>>>> >>>>>> - return def->prep(req, sqe); >>>>>> + ret = def->prep(req, sqe); >>>>>> + if (unlikely(ret)) { >>>>>> + req->flags |= REQ_F_EARLY_FAIL; >>>>>> + return ret; >>>>>> + } >>>>>> + >>>>>> + return 0; >>>>>> >>>>>> It should only set REQ_F_EARLY_FAIL if we fail >>>>>> _before_ prep is called >>>>> >>>>> I did try both ways, fails if we just have: >>>> >>>> Ok, but the point is that the sendzc's ->fail doesn't >>>> need to be called unless you've done ->prep first. >>> >>> But it fails, not sure how else to say it. >> >> liburing tests? Which test case? If so, it should be another > > Like I mentioned earlier, it's send zc and it's failing the test case > for that. test/send-zerocopy.t. > >> bug. REQ_F_NEED_CLEANUP is only set by opcodes, if a request is >> terminated before ->prep is called, it means it never entered >> any of the opdef callbacks and have never seen any of net.c >> code, so there should be no REQ_F_NEED_CLEANUP, and so >> io_sendrecv_fail() wouldn't try to set F_MORE. I don't know >> what's wrong. > > Feel free to take a look! I do like the simplicity of the early error > flag. ./send-zerocopy.t works fine diff --git a/include/linux/io_uring_types.h b/include/linux/io_uring_types.h index ea7e5488b3be..de3a2c67c4a7 100644 --- a/include/linux/io_uring_types.h +++ b/include/linux/io_uring_types.h @@ -478,6 +478,7 @@ enum { REQ_F_CAN_POLL_BIT, REQ_F_BL_EMPTY_BIT, REQ_F_BL_NO_RECYCLE_BIT, + REQ_F_UNPREPPED_FAIL_BIT, /* not a real bit, just to check we're not overflowing the space */ __REQ_F_LAST_BIT, @@ -556,6 +557,8 @@ enum { REQ_F_BL_EMPTY = IO_REQ_FLAG(REQ_F_BL_EMPTY_BIT), /* don't recycle provided buffers for this request */ REQ_F_BL_NO_RECYCLE = IO_REQ_FLAG(REQ_F_BL_NO_RECYCLE_BIT), + + REQ_F_UNPREPPED_FAIL = IO_REQ_FLAG(REQ_F_UNPREPPED_FAIL_BIT), }; typedef void (*io_req_tw_func_t)(struct io_kiocb *req, struct io_tw_state *ts); diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index 846d67a9c72e..6523fa4c5630 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -993,7 +993,7 @@ void io_req_defer_failed(struct io_kiocb *req, s32 res) req_set_fail(req); io_req_set_res(req, res, io_put_kbuf(req, IO_URING_F_UNLOCKED)); - if (def->fail) + if (!(req->flags & REQ_F_UNPREPPED_FAIL) && def->fail) def->fail(req); io_req_complete_defer(req); } @@ -2201,8 +2201,7 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, } req->flags |= REQ_F_CREDS; } - - return def->prep(req, sqe); + return 0; } static __cold int io_submit_fail_init(const struct io_uring_sqe *sqe, @@ -2250,7 +2249,13 @@ static inline int io_submit_sqe(struct io_ring_ctx *ctx, struct io_kiocb *req, int ret; ret = io_init_req(ctx, req, sqe); - if (unlikely(ret)) + if (unlikely(ret)) { + req->flags |= REQ_F_UNPREPPED_FAIL; + return io_submit_fail_init(sqe, req, ret); + } + + ret = def->prep(req, sqe); + if (ret) return io_submit_fail_init(sqe, req, ret); trace_io_uring_submit_req(req); -- Pavel Begunkov ^ permalink raw reply related [flat|nested] 24+ messages in thread
* Re: [PATCH v2] io_uring/net: ensure async prep handlers always initialize ->done_io 2024-03-16 17:42 ` Pavel Begunkov @ 2024-03-16 23:58 ` Jens Axboe 2024-03-17 20:45 ` Pavel Begunkov 0 siblings, 1 reply; 24+ messages in thread From: Jens Axboe @ 2024-03-16 23:58 UTC (permalink / raw) To: Pavel Begunkov, io-uring On 3/16/24 11:42 AM, Pavel Begunkov wrote: > On 3/16/24 17:01, Jens Axboe wrote: >> On 3/16/24 10:57 AM, Pavel Begunkov wrote: >>> On 3/16/24 16:51, Jens Axboe wrote: >>>> On 3/16/24 10:46 AM, Pavel Begunkov wrote: >>>>> On 3/16/24 16:42, Jens Axboe wrote: >>>>>> On 3/16/24 10:36 AM, Pavel Begunkov wrote: >>>>>>> On 3/16/24 16:36, Jens Axboe wrote: >>>>>>>> On 3/16/24 10:32 AM, Pavel Begunkov wrote: >>>>>>>>> On 3/16/24 16:31, Jens Axboe wrote: >>>>>>>>>> On 3/16/24 10:28 AM, Pavel Begunkov wrote: >>>>>>>>>>> On 3/16/24 16:14, Jens Axboe wrote: >>>>>>>>>>>> On 3/15/24 5:28 PM, Pavel Begunkov wrote: >>>>>>>>>>>>> On 3/15/24 23:25, Jens Axboe wrote: >>>>>>>>>>>>>> On 3/15/24 5:19 PM, Pavel Begunkov wrote: >>>>>>>>>>>>>>> On 3/15/24 23:13, Pavel Begunkov wrote: >>>>>>>>>>>>>>>> On 3/15/24 23:09, Pavel Begunkov wrote: >>>>>>>>>>>>>>>>> On 3/15/24 22:48, Jens Axboe wrote: >>>>>>>>>>>>>>>>>> If we get a request with IOSQE_ASYNC set, then we first run the prep >>>>>>>>>>>>>>>>>> async handlers. But if we then fail setting it up and want to post >>>>>>>>>>>>>>>>>> a CQE with -EINVAL, we use ->done_io. This was previously guarded with >>>>>>>>>>>>>>>>>> REQ_F_PARTIAL_IO, and the normal setup handlers do set it up before any >>>>>>>>>>>>>>>>>> potential errors, but we need to cover the async setup too. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> You can hit io_req_defer_failed() { opdef->fail(); } >>>>>>>>>>>>>>>>> off of an early submission failure path where def->prep has >>>>>>>>>>>>>>>>> not yet been called, I don't think the patch will fix the >>>>>>>>>>>>>>>>> problem. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> ->fail() handlers are fragile, maybe we should skip them >>>>>>>>>>>>>>>>> if def->prep() wasn't called. Not even compile tested: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c >>>>>>>>>>>>>>>>> index 846d67a9c72e..56eed1490571 100644 >>>>>>>>>>>>>>>>> --- a/io_uring/io_uring.c >>>>>>>>>>>>>>>>> +++ b/io_uring/io_uring.c >>>>>>>>>>>>>>> [...] >>>>>>>>>>>>>>>>> def->fail(req); >>>>>>>>>>>>>>>>> io_req_complete_defer(req); >>>>>>>>>>>>>>>>> } >>>>>>>>>>>>>>>>> @@ -2201,8 +2201,7 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, >>>>>>>>>>>>>>>>> } >>>>>>>>>>>>>>>>> req->flags |= REQ_F_CREDS; >>>>>>>>>>>>>>>>> } >>>>>>>>>>>>>>>>> - >>>>>>>>>>>>>>>>> - return def->prep(req, sqe); >>>>>>>>>>>>>>>>> + return 0; >>>>>>>>>>>>>>>>> } >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> static __cold int io_submit_fail_init(const struct io_uring_sqe *sqe, >>>>>>>>>>>>>>>>> @@ -2250,8 +2249,15 @@ static inline int io_submit_sqe(struct io_ring_ctx *ctx, struct io_kiocb *req, >>>>>>>>>>>>>>>>> int ret; >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> ret = io_init_req(ctx, req, sqe); >>>>>>>>>>>>>>>>> - if (unlikely(ret)) >>>>>>>>>>>>>>>>> + if (unlikely(ret)) { >>>>>>>>>>>>>>>>> +fail: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Obvious the diff is crap, but still bugging me enough to write >>>>>>>>>>>>>>> that the label should've been one line below, otherwise we'd >>>>>>>>>>>>>>> flag after ->prep as well. >>>>>>>>>>>>>> >>>>>>>>>>>>>> It certainly needs testing :-) >>>>>>>>>>>>>> >>>>>>>>>>>>>> We can go either way - patch up the net thing, or do a proper EARLY_FAIL >>>>>>>>>>>>>> and hopefully not have to worry about it again. Do you want to clean it >>>>>>>>>>>>>> up, test it, and send it out? >>>>>>>>>>>>> >>>>>>>>>>>>> I'd rather leave it to you, I suspect it wouldn't fix the syzbot >>>>>>>>>>>>> report w/o fiddling with done_io as in your patch. >>>>>>>>>>>> >>>>>>>>>>>> I gave this a shot, but some fail handlers do want to get called. But >>>>>>>>>>> >>>>>>>>>>> Which one and/or which part of it? >>>>>>>>>> >>>>>>>>>> send zc >>>>>>>>> >>>>>>>>> I don't think so. If prep wasn't called there wouldn't be >>>>>>>>> a notif allocated, and so no F_MORE required. If you take >>>>>>>>> at the code path it's under REQ_F_NEED_CLEANUP, which is only >>>>>>>>> set by opcode handlers >>>>>>>> >>>>>>>> I'm not making this up, your test case will literally fail as it doesn't >>>>>>>> get to flag MORE for that case. FWIW, this was done with EARLY_FAIL >>>>>>>> being flagged, and failing if we fail during or before prep. >>>>>>> >>>>>>> Maybe the test is too strict, but your approach is different >>>>>>> from what I mentioned yesterday >>>>>>> >>>>>>> - return def->prep(req, sqe); >>>>>>> + ret = def->prep(req, sqe); >>>>>>> + if (unlikely(ret)) { >>>>>>> + req->flags |= REQ_F_EARLY_FAIL; >>>>>>> + return ret; >>>>>>> + } >>>>>>> + >>>>>>> + return 0; >>>>>>> >>>>>>> It should only set REQ_F_EARLY_FAIL if we fail >>>>>>> _before_ prep is called >>>>>> >>>>>> I did try both ways, fails if we just have: >>>>> >>>>> Ok, but the point is that the sendzc's ->fail doesn't >>>>> need to be called unless you've done ->prep first. >>>> >>>> But it fails, not sure how else to say it. >>> >>> liburing tests? Which test case? If so, it should be another >> >> Like I mentioned earlier, it's send zc and it's failing the test case >> for that. test/send-zerocopy.t. >> >>> bug. REQ_F_NEED_CLEANUP is only set by opcodes, if a request is >>> terminated before ->prep is called, it means it never entered >>> any of the opdef callbacks and have never seen any of net.c >>> code, so there should be no REQ_F_NEED_CLEANUP, and so >>> io_sendrecv_fail() wouldn't try to set F_MORE. I don't know >>> what's wrong. >> >> Feel free to take a look! I do like the simplicity of the early error >> flag. > > ./send-zerocopy.t works fine Huh, I wonder what I messed up. But: > @@ -2250,7 +2249,13 @@ static inline int io_submit_sqe(struct io_ring_ctx *ctx, struct io_kiocb *req, > int ret; > > ret = io_init_req(ctx, req, sqe); > - if (unlikely(ret)) > + if (unlikely(ret)) { > + req->flags |= REQ_F_UNPREPPED_FAIL; > + return io_submit_fail_init(sqe, req, ret); > + } > + > + ret = def->prep(req, sqe); > + if (ret) > return io_submit_fail_init(sqe, req, ret); this obviously won't compile, assuming this is not the one you ran. In any case, I do like the one I sent out for review. It moves all the slow path out of line and shrinks things nicely too. And clearing the cmd.data area seems like a good idea for that case. -- Jens Axboe ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: [PATCH v2] io_uring/net: ensure async prep handlers always initialize ->done_io 2024-03-16 23:58 ` Jens Axboe @ 2024-03-17 20:45 ` Pavel Begunkov 0 siblings, 0 replies; 24+ messages in thread From: Pavel Begunkov @ 2024-03-17 20:45 UTC (permalink / raw) To: Jens Axboe, io-uring On 3/16/24 23:58, Jens Axboe wrote: > On 3/16/24 11:42 AM, Pavel Begunkov wrote: >> On 3/16/24 17:01, Jens Axboe wrote: >>> On 3/16/24 10:57 AM, Pavel Begunkov wrote: >>>> On 3/16/24 16:51, Jens Axboe wrote: >>>>> On 3/16/24 10:46 AM, Pavel Begunkov wrote: >>>>>> On 3/16/24 16:42, Jens Axboe wrote: >>>>>>> On 3/16/24 10:36 AM, Pavel Begunkov wrote: >>>>>>>> On 3/16/24 16:36, Jens Axboe wrote: ... >>>>>>>> >>>>>>>> It should only set REQ_F_EARLY_FAIL if we fail >>>>>>>> _before_ prep is called >>>>>>> >>>>>>> I did try both ways, fails if we just have: >>>>>> >>>>>> Ok, but the point is that the sendzc's ->fail doesn't >>>>>> need to be called unless you've done ->prep first. >>>>> >>>>> But it fails, not sure how else to say it. >>>> >>>> liburing tests? Which test case? If so, it should be another >>> >>> Like I mentioned earlier, it's send zc and it's failing the test case >>> for that. test/send-zerocopy.t. >>> >>>> bug. REQ_F_NEED_CLEANUP is only set by opcodes, if a request is >>>> terminated before ->prep is called, it means it never entered >>>> any of the opdef callbacks and have never seen any of net.c >>>> code, so there should be no REQ_F_NEED_CLEANUP, and so >>>> io_sendrecv_fail() wouldn't try to set F_MORE. I don't know >>>> what's wrong. >>> >>> Feel free to take a look! I do like the simplicity of the early error >>> flag. >> >> ./send-zerocopy.t works fine > > Huh, I wonder what I messed up. But: My blind guess would be it called ->prep(), which is assumingly failed, but then there was no ->fail() following it. BTW, we might want to loose up that case, similar to mshots sendzc might decide not to post notifications for any reason and the user should always check F_MORE first. >> @@ -2250,7 +2249,13 @@ static inline int io_submit_sqe(struct io_ring_ctx *ctx, struct io_kiocb *req, >> int ret; >> >> ret = io_init_req(ctx, req, sqe); >> - if (unlikely(ret)) >> + if (unlikely(ret)) { >> + req->flags |= REQ_F_UNPREPPED_FAIL; >> + return io_submit_fail_init(sqe, req, ret); >> + } >> + >> + ret = def->prep(req, sqe); >> + if (ret) >> return io_submit_fail_init(sqe, req, ret); > > this obviously won't compile, assuming this is not the one you ran. Urgh, yeah, some left unstaged diff --git a/include/linux/io_uring_types.h b/include/linux/io_uring_types.h index ea7e5488b3be..de3a2c67c4a7 100644 --- a/include/linux/io_uring_types.h +++ b/include/linux/io_uring_types.h @@ -478,6 +478,7 @@ enum { REQ_F_CAN_POLL_BIT, REQ_F_BL_EMPTY_BIT, REQ_F_BL_NO_RECYCLE_BIT, + REQ_F_UNPREPPED_FAIL_BIT, /* not a real bit, just to check we're not overflowing the space */ __REQ_F_LAST_BIT, @@ -556,6 +557,8 @@ enum { REQ_F_BL_EMPTY = IO_REQ_FLAG(REQ_F_BL_EMPTY_BIT), /* don't recycle provided buffers for this request */ REQ_F_BL_NO_RECYCLE = IO_REQ_FLAG(REQ_F_BL_NO_RECYCLE_BIT), + + REQ_F_UNPREPPED_FAIL = IO_REQ_FLAG(REQ_F_UNPREPPED_FAIL_BIT), }; typedef void (*io_req_tw_func_t)(struct io_kiocb *req, struct io_tw_state *ts); diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index 846d67a9c72e..1231f8c53014 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -993,7 +993,7 @@ void io_req_defer_failed(struct io_kiocb *req, s32 res) req_set_fail(req); io_req_set_res(req, res, io_put_kbuf(req, IO_URING_F_UNLOCKED)); - if (def->fail) + if (!(req->flags & REQ_F_UNPREPPED_FAIL) && def->fail) def->fail(req); io_req_complete_defer(req); } @@ -2201,8 +2201,7 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req, } req->flags |= REQ_F_CREDS; } - - return def->prep(req, sqe); + return 0; } static __cold int io_submit_fail_init(const struct io_uring_sqe *sqe, @@ -2250,7 +2249,13 @@ static inline int io_submit_sqe(struct io_ring_ctx *ctx, struct io_kiocb *req, int ret; ret = io_init_req(ctx, req, sqe); - if (unlikely(ret)) + if (unlikely(ret)) { + req->flags |= REQ_F_UNPREPPED_FAIL; + return io_submit_fail_init(sqe, req, ret); + } + + ret = io_issue_defs[req->opcode].prep(req, sqe); + if (ret) return io_submit_fail_init(sqe, req, ret); trace_io_uring_submit_req(req); -- Pavel Begunkov ^ permalink raw reply related [flat|nested] 24+ messages in thread
* Re: [PATCH v2] io_uring/net: ensure async prep handlers always initialize ->done_io 2024-03-15 23:09 ` Pavel Begunkov 2024-03-15 23:13 ` Pavel Begunkov @ 2024-03-15 23:13 ` Jens Axboe 1 sibling, 0 replies; 24+ messages in thread From: Jens Axboe @ 2024-03-15 23:13 UTC (permalink / raw) To: Pavel Begunkov, io-uring On 3/15/24 5:09 PM, Pavel Begunkov wrote: > On 3/15/24 22:48, Jens Axboe wrote: >> If we get a request with IOSQE_ASYNC set, then we first run the prep >> async handlers. But if we then fail setting it up and want to post >> a CQE with -EINVAL, we use ->done_io. This was previously guarded with >> REQ_F_PARTIAL_IO, and the normal setup handlers do set it up before any >> potential errors, but we need to cover the async setup too. > > You can hit io_req_defer_failed() { opdef->fail(); } > off of an early submission failure path where def->prep has > not yet been called, I don't think the patch will fix the > problem. > > ->fail() handlers are fragile, maybe we should skip them > if def->prep() wasn't called. Not even compile tested: Yeah they are a mess honestly. Maybe we're better off just flagging it like in your below patch, and avoid needing opcode handling for this. Was going to suggest having a PREP_DONE flag, but it's better to have a FAIL_EARLY and avoid needing to fiddle with it in the normal path. -- Jens Axboe ^ permalink raw reply [flat|nested] 24+ messages in thread
end of thread, other threads:[~2024-03-17 20:46 UTC | newest] Thread overview: 24+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2024-03-15 22:48 [PATCH v2] io_uring/net: ensure async prep handlers always initialize ->done_io Jens Axboe 2024-03-15 23:09 ` Pavel Begunkov 2024-03-15 23:13 ` Pavel Begunkov 2024-03-15 23:19 ` Pavel Begunkov 2024-03-15 23:25 ` Jens Axboe 2024-03-15 23:28 ` Pavel Begunkov 2024-03-15 23:53 ` Jens Axboe 2024-03-16 16:14 ` Jens Axboe 2024-03-16 16:28 ` Pavel Begunkov 2024-03-16 16:31 ` Jens Axboe 2024-03-16 16:32 ` Pavel Begunkov 2024-03-16 16:34 ` Pavel Begunkov 2024-03-16 16:36 ` Jens Axboe 2024-03-16 16:36 ` Pavel Begunkov 2024-03-16 16:40 ` Pavel Begunkov 2024-03-16 16:42 ` Jens Axboe 2024-03-16 16:46 ` Pavel Begunkov 2024-03-16 16:51 ` Jens Axboe 2024-03-16 16:57 ` Pavel Begunkov 2024-03-16 17:01 ` Jens Axboe 2024-03-16 17:42 ` Pavel Begunkov 2024-03-16 23:58 ` Jens Axboe 2024-03-17 20:45 ` Pavel Begunkov 2024-03-15 23:13 ` Jens Axboe
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.