[PATCH] io_uring/net: ensure async prep handlers always initialize ->done_io

* [PATCH] io_uring/net: ensure async prep handlers always initialize ->done_io
@ 2024-03-15 22:39 Jens Axboe
  0 siblings, 0 replies; only message in thread
From: Jens Axboe @ 2024-03-15 22:39 UTC (permalink / raw)
  To: io-uring

If we get a request with IOSQE_ASYNC set, then we first run the prep
async handlers. But if we then fail setting it up and want to post
a CQE with -EINVAL, we use ->done_io. This was previously guarded with
REQ_F_PARTIAL_IO, and the normal setup handlers do set it up before any
potential errors, but we need to cover the async setup too.

Fixes: 9817ad85899f ("io_uring/net: remove dependency on REQ_F_PARTIAL_IO for sr->done_io")
Reported-by: syzbot+f8e9a371388aa62ecab4@syzkaller.appspotmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>

---

diff --git a/io_uring/net.c b/io_uring/net.c
index 19451f0dbf81..c5352c92fcc5 100644
--- a/io_uring/net.c
+++ b/io_uring/net.c
@@ -326,6 +326,7 @@ int io_send_prep_async(struct io_kiocb *req)
 	struct io_async_msghdr *io;
 	int ret;
 
+	zc->done_io = 0;
 	if (!zc->addr || req_has_async_data(req))
 		return 0;
 	io = io_msg_alloc_async_prep(req);
@@ -353,8 +354,10 @@ static int io_setup_async_addr(struct io_kiocb *req,
 
 int io_sendmsg_prep_async(struct io_kiocb *req)
 {
+	struct io_sr_msg *sr = io_kiocb_to_cmd(req, struct io_sr_msg);
 	int ret;
 
+	sr->done_io = 0;
 	if (!io_msg_alloc_async_prep(req))
 		return -ENOMEM;
 	ret = io_sendmsg_copy_hdr(req, req->async_data);
@@ -608,9 +611,11 @@ static int io_recvmsg_copy_hdr(struct io_kiocb *req,
 
 int io_recvmsg_prep_async(struct io_kiocb *req)
 {
+	struct io_sr_msg *sr = io_kiocb_to_cmd(req, struct io_sr_msg);
 	struct io_async_msghdr *iomsg;
 	int ret;
 
+	sr->done_io = 0;
 	if (!io_msg_alloc_async_prep(req))
 		return -ENOMEM;
 	iomsg = req->async_data;

-- 
Jens Axboe


^ permalink raw reply related	[flat|nested] only message in thread