From: "Stefan Bühler" <source@stbuehler.de>
To: Jens Axboe <axboe@kernel.dk>,
	linux-block@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: io_uring: REQ_F_PREPPED race condition with punting to workers
Date: Fri, 3 May 2019 12:22:33 +0200
Message-ID: <bdc72cc4-ee7b-db12-baee-47e8f06d30e7@stbuehler.de>

Hi,

if the initial operation returns EAGAIN (and REQ_F_NOWAIT is not set),
io_submit_sqe copies the SQE for processing in a worker.

The worker will then read from the SQE copy to determine (some)
parameters for operations, but not all of those parameters will be
validated again, as the initial operation sets REQ_F_PREPPED.

So between the initial operation and the memcpy is a race in which the
application could change the SQE: for example it could change from
IORING_OP_FSYNC to IORING_OP_READV, which would result in broken kiocb
data afaict.

The only way around that I can see right now is copying the SQE in
io_submit_sqe (moving the call to io_cqring_add_event to io_submit_sqe
should simplify this afaict): does that sound acceptable?

cheers,
Stefan
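
A userspace model of the ordering issue raised in the message above, added here as an illustration; it is not part of the original e-mail and is not kernel code. The struct and function names are hypothetical, and the opcode values are constructed stand-ins.

```c
/* Userspace model (not kernel code) of the ordering problem described above.
 * All names are hypothetical; opcode values are constructed stand-ins. */
#include <string.h>

enum { OP_FSYNC = 1, OP_READV = 2 };
struct sqe { unsigned char opcode; };   /* lives in memory the app can write */
struct req {
    int prepped;             /* models REQ_F_PREPPED */
    unsigned char prep_op;   /* opcode the one-time prep validated */
    struct sqe copy;         /* private copy handed to the worker */
};

/* One-time validation; skipped once the request is marked prepped. */
static void prep(struct req *r, const struct sqe *s)
{
    if (r->prepped)
        return;
    r->prep_op = s->opcode;
    r->prepped = 1;
}

/* Racy order: validate from shared memory, copy for the worker afterwards. */
static void submit_racy(struct req *r, struct sqe *shared)
{
    prep(r, shared);                            /* first fetch */
    shared->opcode = OP_READV;                  /* app's concurrent write (constructed) */
    memcpy(&r->copy, shared, sizeof(r->copy));  /* second fetch */
}

/* Fixed order: snapshot once, then validate and run from the snapshot only. */
static void submit_fixed(struct req *r, struct sqe *shared)
{
    memcpy(&r->copy, shared, sizeof(r->copy));  /* single fetch */
    prep(r, &r->copy);
    shared->opcode = OP_READV;                  /* later writes no longer matter */
}

/* Worker retry: prep is a no-op; returns 1 if it runs the validated opcode. */
static int run_worker(int fixed)
{
    struct sqe shared = { OP_FSYNC };
    struct req r = { 0 };
    (fixed ? submit_fixed : submit_racy)(&r, &shared);
    prep(&r, &r.copy);
    return r.copy.opcode == r.prep_op;
}

int main(void) { return !(run_worker(1) && !run_worker(0)); }
```

In the racy order the worker ends up with an opcode that was never validated; in the fixed order the validated opcode and the worker's opcode always come from the same snapshot.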

Thread overview: 4+ messages
2019-05-03 10:22 Stefan Bühler [this message]
2019-05-03 14:48 ` io_uring: REQ_F_PREPPED race condition with punting to workers Jens Axboe
2019-05-11 17:08   ` [PATCH 1/1] io_uring: fix race condition reading SQE data Stefan Bühler
2019-05-13 15:15     ` Jens Axboe