[PATCH 5.15] io_uring: fix ltimeout unprep

[PATCH 5.15] io_uring: fix ltimeout unprep

[Pavel Begunkov]

io_unprep_linked_timeout() is broken, first it needs to return back
REQ_F_ARM_LTIMEOUT, so the linked timeout is enqueued and disarmed. But
now we refcounted it, and linked timeouts may get not executed at all,
leaking a request.

Just kill the unprep optimisation.

Fixes: 906c6caaf5861 ("io_uring: optimise io_prep_linked_timeout()")
Reported-by: Beld Zhang <beldzhang@gmail.com>
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
---
 fs/io_uring.c | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/fs/io_uring.c b/fs/io_uring.c
index c87931d8b503..18de14a9e7a4 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -1406,11 +1406,6 @@ static inline void io_req_track_inflight(struct io_kiocb *req)
 	}
 }
 
-static inline void io_unprep_linked_timeout(struct io_kiocb *req)
-{
-	req->flags &= ~REQ_F_LINK_TIMEOUT;
-}
-
 static struct io_kiocb *__io_prep_linked_timeout(struct io_kiocb *req)
 {
 	if (WARN_ON_ONCE(!req->link))
@@ -6892,10 +6887,6 @@ static void io_queue_sqe_arm_apoll(struct io_kiocb *req)
 
 	switch (io_arm_poll_handler(req)) {
 	case IO_APOLL_READY:
-		if (linked_timeout) {
-			io_unprep_linked_timeout(req);
-			linked_timeout = NULL;
-		}
 		io_req_task_queue(req);
 		break;
 	case IO_APOLL_ABORTED:
-- 
2.33.1

Re: [PATCH 5.15] io_uring: fix ltimeout unprep

[Jens Axboe]

On 10/19/21 7:26 PM, Pavel Begunkov wrote:
> io_unprep_linked_timeout() is broken, first it needs to return back
> REQ_F_ARM_LTIMEOUT, so the linked timeout is enqueued and disarmed. But
> now we refcounted it, and linked timeouts may get not executed at all,
> leaking a request.
> 
> Just kill the unprep optimisation.

This appears to be against something that is not 5.15, can you please
check the end result:

https://git.kernel.dk/cgit/linux-block/commit/?h=io_uring-5.15&id=46cb76b2f5ff39bf019bf7a072524fc7fe6deb01

-- 
Jens Axboe

Re: [PATCH 5.15] io_uring: fix ltimeout unprep

[Pavel Begunkov]

On 10/20/21 02:48, Jens Axboe wrote:
> On 10/19/21 7:26 PM, Pavel Begunkov wrote:
>> io_unprep_linked_timeout() is broken, first it needs to return back
>> REQ_F_ARM_LTIMEOUT, so the linked timeout is enqueued and disarmed. But
>> now we refcounted it, and linked timeouts may get not executed at all,
>> leaking a request.
>>
>> Just kill the unprep optimisation.
> 
> This appears to be against something that is not 5.15, can you please
> check the end result:

Yeah, it was 5.16 for some reason. Looks good, thanks!


> https://git.kernel.dk/cgit/linux-block/commit/?h=io_uring-5.15&id=46cb76b2f5ff39bf019bf7a072524fc7fe6deb01

-- 
Pavel Begunkov

Re: [PATCH 5.15] io_uring: fix ltimeout unprep

[Pavel Begunkov]

On 10/20/21 09:33, Pavel Begunkov wrote:
> On 10/20/21 02:48, Jens Axboe wrote:
>> On 10/19/21 7:26 PM, Pavel Begunkov wrote:
>>> io_unprep_linked_timeout() is broken, first it needs to return back
>>> REQ_F_ARM_LTIMEOUT, so the linked timeout is enqueued and disarmed. But
>>> now we refcounted it, and linked timeouts may get not executed at all,
>>> leaking a request.
>>>
>>> Just kill the unprep optimisation.
>>
>> This appears to be against something that is not 5.15, can you please
>> check the end result:
> 
> Yeah, it was 5.16 for some reason. Looks good, thanks!

Actually, it's not. We need either unprep but "smarter" or queue the
timeout. I'll send a v2 for convenience, but a fold in is below.

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 36db7b76cf8d..d5cc103224f1 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -6979,6 +6979,8 @@ static void __io_queue_sqe(struct io_kiocb *req)
  
  		switch (io_arm_poll_handler(req)) {
  		case IO_APOLL_READY:
+			if (linked_timeout)
+				io_queue_linked_timeout(linked_timeout);
  			goto issue_sqe;
  		case IO_APOLL_ABORTED:
  			/*


-- 
Pavel Begunkov