From: Jens Axboe <axboe@kernel.dk>
To: Jeff Moyer <jmoyer@redhat.com>
Cc: linux-aio@kvack.org, linux-block@vger.kernel.org,
linux-api@vger.kernel.org, hch@lst.de, avi@scylladb.com,
jannh@google.com, viro@ZenIV.linux.org.uk
Subject: Re: [PATCH 12/18] io_uring: add support for pre-mapped user IO buffers
Date: Thu, 7 Feb 2019 14:02:46 -0700
Message-ID: <0a382a3f-d277-21d2-e62f-b2c41b3c441a@kernel.dk>
In-Reply-To: <x49mun75nam.fsf@segfault.boston.devel.redhat.com>
On 2/7/19 1:57 PM, Jeff Moyer wrote:
> Hi, Jens,
>
> Jens Axboe <axboe@kernel.dk> writes:
>
>> +static int io_sqe_buffer_unregister(struct io_ring_ctx *ctx)
>> +{
>> + int i, j;
>> +
>> + if (!ctx->user_bufs)
>> + return -ENXIO;
>> +
>> + for (i = 0; i < ctx->sq_entries; i++) {
>> + struct io_mapped_ubuf *imu = &ctx->user_bufs[i];
>> +
>> + for (j = 0; j < imu->nr_bvecs; j++)
>> + put_page(imu->bvec[j].bv_page);
>> +
>> + io_unaccount_mem(ctx->user, imu->nr_bvecs);
>> + kfree(imu->bvec);
>> + imu->nr_bvecs = 0;
>> + }
>> +
>> + kfree(ctx->user_bufs);
>> + ctx->user_bufs = NULL;
>> + free_uid(ctx->user);
> ^^^^^^^^^^^^^^^^^^^
>> + ctx->user = NULL;
> ^^^^^^^^^^^^^^^^^
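Review bot: the free_uid(ctx->user) / ctx->user = NULL pair at the end of this hunk drops a reference that belongs to the ring context, not to the buffer table, so any later io_uring_register() operation that touches ctx->user (the file-registration path in the Oops below) dereferences NULL. Limit this function to undoing what buffer registration did (put_page, io_unaccount_mem, kfree of bvec and user_bufs) and release the user reference only where the io_ring_ctx itself is torn down. Separately, the loop bound is ctx->sq_entries rather than a count of registered buffers; worth confirming that the register side allocates exactly sq_entries entries, otherwise the walk runs past the end of user_bufs.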
>
> I don't think you want to do that here. If you do an
> IORING_REGISTER_BUFFERS, followed by IORING_UNREGISTER_BUFFERS, and then
> follow that up with IORING_REGISTER_FILES, you'll get a null pointer
> dereference trying to bump the reference count of the (now NULL)
> ctx->user (io_uring.c:1944):
>
> [ 216.927990] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
> [ 216.935825] #PF error: [WRITE]
> [ 216.938883] PGD 5f39244067 P4D 5f39244067 PUD 5f043ca067 PMD 0
> [ 216.944803] Oops: 0002 [#1] SMP
> [ 216.947949] CPU: 79 PID: 3371 Comm: io_uring_regist Not tainted 5.0.0-rc5.io_uring.4+ #26
> [ 216.956119] Hardware name: Intel Corporation S2600WFD/S2600WFD, BIOS SE5C620.86B.0D.01.0108.091420182119 09/14/2018
> [ 216.966553] RIP: 0010:__io_uring_register+0x1c2/0x7c0
> [ 216.971606] Code: 49 89 c6 48 85 c0 0f 84 9b 05 00 00 48 8b 83 20 02 00 00 48 8b 40 20 49 c7 46 60 60 89 1d 96 49 89 46 18 48 8b 83 18 01 00 00 <f0> ff 00 0f 88 1a a0 52 00 45 31 e4 66 83 7d 00 00 48 89 45 08 7e
> [ 216.990355] RSP: 0018:ffffb296087e3e70 EFLAGS: 00010286
> [ 216.995578] RAX: 0000000000000000 RBX: ffff9aacbbff3800 RCX: 0000000000000000
> [ 217.002711] RDX: ffff9aacbbaf1ac0 RSI: 00000000ffffffff RDI: ffff9aacb9a8f6b0
> [ 217.009842] RBP: ffff9aacbb45e800 R08: 00000000000000c0 R09: ffff9a4e87c07000
> [ 217.016977] R10: 0000000000000006 R11: ffff9aac97da9b00 R12: 00007efdc3dbd1fc
> [ 217.024107] R13: ffff9aacbb45ec08 R14: ffff9aacb9a8f600 R15: ffff9aac97da9a00
> [ 217.031241] FS: 00007f01c439e500(0000) GS:ffff9aacbf7c0000(0000) knlGS:0000000000000000
> [ 217.039326] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 217.045075] CR2: 0000000000000000 CR3: 0000005f08d85002 CR4: 00000000007606e0
> [ 217.052207] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [ 217.059340] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> [ 217.066472] PKRU: 55555554
> [ 217.069183] Call Trace:
> [ 217.071638] __x64_sys_io_uring_register+0x91/0xb0
> [ 217.076433] do_syscall_64+0x4f/0x190
> [ 217.080110] entry_SYSCALL_64_after_hwframe+0x44/0xa9
> [ 217.085167] RIP: 0033:0x7f01c3eb42bd
> [ 217.088743] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 9b 6b 2c 00 f7 d8 64 89 01 48
>
> I'd expect ctx->user to live as long as the io_uring context itself,
> right?
Yes, it used to just be used for the buffers, now we use it generally. I've
fixed that up, thanks Jeff!
--
Jens Axboe
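The lifetime rule Jeff is pointing at (an object shared by several sub-features must be owned, and released, by the enclosing context) can be shown without a kernel. The following is an added example, not code from this patch or from the kernel: a user-space model in which ring_ctx, user_struct, get_uid/free_uid and the register/unregister helpers are stand-ins for the objects the mail discusses, with the v12 unregister beside a fixed one. The real kernel oopses where files_register() here returns -EFAULT.

```c
/* Added example (not the patch's or the kernel's code): models the ctx->user
 * lifetime bug in the quoted io_sqe_buffer_unregister(). All names are
 * stand-ins for the kernel objects, not the real API. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

static int live_users;              /* user_struct objects currently allocated */

struct user_struct { int refcount; };   /* stand-in for the per-UID object */
struct file_table  { struct user_struct *user; };   /* registered file set */

struct ring_ctx {
	struct user_struct *user;       /* owned by the ctx for its whole life */
	void *user_bufs;                /* registered buffers, NULL if none */
	struct file_table *files;       /* registered files, NULL if none */
};

static struct user_struct *get_uid(struct user_struct *u) { u->refcount++; return u; }

static void free_uid(struct user_struct *u)
{
	if (u && --u->refcount == 0) {
		live_users--;
		free(u);
	}
}

static struct ring_ctx *ctx_setup(void)
{
	struct ring_ctx *ctx = calloc(1, sizeof(*ctx));
	ctx->user = calloc(1, sizeof(*ctx->user));
	ctx->user->refcount = 1;        /* this reference belongs to the ctx */
	live_users++;
	return ctx;
}

static int buffers_register(struct ring_ctx *ctx, unsigned nr)
{
	if (ctx->user_bufs)
		return -EBUSY;
	ctx->user_bufs = calloc(nr, 64);
	return 0;
}

/* Mirrors the quoted v12 unregister: drops the ctx-wide user reference. */
static int buffers_unregister_v12(struct ring_ctx *ctx)
{
	if (!ctx->user_bufs)
		return -ENXIO;
	free(ctx->user_bufs);
	ctx->user_bufs = NULL;
	free_uid(ctx->user);            /* BUG: not this function's reference */
	ctx->user = NULL;
	return 0;
}

/* Fixed form: undo only what buffer registration did. */
static int buffers_unregister_fixed(struct ring_ctx *ctx)
{
	if (!ctx->user_bufs)
		return -ENXIO;
	free(ctx->user_bufs);
	ctx->user_bufs = NULL;
	return 0;
}

/* Stands in for file registration, which bumps ctx->user's refcount. */
static int files_register(struct ring_ctx *ctx)
{
	if (ctx->files)
		return -EBUSY;
	if (!ctx->user)                 /* the real kernel dereferences NULL here */
		return -EFAULT;
	ctx->files = calloc(1, sizeof(*ctx->files));
	ctx->files->user = get_uid(ctx->user);
	return 0;
}

static void ctx_free(struct ring_ctx *ctx)
{
	if (ctx->user_bufs)
		buffers_unregister_fixed(ctx);
	if (ctx->files) {
		free_uid(ctx->files->user);
		free(ctx->files);
	}
	free_uid(ctx->user);            /* the one place the ctx's reference goes */
	free(ctx);
}

/* Jeff's sequence: REGISTER_BUFFERS, UNREGISTER_BUFFERS, REGISTER_FILES. */
static int run_sequence(int (*unregister)(struct ring_ctx *))
{
	struct ring_ctx *ctx = ctx_setup();
	int ret = buffers_register(ctx, 4);
	if (!ret)
		ret = unregister(ctx);
	if (!ret)
		ret = files_register(ctx);
	ctx_free(ctx);
	return ret;
}

int users_alive(void) { return live_users; }

int main(void)
{
	printf("v12 unregister:   %d\n", run_sequence(buffers_unregister_v12));
	printf("fixed unregister: %d\n", run_sequence(buffers_unregister_fixed));
	printf("leaked users:     %d\n", users_alive());
	return 0;
}
```

With the v12 unregister the third step fails because ctx->user is already gone; with the fixed one it succeeds, and both paths end with zero live user objects because the only release of the ctx's reference is in ctx_free().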
Thread overview: 54+ messages
2019-02-07 19:55 [PATCHSET v12] io_uring IO interface Jens Axboe
2019-02-07 19:55 ` [PATCH 01/18] fs: add an iopoll method to struct file_operations Jens Axboe
2019-02-07 19:55 ` [PATCH 02/18] block: wire up block device iopoll method Jens Axboe
2019-02-07 19:55 ` [PATCH 03/18] block: add bio_set_polled() helper Jens Axboe
2019-02-07 19:55 ` [PATCH 04/18] iomap: wire up the iopoll method Jens Axboe
2019-02-07 19:55 ` [PATCH 05/18] Add io_uring IO interface Jens Axboe
2019-02-07 20:15 ` Keith Busch
2019-02-07 20:16 ` Jens Axboe
2019-02-07 19:55 ` [PATCH 06/18] io_uring: add fsync support Jens Axboe
2019-02-07 19:55 ` [PATCH 07/18] io_uring: support for IO polling Jens Axboe
2019-02-07 19:55 ` [PATCH 08/18] fs: add fget_many() and fput_many() Jens Axboe
2019-02-07 19:55 ` [PATCH 09/18] io_uring: use fget/fput_many() for file references Jens Axboe
2019-02-07 19:55 ` [PATCH 10/18] io_uring: batch io_kiocb allocation Jens Axboe
2019-02-07 19:55 ` [PATCH 11/18] block: implement bio helper to add iter bvec pages to bio Jens Axboe
2019-02-07 19:55 ` [PATCH 12/18] io_uring: add support for pre-mapped user IO buffers Jens Axboe
2019-02-07 20:57 ` Jeff Moyer
2019-02-07 21:02 ` Jens Axboe [this message]
2019-02-07 22:38 ` Jeff Moyer
2019-02-07 22:47 ` Jens Axboe
2019-02-07 19:55 ` [PATCH 13/18] io_uring: add file set registration Jens Axboe
2019-02-08 12:17 ` Alan Jenkins
2019-02-08 12:57 ` Jens Axboe
2019-02-08 14:02 ` Alan Jenkins
2019-02-08 15:13 ` Jens Axboe
2019-02-12 12:29 ` Alan Jenkins
2019-02-12 15:17 ` Jens Axboe
2019-02-12 17:21 ` Alan Jenkins
2019-02-12 17:33 ` Jens Axboe
2019-02-12 20:23 ` Alan Jenkins
2019-02-12 21:10 ` Jens Axboe
2019-02-07 19:55 ` [PATCH 14/18] io_uring: add submission polling Jens Axboe
2019-02-07 19:55 ` [PATCH 15/18] io_uring: add io_kiocb ref count Jens Axboe
2019-02-07 19:55 ` [PATCH 16/18] io_uring: add support for IORING_OP_POLL Jens Axboe
2019-02-07 22:12 ` Jeff Moyer
2019-02-07 22:18 ` Jens Axboe
2019-02-07 19:55 ` [PATCH 17/18] io_uring: allow workqueue item to handle multiple buffered requests Jens Axboe
2019-02-07 19:55 ` [PATCH 18/18] io_uring: add io_uring_event cache hit information Jens Axboe
-- strict thread matches above, loose matches on Subject: below --
2019-02-01 15:23 [PATCHSET v11] io_uring IO interface Jens Axboe
2019-02-01 15:24 ` [PATCH 12/18] io_uring: add support for pre-mapped user IO buffers Jens Axboe
2019-01-30 21:55 [PATCHSET v10] io_uring IO interface Jens Axboe
2019-01-30 21:55 ` [PATCH 12/18] io_uring: add support for pre-mapped user IO buffers Jens Axboe
2019-01-29 19:26 [PATCHSET v9] io_uring IO interface Jens Axboe
2019-01-29 19:26 ` [PATCH 12/18] io_uring: add support for pre-mapped user IO buffers Jens Axboe
2019-01-29 22:44 ` Jann Horn
2019-01-29 22:56 ` Jens Axboe
2019-01-29 23:03 ` Jann Horn
2019-01-29 23:06 ` Jens Axboe
2019-01-29 23:08 ` Jann Horn
2019-01-29 23:14 ` Jens Axboe
2019-01-29 23:42 ` Jann Horn
2019-01-29 23:51 ` Jens Axboe
2019-01-28 21:35 [PATCHSET v8] io_uring IO interface Jens Axboe
2019-01-28 21:35 ` [PATCH 12/18] io_uring: add support for pre-mapped user IO buffers Jens Axboe
2019-01-28 23:35 ` Jann Horn
2019-01-28 23:50 ` Jens Axboe
2019-01-29 0:36 ` Jann Horn
2019-01-29 1:25 ` Jens Axboe
2019-01-23 15:35 [PATCHSET v7] io_uring IO interface Jens Axboe
2019-01-23 15:35 ` [PATCH 12/18] io_uring: add support for pre-mapped user IO buffers Jens Axboe