* [PATCH] io_uring: consider the overflow of sequence for timeout req
@ 2019-10-14 8:08 yangerkun
2019-10-14 11:26 ` yangerkun
0 siblings, 1 reply; 2+ messages in thread
From: yangerkun @ 2019-10-14 8:08 UTC (permalink / raw)
To: axboe, linux-block; +Cc: yi.zhang, houtao1, yangerkun
The sequence for timeout req may overflow, and it will lead to wrong
order of timeout req list. And we should consider two situation:
1. ctx->cached_sq_head + count - 1 may overflow;
2. cached_sq_head of now may overflow compare with before
cached_sq_head.
Fix the wrong logic by add record of count and use type long long to
record the overflow.
Signed-off-by: yangerkun <yangerkun@huawei.com>
---
fs/io_uring.c | 31 +++++++++++++++++++++++++------
1 file changed, 25 insertions(+), 6 deletions(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index 76fdbe84aff5..9cc96f68b370 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -288,6 +288,7 @@ struct io_poll_iocb {
struct io_timeout {
struct file *file;
struct hrtimer timer;
+ unsigned count;
};
/*
@@ -1884,7 +1885,7 @@ static enum hrtimer_restart io_timeout_fn(struct hrtimer *timer)
static int io_timeout(struct io_kiocb *req, const struct io_uring_sqe *sqe)
{
- unsigned count, req_dist, tail_index;
+ unsigned count;
struct io_ring_ctx *ctx = req->ctx;
struct list_head *entry;
struct timespec64 ts;
@@ -1907,21 +1908,39 @@ static int io_timeout(struct io_kiocb *req, const struct io_uring_sqe *sqe)
count = 1;
req->sequence = ctx->cached_sq_head + count - 1;
+ req->timeout.count = count;
req->flags |= REQ_F_TIMEOUT;
/*
* Insertion sort, ensuring the first entry in the list is always
* the one we need first.
*/
- tail_index = ctx->cached_cq_tail - ctx->rings->sq_dropped;
- req_dist = req->sequence - tail_index;
spin_lock_irq(&ctx->completion_lock);
list_for_each_prev(entry, &ctx->timeout_list) {
struct io_kiocb *nxt = list_entry(entry, struct io_kiocb, list);
- unsigned dist;
+ unsigned nxt_sq_head;
+ long long tmp, tmp_nxt;
- dist = nxt->sequence - tail_index;
- if (req_dist >= dist)
+ /* count bigger than before should break directly. */
+ if (count >= nxt->timeout.count)
+ break;
+
+ /*
+ * Since cached_sq_head + count - 1 can overflow, use type long
+ * long to store it.
+ */
+ tmp = (long long)ctx->cached_sq_head + count - 1;
+ nxt_sq_head = nxt->sequence - nxt->timeout.count + 1;
+ tmp_nxt = (long long)nxt_sq_head + nxt->timeout.count - 1;
+
+ /*
+ * cached_sq_head may overflow, and it will never overflow twice
+ * once there is some timeout req still be valid.
+ */
+ if (ctx->cached_sq_head < nxt_sq_head)
+ tmp_nxt += UINT_MAX;
+
+ if (tmp >= tmp_nxt)
break;
}
list_add(&req->list, entry);
--
2.17.2
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] io_uring: consider the overflow of sequence for timeout req
2019-10-14 8:08 [PATCH] io_uring: consider the overflow of sequence for timeout req yangerkun
@ 2019-10-14 11:26 ` yangerkun
0 siblings, 0 replies; 2+ messages in thread
From: yangerkun @ 2019-10-14 11:26 UTC (permalink / raw)
To: axboe, linux-block; +Cc: yi.zhang, houtao1
On 2019/10/14 16:08, yangerkun wrote:
> The sequence for timeout req may overflow, and it will lead to wrong
> order of timeout req list. And we should consider two situation:
>
> 1. ctx->cached_sq_head + count - 1 may overflow;
> 2. cached_sq_head of now may overflow compare with before
> cached_sq_head.
>
> Fix the wrong logic by add record of count and use type long long to
> record the overflow.
>
> Signed-off-by: yangerkun <yangerkun@huawei.com>
> ---
> fs/io_uring.c | 31 +++++++++++++++++++++++++------
> 1 file changed, 25 insertions(+), 6 deletions(-)
>
> diff --git a/fs/io_uring.c b/fs/io_uring.c
> index 76fdbe84aff5..9cc96f68b370 100644
> --- a/fs/io_uring.c
> +++ b/fs/io_uring.c
> @@ -288,6 +288,7 @@ struct io_poll_iocb {
> struct io_timeout {
> struct file *file;
> struct hrtimer timer;
> + unsigned count;
> };
>
> /*
> @@ -1884,7 +1885,7 @@ static enum hrtimer_restart io_timeout_fn(struct hrtimer *timer)
>
> static int io_timeout(struct io_kiocb *req, const struct io_uring_sqe *sqe)
> {
> - unsigned count, req_dist, tail_index;
> + unsigned count;
> struct io_ring_ctx *ctx = req->ctx;
> struct list_head *entry;
> struct timespec64 ts;
> @@ -1907,21 +1908,39 @@ static int io_timeout(struct io_kiocb *req, const struct io_uring_sqe *sqe)
> count = 1;
>
> req->sequence = ctx->cached_sq_head + count - 1;
> + req->timeout.count = count;
> req->flags |= REQ_F_TIMEOUT;
>
> /*
> * Insertion sort, ensuring the first entry in the list is always
> * the one we need first.
> */
> - tail_index = ctx->cached_cq_tail - ctx->rings->sq_dropped;
> - req_dist = req->sequence - tail_index;
> spin_lock_irq(&ctx->completion_lock);
> list_for_each_prev(entry, &ctx->timeout_list) {
> struct io_kiocb *nxt = list_entry(entry, struct io_kiocb, list);
> - unsigned dist;
> + unsigned nxt_sq_head;
> + long long tmp, tmp_nxt;
>
> - dist = nxt->sequence - tail_index;
> - if (req_dist >= dist)
> + /* count bigger than before should break directly. */
> + if (count >= nxt->timeout.count)
> + break;
> +
> + /*
> + * Since cached_sq_head + count - 1 can overflow, use type long
> + * long to store it.
> + */
> + tmp = (long long)ctx->cached_sq_head + count - 1;
> + nxt_sq_head = nxt->sequence - nxt->timeout.count + 1;
> + tmp_nxt = (long long)nxt_sq_head + nxt->timeout.count - 1;
> +
> + /*
> + * cached_sq_head may overflow, and it will never overflow twice
> + * once there is some timeout req still be valid.
> + */
> + if (ctx->cached_sq_head < nxt_sq_head)
> + tmp_nxt += UINT_MAX;
Should be "tmp += UINT_MAX;"
So sorry for this, will resend the patch.
> +
> + if (tmp >= tmp_nxt)
> break;
> }
> list_add(&req->list, entry);
>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-10-14 11:26 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-10-14 8:08 [PATCH] io_uring: consider the overflow of sequence for timeout req yangerkun
2019-10-14 11:26 ` yangerkun
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).