* [PATCH 1/2] io_uring: unaccount scq mem properly
@ 2019-04-27 11:38 Shenghui Wang
2019-04-27 11:38 ` [PATCH 2/2] io_uring: free ctx->sq_ring if array size overflow detected in io_allocate_scq_urings Shenghui Wang
0 siblings, 1 reply; 2+ messages in thread
From: Shenghui Wang @ 2019-04-27 11:38 UTC (permalink / raw)
To: axboe, viro, linux-block, linux-fsdevel
io_allocate_scq_urings() may fail to allocate scq rings, and fail to
set ctx->sq_entries or ctx->cq_entries. In io_ring_ctx_free(), the code
'
if (ctx->account_mem)
io_unaccount_mem(ctx->user,
ring_pages(ctx->sq_entries, ctx->cq_entries));
'
may not unaccount properly.
E.g., in io_uring_create(), we have ctx allocated with zero filled.
Later, io_allocate_scq_urings() fails, and we may still have
0-valued ctx->sq_entries & ctx->cq_entries. Then the unaccount code
cannot unaccount what io_account_mem() has changed.
Signed-off-by: Shenghui Wang <shhuiw@foxmail.com>
---
fs/io_uring.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index f65f85d89217..9d382ac27e63 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -2741,7 +2741,6 @@ static int io_allocate_scq_urings(struct io_ring_ctx *ctx,
sq_ring->ring_mask = p->sq_entries - 1;
sq_ring->ring_entries = p->sq_entries;
ctx->sq_mask = sq_ring->ring_mask;
- ctx->sq_entries = sq_ring->ring_entries;
size = array_size(sizeof(struct io_uring_sqe), p->sq_entries);
if (size == SIZE_MAX)
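
Review bot: After the removal of "ctx->sq_entries = sq_ring->ring_entries;", io_allocate_scq_urings() still writes ctx->sq_mask on the line above but no longer writes ctx->sq_entries, so the ctx sizing fields are now initialised in two different functions. Either move the mask assignments along with the entry counts, or add a short comment at the top of this function stating that the caller must have set ctx->sq_entries and ctx->cq_entries before calling it, so the dependency is visible to whoever touches this code next.
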
@@ -2764,7 +2763,6 @@ static int io_allocate_scq_urings(struct io_ring_ctx *ctx,
cq_ring->ring_mask = p->cq_entries - 1;
cq_ring->ring_entries = p->cq_entries;
ctx->cq_mask = cq_ring->ring_mask;
- ctx->cq_entries = cq_ring->ring_entries;
return 0;
}
@@ -2854,6 +2852,8 @@ static int io_uring_create(unsigned entries, struct io_uring_params *p)
ctx->compat = in_compat_syscall();
ctx->account_mem = account_mem;
ctx->user = user;
+ ctx->sq_entries = p->sq_entries;
+ ctx->cq_entries = p->cq_entries;
ret = io_allocate_scq_urings(ctx, p);
if (ret)
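
Review bot: The two added assignments before "ret = io_allocate_scq_urings(ctx, p);" are order-sensitive but carry no comment saying so. Per the commit message they exist only so that the ring_pages(ctx->sq_entries, ctx->cq_entries) call in io_ring_ctx_free() sees non-zero values on the failure path, and a later cleanup could easily move them back into the allocator. Please add a one-line comment to that effect. The visible context also does not show the io_account_mem() call, so it is worth confirming in the changelog that the amount charged there is computed from the same p->sq_entries and p->cq_entries that are copied here; if it is, computing the page count once and storing it would remove the need for the two sides to stay in sync.
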
--
2.20.1
* [PATCH 2/2] io_uring: free ctx->sq_ring if array size overflow detected in io_allocate_scq_urings
2019-04-27 11:38 [PATCH 1/2] io_uring: unaccount scq mem properly Shenghui Wang
@ 2019-04-27 11:38 ` Shenghui Wang
0 siblings, 0 replies; 2+ messages in thread
From: Shenghui Wang @ 2019-04-27 11:38 UTC (permalink / raw)
To: axboe, viro, linux-block, linux-fsdevel
Free ctx->sq_ring before return -EOVERFLOW.
Signed-off-by: Shenghui Wang <shhuiw@foxmail.com>
---
fs/io_uring.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index 9d382ac27e63..6e1d22cbb029 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -2743,8 +2743,10 @@ static int io_allocate_scq_urings(struct io_ring_ctx *ctx,
ctx->sq_mask = sq_ring->ring_mask;
size = array_size(sizeof(struct io_uring_sqe), p->sq_entries);
- if (size == SIZE_MAX)
+ if (size == SIZE_MAX) {
+ io_mem_free(ctx->sq_ring);
return -EOVERFLOW;
+ }
ctx->sq_sqes = io_mem_alloc(size);
if (!ctx->sq_sqes) {
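
Review bot: The new "io_mem_free(ctx->sq_ring);" in the SIZE_MAX branch leaves ctx->sq_ring pointing at freed memory when the function returns -EOVERFLOW. Patch 1/2 in this series says the failure path ends up in io_ring_ctx_free(); if that function also releases ctx->sq_ring, this change turns a leak into a double free. Please either set ctx->sq_ring = NULL right after the free, or state in the commit message why the caller's cleanup does not touch ctx->sq_ring again. The commit message currently only says what is done; a sentence on what was leaked and on which path would help.
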
--
2.20.1