[PATCH] io_uring: always prep_async for drain requests

[PATCH] io_uring: always prep_async for drain requests

[Dylan Yudaken]

Drain requests all go through io_drain_req, which has a quick exit in case
there is nothing pending (ie the drain is not useful). In that case it can
run the issue the request immediately.

However for safety it queues it through task work.
The problem is that in this case the request is run asynchronously, but
the async work has not been prepared through io_req_prep_async.

This has not been a problem up to now, as the task work always would run
before returning to userspace, and so the user would not have a chance to
race with it.

However - with IORING_SETUP_DEFER_TASKRUN - this is no longer the case and
the work might be defered, giving userspace a chance to change data being
referred to in the request.

Instead _always_ prep_async for drain requests, which is simpler anyway
and removes this issue.

Cc: stable@vger.kernel.org
Fixes: c0e0d6ba25f1 ("io_uring: add IORING_SETUP_DEFER_TASKRUN")
Signed-off-by: Dylan Yudaken <dylany@meta.com>
---

Hi,

Worth pointing out in discussion with Pavel that we considered just
removing the fast path in io_drain_req. That felt like more of an invasive
change as it can add an extra kmalloc + io_prep_async_link(), but perhaps
you feel that is a better approach.

I'll send out a liburing test shortly.

Dylan


 io_uring/io_uring.c | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 0a4efada9b3c..db623b3185c8 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -1765,17 +1765,12 @@ static __cold void io_drain_req(struct io_kiocb *req)
 	}
 	spin_unlock(&ctx->completion_lock);
 
-	ret = io_req_prep_async(req);
-	if (ret) {
-fail:
-		io_req_defer_failed(req, ret);
-		return;
-	}
 	io_prep_async_link(req);
 	de = kmalloc(sizeof(*de), GFP_KERNEL);
 	if (!de) {
 		ret = -ENOMEM;
-		goto fail;
+		io_req_defer_failed(req, ret);
+		return;
 	}
 
 	spin_lock(&ctx->completion_lock);
@@ -2048,13 +2043,16 @@ static void io_queue_sqe_fallback(struct io_kiocb *req)
 		req->flags &= ~REQ_F_HARDLINK;
 		req->flags |= REQ_F_LINK;
 		io_req_defer_failed(req, req->cqe.res);
-	} else if (unlikely(req->ctx->drain_active)) {
-		io_drain_req(req);
 	} else {
 		int ret = io_req_prep_async(req);
 
-		if (unlikely(ret))
+		if (unlikely(ret)) {
 			io_req_defer_failed(req, ret);
+			return;
+		}
+
+		if (unlikely(req->ctx->drain_active))
+			io_drain_req(req);
 		else
 			io_queue_iowq(req, NULL);
 	}

base-commit: b00c51ef8f72ced0965d021a291b98ff822c5337
-- 
2.30.2

Re: [PATCH] io_uring: always prep_async for drain requests

[Jens Axboe]

On Fri, 27 Jan 2023 02:59:11 -0800, Dylan Yudaken wrote:
> Drain requests all go through io_drain_req, which has a quick exit in case
> there is nothing pending (ie the drain is not useful). In that case it can
> run the issue the request immediately.
> 
> However for safety it queues it through task work.
> The problem is that in this case the request is run asynchronously, but
> the async work has not been prepared through io_req_prep_async.
> 
> [...]

Applied, thanks!

[1/1] io_uring: always prep_async for drain requests
      commit: ef5c600adb1d985513d2b612cc90403a148ff287

Best regards,
-- 
Jens Axboe