io_uring: fix race condition reading SQE data

When punting to workers the SQE gets copied after the initial try. There is a race condition between reading SQE data for the initial try and copying it for punting it to the workers. For example io_rw_done calls kiocb->ki_complete even if it was prepared for IORING_OP_FSYNC (and would be NULL). The easiest solution for now is to alway prepare again in the worker. req->file is safe to prepare though as long as it is checked before use. Signed-off-by: Stefan Bühler <source@stbuehler.de> Signed-off-by: Jens Axboe <axboe@kernel.dk>
author: Stefan Bühler <source@stbuehler.de> 2019-05-11 13:08:01 -0400
committer: Jens Axboe <axboe@kernel.dk> 2019-05-13 11:15:42 -0400
commit: e2033e33cb3821c26d4f9e70677910827d3b7885 (patch)
tree: 9a4c0da34b35916590b1104581ccd89339ea6d94
parent: a13f0655503a4a89df67fdc7cac6a7810795d4b3 (diff)
1 files changed, 2 insertions, 15 deletions
diff --git a/fs/io_uring.c b/fs/io_uring.c
index 48ea3977012a..576d9c652b4c 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -329,9 +329,8 @@ struct io_kiocb {
 #define REQ_F_IOPOLL_COMPLETED  2       /* polled IO has completed */
 #define REQ_F_FIXED_FILE        4       /* ctx owns file */
 #define REQ_F_SEQ_PREV          8       /* sequential with previous */
-#define REQ_F_PREPPED           16      /* prep already done */
+#define REQ_F_IO_DRAIN          16      /* drain existing IO first */
-#define REQ_F_IO_DRAIN          32      /* drain existing IO first */
+#define REQ_F_IO_DRAINED        32      /* drain done */
-#define REQ_F_IO_DRAINED        64      /* drain done */
        u64                     user_data;
        u32                     error;  /* iopoll result from callback */
        u32                     sequence;
@@ -896,9 +895,6 @@ static int io_prep_rw(struct io_kiocb *req, const struct sqe_submit *s,
        if (!req->file)
                return -EBADF;
-        /* For -EAGAIN retry, everything is already prepped */
-        if (req->flags & REQ_F_PREPPED)
-                return 0;
        if (force_nonblock && !io_file_supports_async(req->file))
                force_nonblock = false;
@@ -941,7 +937,6 @@ static int io_prep_rw(struct io_kiocb *req, const struct sqe_submit *s,
                        return -EINVAL;
                kiocb->ki_complete = io_complete_rw;
        }
-        req->flags |= REQ_F_PREPPED;
        return 0;
 }
@@ -1227,16 +1222,12 @@ static int io_prep_fsync(struct io_kiocb *req, const struct io_uring_sqe *sqe)
        if (!req->file)
                return -EBADF;
-        /* Prep already done (EAGAIN retry) */
-        if (req->flags & REQ_F_PREPPED)
-                return 0;
        if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
                return -EINVAL;
        if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
                return -EINVAL;
-        req->flags |= REQ_F_PREPPED;
        return 0;
 }
@@ -1277,16 +1268,12 @@ static int io_prep_sfr(struct io_kiocb *req, const struct io_uring_sqe *sqe)
        if (!req->file)
                return -EBADF;
-        /* Prep already done (EAGAIN retry) */
-        if (req->flags & REQ_F_PREPPED)
-                return 0;
        if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
                return -EINVAL;
        if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
                return -EINVAL;
-        req->flags |= REQ_F_PREPPED;
        return ret;
 }
author	Stefan Bühler <source@stbuehler.de>	2019-05-11 13:08:01 -0400
committer	Jens Axboe <axboe@kernel.dk>	2019-05-13 11:15:42 -0400
commit	e2033e33cb3821c26d4f9e70677910827d3b7885 (patch)
tree	9a4c0da34b35916590b1104581ccd89339ea6d94
parent	a13f0655503a4a89df67fdc7cac6a7810795d4b3 (diff)