
Commit e2033e3

stbuehleraxboe
authored andcommitted
io_uring: fix race condition reading SQE data
When punting to workers the SQE gets copied after the initial try. There is a race condition between reading SQE data for the initial try and copying it for punting it to the workers. For example io_rw_done calls kiocb->ki_complete even if it was prepared for IORING_OP_FSYNC (and would be NULL). The easiest solution for now is to always prepare again in the worker. req->file is safe to prepare though as long as it is checked before use. Signed-off-by: Stefan Bühler <[email protected]> Signed-off-by: Jens Axboe <[email protected]>
1 parent a13f065 commit e2033e3


1 file changed

+2
-15
lines changed


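--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -329,9 +329,8 @@ struct io_kiocb {
 #define REQ_F_IOPOLL_COMPLETED 2 /* polled IO has completed */
 #define REQ_F_FIXED_FILE 4 /* ctx owns file */
 #define REQ_F_SEQ_PREV 8 /* sequential with previous */
-#define REQ_F_PREPPED 16 /* prep already done */
-#define REQ_F_IO_DRAIN 32 /* drain existing IO first */
-#define REQ_F_IO_DRAINED 64 /* drain done */
+#define REQ_F_IO_DRAIN 16 /* drain existing IO first */
+#define REQ_F_IO_DRAINED 32 /* drain done */
 u64 user_data;
 u32 error; /* iopoll result from callback */
 u32 sequence;
@@ -896,9 +895,6 @@ static int io_prep_rw(struct io_kiocb *req, const struct sqe_submit *s,
 
 if (!req->file)
 return -EBADF;
-/* For -EAGAIN retry, everything is already prepped */
-if (req->flags & REQ_F_PREPPED)
-return 0;
 
 if (force_nonblock && !io_file_supports_async(req->file))
 force_nonblock = false;
@@ -941,7 +937,6 @@ static int io_prep_rw(struct io_kiocb *req, const struct sqe_submit *s,
 return -EINVAL;
 kiocb->ki_complete = io_complete_rw;
 }
-req->flags |= REQ_F_PREPPED;
 return 0;
 }
 
@@ -1227,16 +1222,12 @@ static int io_prep_fsync(struct io_kiocb *req, const struct io_uring_sqe *sqe)
 
 if (!req->file)
 return -EBADF;
-/* Prep already done (EAGAIN retry) */
-if (req->flags & REQ_F_PREPPED)
-return 0;
 
 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
 return -EINVAL;
 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
 return -EINVAL;
 
-req->flags |= REQ_F_PREPPED;
 return 0;
 }
 
@@ -1277,16 +1268,12 @@ static int io_prep_sfr(struct io_kiocb *req, const struct io_uring_sqe *sqe)
 
 if (!req->file)
 return -EBADF;
-/* Prep already done (EAGAIN retry) */
-if (req->flags & REQ_F_PREPPED)
-return 0;
 
 if (unlikely(ctx->flags & IORING_SETUP_IOPOLL))
 return -EINVAL;
 if (unlikely(sqe->addr || sqe->ioprio || sqe->buf_index))
 return -EINVAL;
 
-req->flags |= REQ_F_PREPPED;
 return ret;
 }
 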
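Review bot: With the `REQ_F_PREPPED` short-circuit removed, nothing in `io_prep_rw`, `io_prep_fsync` or `io_prep_sfr` records that prep now runs on every attempt, first on the SQE as originally read and again on the worker's copy, or that the second pass must overwrite whatever the first one set. A comment after the `if (!req->file)` check in each function would keep a later optimisation from bringing the cached-prep race back, for example `/* Re-run on every attempt: the worker's SQE copy may differ from what the inline try read, so do not cache prep state in req */`. The commit message names `req->file` as the one field that is safe to keep across passes as long as it is checked before use, and that belongs in the same comment. All three function bodies extend outside the hunks shown, so this page cannot confirm that every field written by the first pass is rewritten by the second.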
