Date: Fri, 6 May 2022 18:19:42 +0100
Subject: Re: [PATCH 3/5] io_uring: let fast poll support multishot
To: Hao Xu, io-uring@vger.kernel.org
Cc: Jens Axboe, linux-kernel@vger.kernel.org
References: <20220506070102.26032-1-haoxu.linux@gmail.com> <20220506070102.26032-4-haoxu.linux@gmail.com>
From: Pavel Begunkov
In-Reply-To: <20220506070102.26032-4-haoxu.linux@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 5/6/22 08:01, Hao Xu wrote: > From: Hao Xu > > For operations like accept, multishot is a useful feature, since we can > reduce a number of accept sqe. Let's integrate it to fast poll, it may > be good for other operations in the future. > > Signed-off-by: Hao Xu > --- > fs/io_uring.c | 41 ++++++++++++++++++++++++++--------------- > 1 file changed, 26 insertions(+), 15 deletions(-) > > diff --git a/fs/io_uring.c b/fs/io_uring.c > index 8ebb1a794e36..d33777575faf 100644 > --- a/fs/io_uring.c > +++ b/fs/io_uring.c > @@ -5952,7 +5952,7 @@ static void io_poll_remove_entries(struct io_kiocb *req) > * either spurious wakeup or multishot CQE is served. 0 when it's done with > * the request, then the mask is stored in req->cqe.res. > */ > -static int io_poll_check_events(struct io_kiocb *req, bool locked) > +static int io_poll_check_events(struct io_kiocb *req, bool *locked) > { > struct io_ring_ctx *ctx = req->ctx; > int v; 
> @@ -5981,17 +5981,26 @@ static int io_poll_check_events(struct io_kiocb *req, bool locked) > > /* multishot, just fill an CQE and proceed */ > if (req->cqe.res && !(req->apoll_events & EPOLLONESHOT)) { > - __poll_t mask = mangle_poll(req->cqe.res & req->apoll_events); > - bool filled; > - > - spin_lock(&ctx->completion_lock); > - filled = io_fill_cqe_aux(ctx, req->cqe.user_data, mask, > - IORING_CQE_F_MORE); > - io_commit_cqring(ctx); > - spin_unlock(&ctx->completion_lock); > - if (unlikely(!filled)) > - return -ECANCELED; > - io_cqring_ev_posted(ctx); > + if (req->flags & REQ_F_APOLL_MULTISHOT) { > + io_tw_lock(req->ctx, locked); > + if (likely(!(req->task->flags & PF_EXITING))) > + io_queue_sqe(req);

That looks dangerous, io_queue_sqe() usually takes the request ownership and doesn't expect that someone, i.e. io_poll_check_events(), may still be actively using it. E.g. io_accept() fails on fd < 0, returns an error, io_queue_sqe() -> io_queue_async() -> io_req_complete_failed() kills it. Then io_poll_check_events() and polling in general carry on using the freed request => UAF. Didn't look at it too carefully, but there might be other similar cases.

> + else > + return -EFAULT; > + } else { > + __poll_t mask = mangle_poll(req->cqe.res & > + req->apoll_events); > + bool filled; > + > + spin_lock(&ctx->completion_lock); > + filled = io_fill_cqe_aux(ctx, req->cqe.user_data, > + mask, IORING_CQE_F_MORE); > + io_commit_cqring(ctx); > + spin_unlock(&ctx->completion_lock); > + if (unlikely(!filled)) > + return -ECANCELED; > + io_cqring_ev_posted(ctx); > + } > } else if (req->cqe.res) { > return 0; > } > @@ -6010,7 +6019,7 @@ static void io_poll_task_func(struct io_kiocb *req, bool *locked) > struct io_ring_ctx *ctx = req->ctx; > int ret; > > - ret = io_poll_check_events(req, *locked); > + ret = io_poll_check_events(req, locked); > if (ret > 0) > return; 
> > @@ -6035,7 +6044,7 @@ static void io_apoll_task_func(struct io_kiocb *req, bool *locked) > struct io_ring_ctx *ctx = req->ctx; > int ret; > > - ret = io_poll_check_events(req, *locked); > + ret = io_poll_check_events(req, locked); > if (ret > 0) > return; > > @@ -6275,7 +6284,7 @@ static int io_arm_poll_handler(struct io_kiocb *req, unsigned issue_flags) > struct io_ring_ctx *ctx = req->ctx; > struct async_poll *apoll; > struct io_poll_table ipt; > - __poll_t mask = EPOLLONESHOT | POLLERR | POLLPRI; > + __poll_t mask = POLLERR | POLLPRI; > int ret; > > if (!def->pollin && !def->pollout) > @@ -6284,6 +6293,8 @@ static int io_arm_poll_handler(struct io_kiocb *req, unsigned issue_flags) > return IO_APOLL_ABORTED; > if ((req->flags & (REQ_F_POLLED|REQ_F_PARTIAL_IO)) == REQ_F_POLLED) > return IO_APOLL_ABORTED; > + if (!(req->flags & REQ_F_APOLL_MULTISHOT)) > + mask |= EPOLLONESHOT; > > if (def->pollin) { > mask |= POLLIN | POLLRDNORM;

--
Pavel Begunkov
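
Review bot: The comment above io_poll_check_events() in the first hunk (@@ -5952,7 +5952,7 @@) still documents only the return values, although the parameter changes from `bool locked` to `bool *locked` and the following hunk hands that pointer to io_tw_lock(req->ctx, locked). The function can therefore change the caller's view of the lock state, which neither the comment nor the two updated call sites (io_poll_task_func() and io_apoll_task_func()) mention. Suggest extending the comment to say that *locked may be updated on return and that callers must re-read it rather than rely on the value they passed in.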
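
Review bot: In the @@ -5981,17 +5981,26 @@ hunk, the new REQ_F_APOLL_MULTISHOT branch calls io_queue_sqe(req) and then leaves the if/else with nothing that marks the point where the poll code stops using req, so the lifetime problem raised in the reply above (the issue path failing and completing the request while io_poll_check_events() still holds it) is not ruled out by anything visible here. Suggest making the hand-off explicit, for example by holding a reference across the call or by returning a dedicated value immediately after io_queue_sqe(req) so the caller does not touch req again, and stating the ownership rule in a comment. Separately, the PF_EXITING path returns -EFAULT while the failure in the sibling else branch returns -ECANCELED; if the difference is intended it needs a comment, otherwise use the same code.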
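
Review bot: The last two hunks in io_arm_poll_handler() (@@ -6275,7 +6284,7 @@ and @@ -6284,6 +6293,8 @@) leave multishot state recorded in two places, the absence of EPOLLONESHOT in the mask and REQ_F_APOLL_MULTISHOT in req->flags, and io_poll_check_events() then tests both in sequence (`!(req->apoll_events & EPOLLONESHOT)` followed by `req->flags & REQ_F_APOLL_MULTISHOT`). Nothing in the patch states the invariant that ties them together. Suggest a comment at `mask |= EPOLLONESHOT;` saying that one-shot remains the default for fast poll and that only requests carrying REQ_F_APOLL_MULTISHOT are armed without it, so a later change to one side does not silently send a request down the wrong branch.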