On 1/9/2020 6:23 PM, Jens Axboe wrote:
> On 1/9/20 8:17 AM, Pavel Begunkov wrote:
>> On 1/9/2020 5:51 PM, Jens Axboe wrote:
>>> On 1/9/20 7:26 AM, Pavel Begunkov wrote:
>>>> On 1/9/2020 4:17 PM, Dmitrii Dolgov wrote:
>>>>> With combination of --fixedbufs and an old version of fio I've managed
>>>>> to get a strange situation, when doing io_iopoll_complete NULL pointer
>>>>> dereference on file_data was caused in io_free_req_many. Interesting
>>>>> enough, the very same configuration doesn't fail on a newest version of
>>>>> fio (the old one is fc220349e4514, the new one is 2198a6b5a9f4), but I
>>>>> guess it still makes sense to have this check if it's possible to craft
>>>>> such request to io_uring.
>>>>
>>>> I didn't looked up why it could become NULL in the first place, but the
>>>> problem is probably deeper.
>>>>
>>>> 1. I don't see why it puts @rb->to_free @file_data->refs, even though
>>>> there could be non-fixed reqs. It needs to count REQ_F_FIXED_FILE reqs
>>>> and put only as much.
>>>
>>> Agree on the fixed file refs, there's a bug there where it assumes they
>>> are all still fixed. See below - Dmitrii, use this patch for testing
>>> instead of the other one!
>>>
>>>> 2. Jens, there is another line bothering me, could you take a look?
>>>>
>>>> io_free_req_many()
>>>> {
>>>> ...
>>>> if (req->flags & REQ_F_INFLIGHT) ...;
>>>> else
>>>> rb->reqs[i] = NULL;
>>>> ...
>>>> }
>>>>
>>>> It zeroes rb->reqs[i], calls __io_req_aux_free(), but did not free
>>>> memory for the request itself. Is it as intended?
>>>
>>> We free them at the end of that function, in bulk. But we can't do that
>>> with the aux data.
>>
>> Right, we can't do that with the aux data. But we NULL a req in the
>> array, which then passed to kmem_cache_free_bulk(). So, it won't be
>> visible to the *_free_bulk(). Am I missing something?
>>
>> e.g.
>> 1. initial reqs [req1 with files, ->io, etc]
>> 2. set to NULL, so [NULL]
>> 3. __io_req_aux_free(req)
>> 4. bulk_free([NULL]);
>
> Yeah that looks wrong, I don't think you're missing something. We
> should just use the flags check again. I'll double check this in
> testing now.
Great, thanks!
BTW, if by any chance you missed it, there was another comment in my
previous mail regarding your fix for the put problem.
>
> diff --git a/fs/io_uring.c b/fs/io_uring.c
> index 49622a320317..d7a77830a2f2 100644
> --- a/fs/io_uring.c
> +++ b/fs/io_uring.c
> @@ -1235,8 +1235,6 @@ static void io_free_req_many(struct io_ring_ctx *ctx, struct req_batch *rb)
> }
> if (req->flags & REQ_F_INFLIGHT)
> inflight++;
> - else
> - rb->reqs[i] = NULL;
> __io_req_aux_free(req);
> }
> if (!inflight)
> @@ -1246,7 +1244,7 @@ static void io_free_req_many(struct io_ring_ctx *ctx, struct req_batch *rb)
> for (i = 0; i < rb->to_free; i++) {
> struct io_kiocb *req = rb->reqs[i];
>
> - if (req) {
> + if (req->flags & REQ_F_INFLIGHT)
> list_del(&req->inflight_entry);
> if (!--inflight)
> break;
>
--
Pavel Begunkov
