On 1/9/20 9:04 AM, Dmitry Dolgov wrote: >> On Thu, Jan 09, 2020 at 07:51:28AM -0700, Jens Axboe wrote: >> On 1/9/20 7:26 AM, Pavel Begunkov wrote: >>> On 1/9/2020 4:17 PM, Dmitrii Dolgov wrote: >>>> With combination of --fixedbufs and an old version of fio I've managed >>>> to get a strange situation, when doing io_iopoll_complete NULL pointer >>>> dereference on file_data was caused in io_free_req_many. Interesting >>>> enough, the very same configuration doesn't fail on a newest version of >>>> fio (the old one is fc220349e4514, the new one is 2198a6b5a9f4), but I >>>> guess it still makes sense to have this check if it's possible to craft >>>> such request to io_uring. >>> >>> I didn't looked up why it could become NULL in the first place, but the >>> problem is probably deeper. >>> >>> 1. I don't see why it puts @rb->to_free @file_data->refs, even though >>> there could be non-fixed reqs. It needs to count REQ_F_FIXED_FILE reqs >>> and put only as much. >> >> Agree on the fixed file refs, there's a bug there where it assumes they >> are all still fixed. See below - Dmitrii, use this patch for testing >> instead of the other one! > > Yes, the patch from this email also fixes the issue. Great, thanks for testing, I'll add your Tested-by to the commit. -- Jens Axboe
