On 11/5/19 4:04 PM, Pavel Begunkov wrote:
if (unlikely(!shadow_req))
> @@ -2716,24 +2712,25 @@ static int io_submit_sqes(struct io_ring_ctx *ctx, unsigned int nr,
> shadow_req->flags |= (REQ_F_IO_DRAIN | REQ_F_SHADOW_DRAIN);
> refcount_dec(&shadow_req->refs);
> }
> - shadow_req->sequence = s.sequence;
> + shadow_req->sequence = req->submit.sequence;
> }
>
> out:
> - s.ring_file = ring_file;
> - s.ring_fd = ring_fd;
> - s.has_user = *mm != NULL;
> - s.in_async = async;
> - s.needs_fixed_file = async;
> - trace_io_uring_submit_sqe(ctx, s.sqe->user_data, true, async);
> - io_submit_sqe(ctx, req, &s, statep, &link);
> + req->submit.ring_file = ring_file;
> + req->submit.ring_fd = ring_fd;
> + req->submit.has_user = *mm != NULL;
> + req->submit.in_async = async;
> + req->submit.needs_fixed_file = async;
> + trace_io_uring_submit_sqe(ctx, req->submit.sqe->user_data,
> + true, async);
> + io_submit_sqe(ctx, req, &req->submit, statep, &link);
> submitted++;
>
> /*
> * If previous wasn't linked and we have a linked command,
> * that's the end of the chain. Submit the previous link.
> */
> - if (!(s.sqe->flags & IOSQE_IO_LINK) && link) {
> + if (!(req->submit.sqe->flags & IOSQE_IO_LINK) && link) {
> io_queue_link_head(ctx, link, &link->submit, shadow_req);
> link = NULL;
> shadow_req = NULL;
Another potential use-after-free here, as 'req' might have completed by the time you go and check for IOSQE_IO_LINK.
-- Jens Axboe
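Review bot: Nothing in the hunk documents who owns `req` once `io_submit_sqe(ctx, req, &req->submit, statep, &link)` returns, and the move of the submission state from the stack-local `s` into `req->submit` makes that ownership rule matter for every later read in the function. A short comment above the call, e.g. `/* req (and req->submit) is handed to io_submit_sqe(); its lifetime is no longer ours past this point */`, would make the contract visible where the old stack copy previously hid it. If the intent is that the caller may still inspect the SQE afterwards, the comment should instead say what guarantees that, since the hunk itself shows no reference taken on `req` before the call. The body of io_submit_sqes continues outside the hunk.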