Re: [PATCH 2/4] fuse: {io-uring} Access entries with queue lock in fuse_uring_entry_teardown

Joanne Koong <joannelkoong@xxxxxxxxx> · Fri, 24 Jan 2025 16:37:18 -0800

On Fri, Jan 24, 2025 at 8:47 AM Bernd Schubert <bschubert@xxxxxxx> wrote:
>
> This ensures that ent->cmd and ent->fuse_req are accessed in
> fuse_uring_entry_teardown while holding the queue lock.
>
> Fixes: a4bdb3d786c0 ("fuse: enable fuse-over-io-uring")
> Signed-off-by: Bernd Schubert <bschubert@xxxxxxx>
> ---
>  fs/fuse/dev_uring.c | 27 +++++++++++++++++++--------
>  1 file changed, 19 insertions(+), 8 deletions(-)
>
> diff --git a/fs/fuse/dev_uring.c b/fs/fuse/dev_uring.c
> index 1834c1933d2bbab0342257fde4b030f06506c55d..87bb89994c311f435c370f78984be060fcb8036f 100644
> --- a/fs/fuse/dev_uring.c
> +++ b/fs/fuse/dev_uring.c
> @@ -315,14 +315,20 @@ static void fuse_uring_stop_fuse_req_end(struct fuse_ring_ent *ent)
>   */
>  static void fuse_uring_entry_teardown(struct fuse_ring_ent *ent)
>  {
> -       struct fuse_ring_queue *queue = ent->queue;
> -       if (ent->cmd) {
> -               io_uring_cmd_done(ent->cmd, -ENOTCONN, 0, IO_URING_F_UNLOCKED);
> -               ent->cmd = NULL;
> -       }
> +       struct fuse_req *req;
> +       struct io_uring_cmd *cmd;
>
> -       if (ent->fuse_req)
> -               fuse_uring_stop_fuse_req_end(ent);
> +       struct fuse_ring_queue *queue = ent->queue;
> +
> +       spin_lock(&queue->lock);
> +       ent->fuse_req = NULL;
> +
> +       req = ent->fuse_req;

I think you meant here to switch these two lines? otherwise i think
req will alwyas be null here.

Thanks,
Joanne

> +       if (req)
> +               list_del_init(&req->list);
> +
> +       cmd = ent->cmd;
> +       ent->cmd = NULL;
>
>         /*
>          * The entry must not be freed immediately, due to access of direct
> @@ -330,10 +336,15 @@ static void fuse_uring_entry_teardown(struct fuse_ring_ent *ent)
>          * of race between daemon termination (which triggers IO_URING_F_CANCEL
>          * and accesses entries without checking the list state first
>          */
> -       spin_lock(&queue->lock);
>         list_move(&ent->list, &queue->ent_released);
>         ent->state = FRRS_RELEASED;
>         spin_unlock(&queue->lock);
> +
> +       if (cmd)
> +               io_uring_cmd_done(cmd, -ENOTCONN, 0, IO_URING_F_UNLOCKED);
> +
> +       if (req)
> +               fuse_uring_stop_fuse_req_end(req);
>  }
>
>  static void fuse_uring_stop_list_entries(struct list_head *head,
>
> --
> 2.43.0
>