From: Jens Axboe axboe@kernel.dk
mainline inclusion from mainline-5.8-rc7 commit 807abcb0883439af5ead73f3308310453b97b624 category: feature bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=27 CVE: NA ---------------------------
The double poll additions were centered around doing POLL_ADD on file descriptors that use more than one waitqueue (typically one for read, one for write) when being polled. However, it can also end up being triggered when we use poll-triggered retry. For that case, we cannot safely use req->io, as that could be used by the request type itself.
Add a second io_poll_iocb pointer in the structure we allocate for poll based retry, and ensure we use the right one from the two paths.
Fixes: 18bceab101ad ("io_uring: allow POLL_ADD with double poll_wait() users") Signed-off-by: Jens Axboe axboe@kernel.dk Signed-off-by: yangerkun yangerkun@huawei.com Reviewed-by: zhangyi (F) yi.zhang@huawei.com Signed-off-by: Cheng Jian cj.chengjian@huawei.com --- fs/io_uring.c | 47 ++++++++++++++++++++++++++--------------------- 1 file changed, 26 insertions(+), 21 deletions(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index 408b496c6b88..93a4d6a3ad57 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -609,6 +609,7 @@ enum {
struct async_poll {
 struct io_poll_iocb poll;
+ struct io_poll_iocb *double_poll;
 struct io_wq_work work;
 };
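Review bot: The new `double_poll` member carries no comment, although its lifetime rules are spread across the rest of the patch: io_arm_poll_handler sets it to NULL right after the kmalloc, __io_queue_proc fills it through its `poll_ptr` argument, and every site that frees the apoll now frees it first. A one-line comment on the field would keep the next caller from forgetting either half, e.g. `/* second wait entry for files with two waitqueues; NULL until added, freed together with this apoll */`. The allocation of that entry is not in any hunk, so its ownership is inferred from the kfree pairing rather than seen.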
@@ -4119,9 +4120,9 @@ static bool io_poll_rewait(struct io_kiocb *req, struct io_poll_iocb *poll)
 return false;
 }
-static void io_poll_remove_double(struct io_kiocb *req)
+static void io_poll_remove_double(struct io_kiocb *req, void *data)
 {
- struct io_poll_iocb *poll = (struct io_poll_iocb *) req->io;
+ struct io_poll_iocb *poll = data;
lockdep_assert_held(&req->ctx->completion_lock);
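Review bot: `void *data` erases a type that every call site already has: the callers pass either `req->io` or `apoll->double_poll`, and the first statement assigns the argument to a `struct io_poll_iocb *`. Declaring the parameter as `struct io_poll_iocb *poll` and casting at the two `req->io` call sites (io_poll_complete and the POLL_ADD branch of io_poll_remove_one) would let the compiler catch a mismatched argument. The body continues past the hunk, so it cannot be confirmed here that a NULL argument is tolerated; it has to be, because io_async_task_func and the failure path of io_arm_poll_handler pass `apoll->double_poll` unconditionally and io_arm_poll_handler initialises it to NULL. A short comment above the function would record both contracts, e.g. `/* data: the second wait entry, if any (may be NULL); caller holds completion_lock */`.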
@@ -4141,7 +4142,7 @@ static void io_poll_complete(struct io_kiocb *req, __poll_t mask, int error)
 {
 struct io_ring_ctx *ctx = req->ctx;
- io_poll_remove_double(req);
+ io_poll_remove_double(req, req->io);
 req->poll.done = true;
 io_cqring_fill_event(req, error ? error : mangle_poll(mask));
 io_commit_cqring(ctx);
@@ -4184,21 +4185,21 @@ static int io_poll_double_wake(struct wait_queue_entry *wait, unsigned mode,
 int sync, void *key)
 {
 struct io_kiocb *req = wait->private;
- struct io_poll_iocb *poll = (struct io_poll_iocb *) req->io;
+ struct io_poll_iocb *poll = req->apoll->double_poll;
 __poll_t mask = key_to_poll(key);
/* for instances that support it check for an event match first: */
 if (mask && !(mask & poll->events))
 return 0;
- if (req->poll.head) {
+ if (poll && poll->head) {
 bool done;
- spin_lock(&req->poll.head->lock);
- done = list_empty(&req->poll.wait.entry);
+ spin_lock(&poll->head->lock);
+ done = list_empty(&poll->wait.entry);
 if (!done)
- list_del_init(&req->poll.wait.entry);
- spin_unlock(&req->poll.head->lock);
+ list_del_init(&poll->wait.entry);
+ spin_unlock(&poll->head->lock);
 if (!done)
 __io_async_wake(req, poll, mask, io_poll_task_func);
 }
@@ -4218,7 +4219,8 @@ static void io_init_poll_iocb(struct io_poll_iocb *poll, __poll_t events,
 }
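Review bot: io_poll_double_wake now takes the second entry from `req->apoll->double_poll` for every request, but the hunks at @@ -4471 and @@ -4588 show that a POLL_ADD request keeps that entry in `req->io`, not in an apoll, and io_poll_remove_one already branches on `req->opcode == IORING_OP_POLL_ADD` to pick the right one. Both request types install this same callback through io_init_poll_iocb in __io_queue_proc, so a wakeup on a POLL_ADD second entry reads through `req->apoll`, a field the POLL_ADD path never populates; whether that is even a valid pointer for such a request cannot be confirmed from the hunk. The lookup should branch on the opcode the way the removal path does, for example through the small helper below. Separately, the new `poll && poll->head` guard comes after `poll->events` has already been dereferenced in the event-match check a few lines above; either the guard is redundant or the events check has to move behind it.
```c
/* Second wait entry of either request type, or NULL: POLL_ADD keeps it in
 * req->io (see io_poll_queue_proc), poll-driven retry keeps it in the apoll. */
static struct io_poll_iocb *io_poll_get_double(struct io_kiocb *req)
{
	if (req->opcode == IORING_OP_POLL_ADD)
		return (struct io_poll_iocb *) req->io;
	return req->apoll->double_poll;
}

/* … unchanged: io_poll_double_wake signature … */
	struct io_kiocb *req = wait->private;
	struct io_poll_iocb *poll = io_poll_get_double(req);
	__poll_t mask = key_to_poll(key);
/* … unchanged: event match, head lock and wake … */
```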
static void __io_queue_proc(struct io_poll_iocb *poll, struct io_poll_table *pt,
- struct wait_queue_head *head)
+ struct wait_queue_head *head,
+ struct io_poll_iocb **poll_ptr)
 {
 struct io_kiocb *req = pt->req;
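Review bot: The new `poll_ptr` parameter is undocumented, yet the next hunk relies on two properties of it: `*poll_ptr` being non-NULL is taken to mean "a second entry already exists, fail a third", and `*poll_ptr = poll` hands the new entry to whoever owns the slot, so the caller must pass a slot that is NULL on the first call and must free what it receives. Both callers in this patch satisfy that (io_arm_poll_handler sets `apoll->double_poll = NULL` and later frees it, io_poll_queue_proc passes `&req->io`), but nothing states it; a parameter comment such as `/* poll_ptr: slot for the second wait entry; must be NULL on the first call, caller owns and frees the entry stored in it */` would make the contract visible. The function body continues outside the hunk.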
@@ -4229,7 +4231,7 @@ static void __io_queue_proc(struct io_poll_iocb *poll, struct io_poll_table *pt,
 */
 if (unlikely(poll->head)) {
 /* already have a 2nd entry, fail a third attempt */
- if (req->io) {
+ if (*poll_ptr) {
 pt->error = -EINVAL;
 return;
 }
@@ -4241,7 +4243,7 @@ static void __io_queue_proc(struct io_poll_iocb *poll, struct io_poll_table *pt,
 io_init_poll_iocb(poll, req->poll.events, io_poll_double_wake);
 refcount_inc(&req->refs);
 poll->wait.private = req;
- req->io = (void *) poll;
+ *poll_ptr = poll;
 }
pt->error = 0;
@@ -4257,8 +4259,9 @@ static void io_async_queue_proc(struct file *file, struct wait_queue_head *head,
 struct poll_table_struct *p)
 {
 struct io_poll_table *pt = container_of(p, struct io_poll_table, pt);
+ struct async_poll *apoll = pt->req->apoll;
- __io_queue_proc(&pt->req->apoll->poll, pt, head);
+ __io_queue_proc(&apoll->poll, pt, head, &apoll->double_poll);
 }
static void io_sq_thread_drop_mm(struct io_ring_ctx *ctx)
@@ -4308,11 +4311,13 @@ static void io_async_task_func(struct callback_head *cb)
 }
 }
+ io_poll_remove_double(req, apoll->double_poll);
 spin_unlock_irq(&ctx->completion_lock);
/* restore ->work in case we need to retry again */
 if (req->flags & REQ_F_WORK_INITIALIZED)
 memcpy(&req->work, &apoll->work, sizeof(req->work));
+ kfree(apoll->double_poll);
 kfree(apoll);
if (!canceled) {
@@ -4400,7 +4405,6 @@ static bool io_arm_poll_handler(struct io_kiocb *req)
 struct async_poll *apoll;
 struct io_poll_table ipt;
 __poll_t mask, ret;
- bool had_io;
if (!req->file || !file_can_poll(req->file))
 return false;
@@ -4412,11 +4416,11 @@ static bool io_arm_poll_handler(struct io_kiocb *req)
 apoll = kmalloc(sizeof(*apoll), GFP_ATOMIC);
 if (unlikely(!apoll))
 return false;
+ apoll->double_poll = NULL;
req->flags |= REQ_F_POLLED;
 if (req->flags & REQ_F_WORK_INITIALIZED)
 memcpy(&apoll->work, &req->work, sizeof(req->work));
- had_io = req->io != NULL;
io_get_req_task(req);
 req->apoll = apoll;
@@ -4434,13 +4438,11 @@ static bool io_arm_poll_handler(struct io_kiocb *req)
 ret = __io_arm_poll_handler(req, &apoll->poll, &ipt, mask,
 io_async_wake);
 if (ret) {
- ipt.error = 0;
- /* only remove double add if we did it here */
- if (!had_io)
- io_poll_remove_double(req);
+ io_poll_remove_double(req, apoll->double_poll);
 spin_unlock_irq(&ctx->completion_lock);
 if (req->flags & REQ_F_WORK_INITIALIZED)
 memcpy(&req->work, &apoll->work, sizeof(req->work));
+ kfree(apoll->double_poll);
 kfree(apoll);
 return false;
 }
@@ -4471,11 +4473,13 @@ static bool io_poll_remove_one(struct io_kiocb *req)
 bool do_complete;
if (req->opcode == IORING_OP_POLL_ADD) {
- io_poll_remove_double(req);
+ io_poll_remove_double(req, req->io);
 do_complete = __io_poll_remove_one(req, &req->poll);
 } else {
 struct async_poll *apoll = req->apoll;
+ io_poll_remove_double(req, apoll->double_poll);
+
 /* non-poll requests have submit ref still */
 do_complete = __io_poll_remove_one(req, &apoll->poll);
 if (do_complete) {
@@ -4488,6 +4492,7 @@ static bool io_poll_remove_one(struct io_kiocb *req)
 if (req->flags & REQ_F_WORK_INITIALIZED)
 memcpy(&req->work, &apoll->work, sizeof(req->work));
+ kfree(apoll->double_poll);
 kfree(apoll);
 }
 }
@@ -4588,7 +4593,7 @@ static void io_poll_queue_proc(struct file *file, struct wait_queue_head *head,
 {
 struct io_poll_table *pt = container_of(p, struct io_poll_table, pt);
- __io_queue_proc(&pt->req->poll, pt, head);
+ __io_queue_proc(&pt->req->poll, pt, head, (struct io_poll_iocb **) &pt->req->io);
 }
static int io_poll_add_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
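Review bot: The cast `(struct io_poll_iocb **) &pt->req->io` stores a `struct io_poll_iocb *` into a field that, judging by the cast being needed and by the earlier `(struct io_poll_iocb *) req->io` reads, is declared with a different pointer type, and the reason this is safe is stated nowhere near the line. The commit message says `req->io` is used by other request types for their own data, which implies that POLL_ADD does not; a comment above the call would record the invariant the pun depends on, e.g. `/* POLL_ADD keeps no async data in ->io, so the field doubles as the slot for the second wait entry */`. That claim about POLL_ADD is taken from the description rather than from the hunk and should be checked against io_poll_add_prep, which begins at the last line of the hunk and continues outside it.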