提交 91482864 编写于 作者: P Pavel Begunkov 提交者: Jens Axboe

io_uring: fix multishot accept request leaks

Having REQ_F_POLLED set doesn't guarantee that the request is
executed as a multishot from the polling path. Fortunately for us, if
the code thinks it's multishot issue when it's not, it can only ask to
skip completion so leaking the request. Use issue_flags to mark
multipoll issues.

Cc: stable@vger.kernel.org
Fixes: 390ed29b ("io_uring: add IORING_ACCEPT_MULTISHOT for accept")
Signed-off-by: NPavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/7700ac57653f2823e30b34dc74da68678c0c5f13.1668710222.git.asml.silence@gmail.comSigned-off-by: NJens Axboe <axboe@kernel.dk>
上级 539bcb57
...@@ -16,6 +16,9 @@ enum io_uring_cmd_flags { ...@@ -16,6 +16,9 @@ enum io_uring_cmd_flags {
IO_URING_F_SQE128 = 4, IO_URING_F_SQE128 = 4,
IO_URING_F_CQE32 = 8, IO_URING_F_CQE32 = 8,
IO_URING_F_IOPOLL = 16, IO_URING_F_IOPOLL = 16,
/* the request is executed from poll, it should not be freed */
IO_URING_F_MULTISHOT = 32,
}; };
struct io_uring_cmd { struct io_uring_cmd {
......
...@@ -1768,7 +1768,7 @@ int io_poll_issue(struct io_kiocb *req, bool *locked) ...@@ -1768,7 +1768,7 @@ int io_poll_issue(struct io_kiocb *req, bool *locked)
io_tw_lock(req->ctx, locked); io_tw_lock(req->ctx, locked);
if (unlikely(req->task->flags & PF_EXITING)) if (unlikely(req->task->flags & PF_EXITING))
return -EFAULT; return -EFAULT;
return io_issue_sqe(req, IO_URING_F_NONBLOCK); return io_issue_sqe(req, IO_URING_F_NONBLOCK|IO_URING_F_MULTISHOT);
} }
struct io_wq_work *io_wq_free_work(struct io_wq_work *work) struct io_wq_work *io_wq_free_work(struct io_wq_work *work)
......
...@@ -17,8 +17,8 @@ enum { ...@@ -17,8 +17,8 @@ enum {
IOU_ISSUE_SKIP_COMPLETE = -EIOCBQUEUED, IOU_ISSUE_SKIP_COMPLETE = -EIOCBQUEUED,
/* /*
* Intended only when both REQ_F_POLLED and REQ_F_APOLL_MULTISHOT * Intended only when both IO_URING_F_MULTISHOT is passed
* are set to indicate to the poll runner that multishot should be * to indicate to the poll runner that multishot should be
* removed and the result is set on req->cqe.res. * removed and the result is set on req->cqe.res.
*/ */
IOU_STOP_MULTISHOT = -ECANCELED, IOU_STOP_MULTISHOT = -ECANCELED,
......
...@@ -1289,8 +1289,7 @@ int io_accept(struct io_kiocb *req, unsigned int issue_flags) ...@@ -1289,8 +1289,7 @@ int io_accept(struct io_kiocb *req, unsigned int issue_flags)
* return EAGAIN to arm the poll infra since it * return EAGAIN to arm the poll infra since it
* has already been done * has already been done
*/ */
if ((req->flags & IO_APOLL_MULTI_POLLED) == if (issue_flags & IO_URING_F_MULTISHOT)
IO_APOLL_MULTI_POLLED)
ret = IOU_ISSUE_SKIP_COMPLETE; ret = IOU_ISSUE_SKIP_COMPLETE;
return ret; return ret;
} }
...@@ -1315,9 +1314,7 @@ int io_accept(struct io_kiocb *req, unsigned int issue_flags) ...@@ -1315,9 +1314,7 @@ int io_accept(struct io_kiocb *req, unsigned int issue_flags)
goto retry; goto retry;
io_req_set_res(req, ret, 0); io_req_set_res(req, ret, 0);
if (req->flags & REQ_F_POLLED) return (issue_flags & IO_URING_F_MULTISHOT) ? IOU_STOP_MULTISHOT : IOU_OK;
return IOU_STOP_MULTISHOT;
return IOU_OK;
} }
int io_socket_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe) int io_socket_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册