| Message ID | 20250317135742.4331-6-sidong.yang@furiosa.ai (mailing list archive) |
|---|---|
| State | New |
| Series | introduce io_uring_cmd_import_fixed_vec |
On 3/17/25 13:57, Sidong Yang wrote:
> This patch fixes a bug on encoded_read. In btrfs_uring_encoded_read(),
> btrfs_encoded_read() could return -EAGAIN when receiving requests
> concurrently. Then data->iov goes to out_free, where it is freed, and
> -EAGAIN is returned. The io_uring subsystem would call it again and it
> doesn't reset data. So data->iov is freed while the iov_iter still
> references it. The iov_iter would be used in btrfs_uring_read_finished()
> and could raise a memory bug.

Fixes should go first. Please send it separately, and CC Mark.
A "Fixes" tag would also be good to have.

> Signed-off-by: Sidong Yang <sidong.yang@furiosa.ai>
> ---
>  fs/btrfs/ioctl.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
> index a7b52fd99059..02fa8dd1a3ce 100644
> --- a/fs/btrfs/ioctl.c
> +++ b/fs/btrfs/ioctl.c
> @@ -4922,6 +4922,9 @@ static int btrfs_uring_encoded_read(struct io_uring_cmd *cmd, unsigned int issue
>
>  	ret = btrfs_encoded_read(&kiocb, &data->iter, &data->args, &cached_state,
>  				 &disk_bytenr, &disk_io_size);
> +
> +	if (ret == -EAGAIN)
> +		goto out_acct;
>  	if (ret < 0 && ret != -EIOCBQUEUED)
>  		goto out_free;
>
On Tue, Mar 18, 2025 at 07:21:00AM +0000, Pavel Begunkov wrote:
> On 3/17/25 13:57, Sidong Yang wrote:
> > This patch fixes a bug on encoded_read. In btrfs_uring_encoded_read(),
> > btrfs_encoded_read() could return -EAGAIN when receiving requests
> > concurrently. Then data->iov goes to out_free, where it is freed, and
> > -EAGAIN is returned. The io_uring subsystem would call it again and it
> > doesn't reset data. So data->iov is freed while the iov_iter still
> > references it. The iov_iter would be used in btrfs_uring_read_finished()
> > and could raise a memory bug.
>
> Fixes should go first. Please send it separately, and CC Mark.
> A "Fixes" tag would also be good to have.

Okay, I'll remove this from the patch series.

Thanks,
Sidong

> > Signed-off-by: Sidong Yang <sidong.yang@furiosa.ai>
> > ---
> >  fs/btrfs/ioctl.c | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
> > index a7b52fd99059..02fa8dd1a3ce 100644
> > --- a/fs/btrfs/ioctl.c
> > +++ b/fs/btrfs/ioctl.c
> > @@ -4922,6 +4922,9 @@ static int btrfs_uring_encoded_read(struct io_uring_cmd *cmd, unsigned int issue
> >  	ret = btrfs_encoded_read(&kiocb, &data->iter, &data->args, &cached_state,
> >  				 &disk_bytenr, &disk_io_size);
> > +
> > +	if (ret == -EAGAIN)
> > +		goto out_acct;
> >  	if (ret < 0 && ret != -EIOCBQUEUED)
> >  		goto out_free;
> >
> --
> Pavel Begunkov
>
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index a7b52fd99059..02fa8dd1a3ce 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -4922,6 +4922,9 @@ static int btrfs_uring_encoded_read(struct io_uring_cmd *cmd, unsigned int issue

 	ret = btrfs_encoded_read(&kiocb, &data->iter, &data->args, &cached_state,
 				 &disk_bytenr, &disk_io_size);
+
+	if (ret == -EAGAIN)
+		goto out_acct;
 	if (ret < 0 && ret != -EIOCBQUEUED)
 		goto out_free;
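Review bot: the new `if (ret == -EAGAIN) goto out_acct;` has no comment saying why -EAGAIN alone must bypass out_free while every other negative return still takes it; nothing in the code records that io_uring re-issues the command with the same data and that data->iov, which data->iter references, therefore has to stay allocated. Add a one-line comment above the check along the lines of `/* io_uring will retry with the same data; do not free data->iov here. */`. The hunk does not show what out_acct does, so please confirm in the changelog that the -EAGAIN path releases whatever cached_state or extent lock btrfs_encoded_read() may have left behind, since the call passes &cached_state. The extra blank `+` line between the call and its error handling is not needed. As this corrects a use-after-free on the retry path, a Fixes: tag naming the commit that introduced btrfs_uring_encoded_read() should be added, and the patch sent on its own rather than inside this series.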
This patch fixes a bug on encoded_read. In btrfs_uring_encoded_read(),
btrfs_encoded_read() could return -EAGAIN when receiving requests
concurrently. Then data->iov goes to out_free, where it is freed, and
-EAGAIN is returned. The io_uring subsystem would call it again and it
doesn't reset data. So data->iov is freed while the iov_iter still
references it. The iov_iter would be used in btrfs_uring_read_finished()
and could raise a memory bug.

Signed-off-by: Sidong Yang <sidong.yang@furiosa.ai>
---
 fs/btrfs/ioctl.c | 3 +++
 1 file changed, 3 insertions(+)
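The failure mode the commit message describes, modelled in userspace as an added example (this is not the btrfs or io_uring code; struct cmd_data, backend_read(), issue() and run_command() are hypothetical stand-ins). The submitter re-issues a command after -EAGAIN without resetting the per-command state, so a handler that frees its buffer on the -EAGAIN path leaves the iterator pointing at freed memory for the retry. The model keeps a freed flag so the use-after-free is reported instead of dereferenced:

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Per-command state kept by the submitter across re-issues (hypothetical
 * stand-in for the driver's async data). The real driver keeps an iov_iter
 * that references iov; here iter is simply a pointer to the same buffer. */
struct cmd_data {
	bool initialized;
	char *iov;        /* buffer allocated on the first issue */
	char *iter;       /* references iov, as an iov_iter would */
	bool iov_freed;   /* bookkeeping so the model detects UAF without touching freed memory */
};

/* Hypothetical backend: returns -EAGAIN `*eagain_left` times, then completes
 * by writing through the iterator. Constructed behaviour for the example. */
static int backend_read(struct cmd_data *d, int *eagain_left)
{
	if (*eagain_left > 0) {
		(*eagain_left)--;
		return -EAGAIN;
	}
	if (d->iov_freed)
		return -EFAULT;   /* stands in for the use-after-free on the retry */
	memcpy(d->iter, "data", 5);
	return 4;
}

/* The out_free path: releases the buffer but leaves iter dangling. */
static void release_iov(struct cmd_data *d)
{
	free(d->iov);
	d->iov = NULL;
	d->iov_freed = true;
}

/* One issue() of the command. With keep_on_eagain false, -EAGAIN falls
 * through to out_free (the bug); with it true, -EAGAIN returns early and the
 * state survives for the retry (the fix). */
static int issue(struct cmd_data *d, int *eagain_left, bool keep_on_eagain)
{
	int ret;

	if (!d->initialized) {       /* first issue only: import the buffer */
		d->iov = malloc(16);
		if (!d->iov)
			return -ENOMEM;
		d->iter = d->iov;
		d->initialized = true;
	}

	ret = backend_read(d, eagain_left);
	if (ret == -EAGAIN && keep_on_eagain)
		return ret;          /* submitter will retry with the same d */
	if (ret < 0)
		goto out_free;
	return ret;

out_free:
	release_iov(d);
	return ret;
}

/* Models the submitter: on -EAGAIN, call issue() again with cmd_data
 * untouched. Returns the final result of the command. */
static int run_command(bool keep_on_eagain)
{
	struct cmd_data d = {0};
	int eagain_left = 1;     /* constructed: block once, then succeed */
	int ret;

	do {
		ret = issue(&d, &eagain_left, keep_on_eagain);
	} while (ret == -EAGAIN);

	/* The completion step would read through iter here. */
	if (ret >= 0 && d.iov_freed)
		ret = -EFAULT;
	if (!d.iov_freed)
		release_iov(&d);
	return ret;
}
```

run_command(false) reproduces the bug: the first issue frees the buffer on -EAGAIN, and the retry reaches the backend with a dangling iterator. run_command(true) returns early on -EAGAIN, so the retry completes with the buffer intact and the buffer is released only once, after completion.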