Commit 100d6b17 authored by Pavel Begunkov's avatar Pavel Begunkov Committed by Jens Axboe

io_uring: fix multishot recv request leaks

Having REQ_F_POLLED set doesn't guarantee that the request is
executed as a multishot from the polling path. Fortunately for us, if
the code thinks it's multishot issue when it's not, it can only ask to
skip completion so leaking the request. Use issue_flags to mark
multipoll issues.

Cc: stable@vger.kernel.org
Fixes: 1300ebb20286b ("io_uring: multishot recv")
Signed-off-by: default avatarPavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/37762040ba9c52b81b92a2f5ebfd4ee484088951.1668710222.git.asml.silence@gmail.comSigned-off-by: default avatarJens Axboe <axboe@kernel.dk>
parent 91482864
...@@ -67,8 +67,6 @@ struct io_sr_msg { ...@@ -67,8 +67,6 @@ struct io_sr_msg {
struct io_kiocb *notif; struct io_kiocb *notif;
}; };
#define IO_APOLL_MULTI_POLLED (REQ_F_APOLL_MULTISHOT | REQ_F_POLLED)
int io_shutdown_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe) int io_shutdown_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
{ {
struct io_shutdown *shutdown = io_kiocb_to_cmd(req, struct io_shutdown); struct io_shutdown *shutdown = io_kiocb_to_cmd(req, struct io_shutdown);
...@@ -591,7 +589,8 @@ static inline void io_recv_prep_retry(struct io_kiocb *req) ...@@ -591,7 +589,8 @@ static inline void io_recv_prep_retry(struct io_kiocb *req)
* again (for multishot). * again (for multishot).
*/ */
static inline bool io_recv_finish(struct io_kiocb *req, int *ret, static inline bool io_recv_finish(struct io_kiocb *req, int *ret,
unsigned int cflags, bool mshot_finished) unsigned int cflags, bool mshot_finished,
unsigned issue_flags)
{ {
if (!(req->flags & REQ_F_APOLL_MULTISHOT)) { if (!(req->flags & REQ_F_APOLL_MULTISHOT)) {
io_req_set_res(req, *ret, cflags); io_req_set_res(req, *ret, cflags);
...@@ -614,7 +613,7 @@ static inline bool io_recv_finish(struct io_kiocb *req, int *ret, ...@@ -614,7 +613,7 @@ static inline bool io_recv_finish(struct io_kiocb *req, int *ret,
io_req_set_res(req, *ret, cflags); io_req_set_res(req, *ret, cflags);
if (req->flags & REQ_F_POLLED) if (issue_flags & IO_URING_F_MULTISHOT)
*ret = IOU_STOP_MULTISHOT; *ret = IOU_STOP_MULTISHOT;
else else
*ret = IOU_OK; *ret = IOU_OK;
...@@ -773,8 +772,7 @@ int io_recvmsg(struct io_kiocb *req, unsigned int issue_flags) ...@@ -773,8 +772,7 @@ int io_recvmsg(struct io_kiocb *req, unsigned int issue_flags)
if (ret < min_ret) { if (ret < min_ret) {
if (ret == -EAGAIN && force_nonblock) { if (ret == -EAGAIN && force_nonblock) {
ret = io_setup_async_msg(req, kmsg, issue_flags); ret = io_setup_async_msg(req, kmsg, issue_flags);
if (ret == -EAGAIN && (req->flags & IO_APOLL_MULTI_POLLED) == if (ret == -EAGAIN && (issue_flags & IO_URING_F_MULTISHOT)) {
IO_APOLL_MULTI_POLLED) {
io_kbuf_recycle(req, issue_flags); io_kbuf_recycle(req, issue_flags);
return IOU_ISSUE_SKIP_COMPLETE; return IOU_ISSUE_SKIP_COMPLETE;
} }
...@@ -803,7 +801,7 @@ int io_recvmsg(struct io_kiocb *req, unsigned int issue_flags) ...@@ -803,7 +801,7 @@ int io_recvmsg(struct io_kiocb *req, unsigned int issue_flags)
if (kmsg->msg.msg_inq) if (kmsg->msg.msg_inq)
cflags |= IORING_CQE_F_SOCK_NONEMPTY; cflags |= IORING_CQE_F_SOCK_NONEMPTY;
if (!io_recv_finish(req, &ret, cflags, mshot_finished)) if (!io_recv_finish(req, &ret, cflags, mshot_finished, issue_flags))
goto retry_multishot; goto retry_multishot;
if (mshot_finished) { if (mshot_finished) {
...@@ -869,7 +867,7 @@ int io_recv(struct io_kiocb *req, unsigned int issue_flags) ...@@ -869,7 +867,7 @@ int io_recv(struct io_kiocb *req, unsigned int issue_flags)
ret = sock_recvmsg(sock, &msg, flags); ret = sock_recvmsg(sock, &msg, flags);
if (ret < min_ret) { if (ret < min_ret) {
if (ret == -EAGAIN && force_nonblock) { if (ret == -EAGAIN && force_nonblock) {
if ((req->flags & IO_APOLL_MULTI_POLLED) == IO_APOLL_MULTI_POLLED) { if (issue_flags & IO_URING_F_MULTISHOT) {
io_kbuf_recycle(req, issue_flags); io_kbuf_recycle(req, issue_flags);
return IOU_ISSUE_SKIP_COMPLETE; return IOU_ISSUE_SKIP_COMPLETE;
} }
...@@ -902,7 +900,7 @@ int io_recv(struct io_kiocb *req, unsigned int issue_flags) ...@@ -902,7 +900,7 @@ int io_recv(struct io_kiocb *req, unsigned int issue_flags)
if (msg.msg_inq) if (msg.msg_inq)
cflags |= IORING_CQE_F_SOCK_NONEMPTY; cflags |= IORING_CQE_F_SOCK_NONEMPTY;
if (!io_recv_finish(req, &ret, cflags, ret <= 0)) if (!io_recv_finish(req, &ret, cflags, ret <= 0, issue_flags))
goto retry_multishot; goto retry_multishot;
return ret; return ret;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment