git.itanic.dy.fi Git - linux-stable/commit

author	Xiaoguang Wang <xiaoguang.wang@linux.alibaba.com>
	Thu, 18 Jun 2020 07:01:56 +0000 (15:01 +0800)
committer	Jens Axboe <axboe@kernel.dk>
	Thu, 18 Jun 2020 14:32:44 +0000 (08:32 -0600)
commit	6f2cc1664db20676069cff27a461ccc97dbfd114
tree	03f8e94c146b804f87b40ffa3f84b08d13f065d8	tree \| snapshot
parent	56952e91acc93ed624fe9da840900defb75f1323	commit \| diff

io_uring: fix possible race condition against REQ_F_NEED_CLEANUP

In io_read() or io_write(), when io request is submitted successfully,
it'll go through the below sequence:

    kfree(iovec);
    req->flags &= ~REQ_F_NEED_CLEANUP;
    return ret;

But clearing REQ_F_NEED_CLEANUP might be unsafe. The io request may
already have been completed, and then io_complete_rw_iopoll()
and io_complete_rw() will be called, both of which will also modify
req->flags if needed. This causes a race condition, with concurrent
non-atomic modification of req->flags.

To eliminate this race, in io_read() or io_write(), if io request is
submitted successfully, we don't remove REQ_F_NEED_CLEANUP flag. If
REQ_F_NEED_CLEANUP is set, we'll leave __io_req_aux_free() to the
iovec cleanup work correspondingly.

Cc: stable@vger.kernel.org
Signed-off-by: Xiaoguang Wang <xiaoguang.wang@linux.alibaba.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>