linux-next/io_uring
Joseph Qi 54aa7f2330 io_uring: fix fget leak when fs don't support nowait buffered read
Heming reported a BUG when using io_uring doing link-cp on ocfs2. [1]

Do the following steps can reproduce this BUG:
mount -t ocfs2 /dev/vdc /mnt/ocfs2
cp testfile /mnt/ocfs2/
./link-cp /mnt/ocfs2/testfile /mnt/ocfs2/testfile.1
umount /mnt/ocfs2

Then umount will fail, and it outputs:
umount: /mnt/ocfs2: target is busy.

While tracing umount, it blames mnt_get_count() not return as expected.
Do a deep investigation for fget()/fput() on related code flow, I've
finally found that fget() leaks since ocfs2 doesn't support nowait
buffered read.

io_issue_sqe
|-io_assign_file  // do fget() first
  |-io_read
  |-io_iter_do_read
    |-ocfs2_file_read_iter  // return -EOPNOTSUPP
  |-kiocb_done
    |-io_rw_done
      |-__io_complete_rw_common  // set REQ_F_REISSUE
    |-io_resubmit_prep
      |-io_req_prep_async  // override req->file, leak happens

This was introduced by commit a196c78b54 in v5.18. Fix it by don't
re-assign req->file if it has already been assigned.

[1] https://lore.kernel.org/ocfs2-devel/ab580a75-91c8-d68a-3455-40361be1bfa8@linux.alibaba.com/T/#t

Fixes: a196c78b54 ("io_uring: assign non-fixed early for async work")
Cc: <stable@vger.kernel.org>
Reported-by: Heming Zhao <heming.zhao@suse.com>
Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Xiaoguang Wang <xiaoguang.wang@linux.alibaba.com>
Link: https://lore.kernel.org/r/20230228045459.13524-1-joseph.qi@linux.alibaba.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2023-02-28 05:58:42 -07:00
..
advise.c io_uring: always go async for unsupported fadvise flags 2023-01-29 15:18:26 -07:00
advise.h io_uring: split out fadvise/madvise operations 2022-07-24 18:39:11 -06:00
alloc_cache.h io_uring: impose max limit on apoll cache 2022-07-24 18:39:17 -06:00
cancel.c io_uring/cancel: re-grab ctx mutex after finishing wait 2022-12-21 13:31:40 -07:00
cancel.h io_uring: add sync cancelation API through io_uring_register() 2022-07-24 18:39:15 -06:00
epoll.c io_uring: make io_kiocb_to_cmd() typesafe 2022-08-12 17:01:00 -06:00
epoll.h io_uring: move epoll handler to its own file 2022-07-24 18:39:11 -06:00
fdinfo.c io_uring/fdinfo: include locked hash table in fdinfo output 2023-01-10 10:24:52 -07:00
fdinfo.h io_uring: move fdinfo helpers to its own file 2022-07-24 18:39:12 -06:00
filetable.c io_uring/filetable: fix file reference underflow 2022-11-25 06:54:46 -07:00
filetable.h io_uring: kill hot path fixed file bitmap debug checks 2022-10-16 17:07:53 -06:00
fs.c io_uring: for requests that require async, force it 2023-01-29 15:18:26 -07:00
fs.h io_uring: split out filesystem related operations 2022-07-24 18:39:11 -06:00
io_uring.c io_uring: fix fget leak when fs don't support nowait buffered read 2023-02-28 05:58:42 -07:00
io_uring.h io_uring: mark task TASK_RUNNING before handling resume/task work 2023-02-06 08:23:21 -07:00
io-wq.c io_uring/io-wq: only free worker if it was allocated for creation 2023-01-08 10:39:17 -07:00
io-wq.h io_uring: move list helpers to a separate file 2022-07-24 18:39:15 -06:00
kbuf.c io_uring: fix size calculation when registering buf ring 2023-02-22 09:57:23 -07:00
kbuf.h io_uring: allow buffer recycling in READV 2022-09-21 10:30:43 -06:00
Makefile io_uring: add zc notification infrastructure 2022-07-24 18:41:06 -06:00
msg_ring.c io_uring/msg-ring: ensure flags passing works for task_work completions 2023-01-29 15:17:41 -07:00
msg_ring.h io_uring: get rid of double locking 2022-12-07 06:47:13 -07:00
net.c io_uring: remove MSG_NOSIGNAL from recvmsg 2023-02-24 12:59:02 -07:00
net.h io_uring/net: zerocopy sendmsg 2022-09-21 13:15:02 -06:00
nop.c io_uring: kill extra io_uring_types.h includes 2022-07-24 18:39:14 -06:00
nop.h io_uring: move nop into its own file 2022-07-24 18:39:11 -06:00
notif.c io_uring: refactor req allocation 2023-01-29 15:17:41 -07:00
notif.h io_uring: move zc reporting from the hot path 2022-11-21 07:38:31 -07:00
opdef.c io_uring,audit: don't log IORING_OP_MADVISE 2023-02-10 16:00:30 -07:00
opdef.h io_uring: Split io_issue_def struct 2023-01-29 15:17:41 -07:00
openclose.c io_uring: always go async for unsupported open flags 2023-01-29 15:18:26 -07:00
openclose.h io_uring: split out fixed file installation and removal 2022-07-24 18:39:16 -06:00
poll.c io_uring/poll: allow some retries for poll triggering spuriously 2023-02-25 20:10:13 -07:00
poll.h io_uring/poll: allow some retries for poll triggering spuriously 2023-02-25 20:10:13 -07:00
refs.h io_uring: make io_uring_types.h public 2022-07-24 18:39:14 -06:00
rsrc.c io_uring/rsrc: always initialize 'folio' to NULL 2023-02-24 12:58:31 -07:00
rsrc.h io_uring: use tw for putting rsrc 2022-12-07 06:47:13 -07:00
rw.c for-6.3/iter-ubuf-2023-02-16 2023-02-20 14:03:57 -08:00
rw.h io_uring/rw: don't lose partial IO result on fail 2022-09-21 13:15:02 -06:00
slist.h io_uring: remove unused wq_list_merge 2023-02-22 09:57:23 -07:00
splice.c io_uring: for requests that require async, force it 2023-01-29 15:18:26 -07:00
splice.h io_uring: split out splice related operations 2022-07-24 18:39:11 -06:00
sqpoll.c io_uring: make io_sqpoll_wait_sq return void 2023-01-29 15:17:40 -07:00
sqpoll.h io_uring: make io_sqpoll_wait_sq return void 2023-01-29 15:17:40 -07:00
statx.c io_uring: for requests that require async, force it 2023-01-29 15:18:26 -07:00
statx.h io_uring: move statx handling to its own file 2022-07-24 18:39:11 -06:00
sync.c io_uring: for requests that require async, force it 2023-01-29 15:18:26 -07:00
sync.h io_uring: split out fs related sync/fallocate functions 2022-07-24 18:39:11 -06:00
tctx.c io_uring: rename 'in_idle' to 'in_cancel' 2023-02-22 09:57:23 -07:00
tctx.h io_uring: simplify __io_uring_add_tctx_node 2022-10-07 12:25:30 -06:00
timeout.c io_uring: ease timeout flush locking requirements 2022-12-14 08:53:35 -07:00
timeout.h io_uring: remove unused return from io_disarm_next 2022-09-21 13:15:01 -06:00
uring_cmd.c io_uring: iopoll protect complete_post 2022-11-23 10:45:31 -07:00
uring_cmd.h io_uring: move uring_cmd handling to its own file 2022-07-24 18:39:11 -06:00
xattr.c io_uring: for requests that require async, force it 2023-01-29 15:18:26 -07:00
xattr.h io_uring: move xattr related opcodes to its own file 2022-07-24 18:39:11 -06:00