1 /* SPDX-License-Identifier: MIT */
2 /*
3 * Based on description from Al Viro - this demonstrates a leak of the
4 * io_uring instance, by sending the io_uring fd over a UNIX socket.
5 *
6 * See:
7 *
8 * https://lore.kernel.org/linux-block/20190129192702.3605-1-axboe@kernel.dk/T/#m6c87fc64e4d063786af6ec6fadce3ac1e95d3184
9 *
10 */
11 #include <stdio.h>
12 #include <stdlib.h>
13 #include <stddef.h>
14 #include <signal.h>
15 #include <inttypes.h>
16 #include <sys/types.h>
17 #include <sys/syscall.h>
18 #include <sys/socket.h>
19 #include <sys/wait.h>
20 #include <fcntl.h>
21 #include <unistd.h>
22 #include <string.h>
23 #include <linux/fs.h>
24
25 #include "liburing.h"
26 #include "helpers.h"
27 #include "../src/syscall.h"
28
__io_uring_register_files(int ring_fd,int fd1,int fd2)29 static int __io_uring_register_files(int ring_fd, int fd1, int fd2)
30 {
31 __s32 fds[2] = { fd1, fd2 };
32
33 return __sys_io_uring_register(ring_fd, IORING_REGISTER_FILES, fds, 2);
34 }
35
get_ring_fd(void)36 static int get_ring_fd(void)
37 {
38 struct io_uring_params p;
39 int fd;
40
41 memset(&p, 0, sizeof(p));
42
43 fd = __sys_io_uring_setup(2, &p);
44 if (fd < 0) {
45 perror("io_uring_setup");
46 return -1;
47 }
48
49 return fd;
50 }
51
send_fd(int socket,int fd)52 static int send_fd(int socket, int fd)
53 {
54 char buf[CMSG_SPACE(sizeof(fd))];
55 struct cmsghdr *cmsg;
56 struct msghdr msg;
57
58 memset(buf, 0, sizeof(buf));
59 memset(&msg, 0, sizeof(msg));
60
61 msg.msg_control = buf;
62 msg.msg_controllen = sizeof(buf);
63
64 cmsg = CMSG_FIRSTHDR(&msg);
65 cmsg->cmsg_level = SOL_SOCKET;
66 cmsg->cmsg_type = SCM_RIGHTS;
67 cmsg->cmsg_len = CMSG_LEN(sizeof(fd));
68
69 memmove(CMSG_DATA(cmsg), &fd, sizeof(fd));
70
71 msg.msg_controllen = CMSG_SPACE(sizeof(fd));
72
73 if (sendmsg(socket, &msg, 0) < 0) {
74 if (errno == EINVAL)
75 return T_EXIT_SKIP;
76 perror("sendmsg");
77 return T_EXIT_FAIL;
78 }
79
80 return T_EXIT_PASS;
81 }
82
test_iowq_request_cancel(void)83 static int test_iowq_request_cancel(void)
84 {
85 char buffer[128];
86 struct io_uring ring;
87 struct io_uring_sqe *sqe;
88 int ret, fds[2];
89
90 ret = io_uring_queue_init(8, &ring, 0);
91 if (ret < 0) {
92 fprintf(stderr, "failed to init io_uring: %s\n", strerror(-ret));
93 return ret;
94 }
95 if (pipe(fds)) {
96 perror("pipe");
97 return -1;
98 }
99 ret = io_uring_register_files(&ring, fds, 2);
100 if (ret) {
101 fprintf(stderr, "file_register: %d\n", ret);
102 return ret;
103 }
104 close(fds[1]);
105
106 sqe = io_uring_get_sqe(&ring);
107 if (!sqe) {
108 fprintf(stderr, "%s: failed to get sqe\n", __FUNCTION__);
109 return 1;
110 }
111 /* potentially sitting in internal polling */
112 io_uring_prep_read(sqe, 0, buffer, 10, 0);
113 sqe->flags |= IOSQE_FIXED_FILE;
114
115 sqe = io_uring_get_sqe(&ring);
116 if (!sqe) {
117 fprintf(stderr, "%s: failed to get sqe\n", __FUNCTION__);
118 return 1;
119 }
120 /* staying in io-wq */
121 io_uring_prep_read(sqe, 0, buffer, 10, 0);
122 sqe->flags |= IOSQE_FIXED_FILE | IOSQE_ASYNC;
123
124 ret = io_uring_submit(&ring);
125 if (ret != 2) {
126 fprintf(stderr, "%s: got %d, wanted 1\n", __FUNCTION__, ret);
127 return 1;
128 }
129
130 /* should unregister files and close the write fd */
131 io_uring_queue_exit(&ring);
132
133 /*
134 * We're trying to wait for the ring to "really" exit, that will be
135 * done async. For that rely on the registered write end to be closed
136 * after ring quiesce, so failing read from the other pipe end.
137 */
138 ret = read(fds[0], buffer, 10);
139 if (ret < 0)
140 perror("read");
141 close(fds[0]);
142 return 0;
143 }
144
trigger_unix_gc(void)145 static void trigger_unix_gc(void)
146 {
147 int fd;
148
149 fd = socket(AF_UNIX, SOCK_DGRAM, 0);
150 if (fd < 0)
151 perror("socket dgram");
152 else
153 close(fd);
154 }
155
test_scm_cycles(bool update)156 static int test_scm_cycles(bool update)
157 {
158 char buffer[128];
159 struct io_uring ring;
160 int i, ret;
161 int sp[2], fds[2], reg_fds[4];
162
163 if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sp) != 0) {
164 perror("Failed to create Unix-domain socket pair\n");
165 return 1;
166 }
167 ret = io_uring_queue_init(8, &ring, 0);
168 if (ret < 0) {
169 fprintf(stderr, "failed to init io_uring: %s\n", strerror(-ret));
170 return ret;
171 }
172 if (pipe(fds)) {
173 perror("pipe");
174 return -1;
175 }
176 ret = send_fd(sp[0], ring.ring_fd);
177 if (ret != T_EXIT_PASS)
178 return ret;
179
180 /* register an empty set for updates */
181 if (update) {
182 for (i = 0; i < 4; i++)
183 reg_fds[i] = -1;
184 ret = io_uring_register_files(&ring, reg_fds, 4);
185 if (ret) {
186 fprintf(stderr, "file_register: %d\n", ret);
187 return ret;
188 }
189 }
190
191 reg_fds[0] = fds[0];
192 reg_fds[1] = fds[1];
193 reg_fds[2] = sp[0];
194 reg_fds[3] = sp[1];
195 if (update) {
196 ret = io_uring_register_files_update(&ring, 0, reg_fds, 4);
197 if (ret != 4) {
198 fprintf(stderr, "file_register: %d\n", ret);
199 return ret;
200 }
201 } else {
202 ret = io_uring_register_files(&ring, reg_fds, 4);
203 if (ret) {
204 fprintf(stderr, "file_register: %d\n", ret);
205 return ret;
206 }
207 }
208
209 close(fds[1]);
210 close(sp[0]);
211 close(sp[1]);
212
213 /* should unregister files and close the write fd */
214 io_uring_queue_exit(&ring);
215
216 trigger_unix_gc();
217
218 /*
219 * We're trying to wait for the ring to "really" exit, that will be
220 * done async. For that rely on the registered write end to be closed
221 * after ring quiesce, so failing read from the other pipe end.
222 */
223 ret = read(fds[0], buffer, 10);
224 if (ret < 0)
225 perror("read");
226 close(fds[0]);
227 return 0;
228 }
229
main(int argc,char * argv[])230 int main(int argc, char *argv[])
231 {
232 int sp[2], pid, ring_fd, ret;
233 int i;
234
235 if (argc > 1)
236 return 0;
237
238 ret = test_iowq_request_cancel();
239 if (ret) {
240 fprintf(stderr, "test_iowq_request_cancel() failed\n");
241 return 1;
242 }
243
244 for (i = 0; i < 2; i++) {
245 bool update = !!(i & 1);
246
247 ret = test_scm_cycles(update);
248 if (ret == T_EXIT_SKIP)
249 return T_EXIT_SKIP;
250 if (ret) {
251 fprintf(stderr, "test_scm_cycles() failed %i\n",
252 update);
253 return 1;
254 }
255 }
256
257 if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sp) != 0) {
258 perror("Failed to create Unix-domain socket pair\n");
259 return 1;
260 }
261
262 ring_fd = get_ring_fd();
263 if (ring_fd < 0)
264 return 1;
265
266 ret = __io_uring_register_files(ring_fd, sp[0], sp[1]);
267 if (ret < 0) {
268 perror("register files");
269 return 1;
270 }
271
272 pid = fork();
273 if (pid) {
274 ret = send_fd(sp[0], ring_fd);
275 if (ret != T_EXIT_PASS)
276 return ret;
277 }
278
279 close(ring_fd);
280 close(sp[0]);
281 close(sp[1]);
282 return 0;
283 }
284