xref: /aosp_15_r20/external/liburing/test/ring-leak.c (revision 25da2bea747f3a93b4c30fd9708b0618ef55a0e6)
1 /* SPDX-License-Identifier: MIT */
2 /*
3  * Based on description from Al Viro - this demonstrates a leak of the
4  * io_uring instance, by sending the io_uring fd over a UNIX socket.
5  *
6  * See:
7  *
8  * https://lore.kernel.org/linux-block/[email protected]/T/#m6c87fc64e4d063786af6ec6fadce3ac1e95d3184
9  *
10  */
11 #include <stdio.h>
12 #include <stdlib.h>
13 #include <stddef.h>
14 #include <signal.h>
15 #include <inttypes.h>
16 #include <sys/types.h>
17 #include <sys/syscall.h>
18 #include <sys/socket.h>
19 #include <sys/wait.h>
20 #include <fcntl.h>
21 #include <unistd.h>
22 #include <string.h>
23 #include <linux/fs.h>
24 
25 #include "liburing.h"
26 #include "../src/syscall.h"
27 
/*
 * Register exactly two descriptors, @fd1 and @fd2, as the fixed-file table
 * of the ring behind @ring_fd, going through the raw register syscall
 * wrapper instead of a struct io_uring.
 *
 * Returns whatever __sys_io_uring_register() returns.
 */
static int __io_uring_register_files(int ring_fd, int fd1, int fd2)
{
	__s32 table[2];

	table[0] = fd1;
	table[1] = fd2;

	return __sys_io_uring_register(ring_fd, IORING_REGISTER_FILES, table, 2);
}
34 
/*
 * Create a 2-entry io_uring with zeroed parameters via the raw setup
 * syscall wrapper and hand back the bare ring descriptor. Only the setup
 * call is made here; the caller owns the descriptor and must close it.
 *
 * Returns the ring fd, or -1 after printing the error with perror().
 */
static int get_ring_fd(void)
{
	struct io_uring_params params;
	int ring_fd;

	memset(&params, 0, sizeof(params));

	ring_fd = __sys_io_uring_setup(2, &params);
	if (ring_fd >= 0)
		return ring_fd;

	perror("io_uring_setup");
	return -1;
}
50 
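/*
 * Pass a reference to the open file behind @fd across the UNIX socket
 * @socket as SCM_RIGHTS ancillary data. No regular payload is attached
 * (msg_iov stays empty), so this is only suitable for datagram sockets as
 * used in this file.
 *
 * SCM_RIGHTS gives the receiving side its own descriptor for the same open
 * file. Until the message is received the file stays referenced by the
 * queued message, even if the sender closes @fd; the tests in this file use
 * that to keep an io_uring fd "in flight".
 *
 * A sendmsg() failure is only reported with perror(); nothing is returned.
 */
static void send_fd(int socket, int fd)
{
	/*
	 * cmsg(3) idiom: the union forces the control buffer to the
	 * alignment struct cmsghdr needs, which a bare char array does not
	 * guarantee.
	 */
	union {
		char buf[CMSG_SPACE(sizeof(fd))];
		struct cmsghdr align;
	} ctl;
	struct cmsghdr *cmsg;
	struct msghdr msg;

	memset(&ctl, 0, sizeof(ctl));
	memset(&msg, 0, sizeof(msg));

	/* sizeof(ctl.buf) is CMSG_SPACE(sizeof(fd)): room for one descriptor */
	msg.msg_control = ctl.buf;
	msg.msg_controllen = sizeof(ctl.buf);

	cmsg = CMSG_FIRSTHDR(&msg);
	cmsg->cmsg_level = SOL_SOCKET;
	cmsg->cmsg_type = SCM_RIGHTS;
	cmsg->cmsg_len = CMSG_LEN(sizeof(fd));

	/* source and destination never overlap, so a plain copy is enough */
	memcpy(CMSG_DATA(cmsg), &fd, sizeof(fd));

	if (sendmsg(socket, &msg, 0) < 0)
		perror("sendmsg");
}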
75 
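/*
 * Tear a ring down while two reads on a registered pipe are still pending,
 * then wait until the ring has actually released its registered files.
 *
 * Both ends of a pipe are registered as fixed files and the process's own
 * write descriptor is closed, so the ring's file table is the only thing
 * left holding the write end. Two reads are queued on fixed file 0 (the
 * read end); nothing ever writes, so neither can complete with data.
 * After io_uring_queue_exit() the blocking read() on the read end returns
 * only once the write end is gone, i.e. once the pending requests were
 * cancelled and the table was dropped.
 *
 * Returns 0 on success and non-zero on any setup failure. Failure paths
 * release the pipe and the ring before returning.
 */
static int test_iowq_request_cancel(void)
{
	char buffer[128];
	struct io_uring ring;
	struct io_uring_sqe *sqe;
	int ret, fds[2];

	ret = io_uring_queue_init(8, &ring, 0);
	if (ret < 0) {
		fprintf(stderr, "failed to init io_uring: %s\n", strerror(-ret));
		return ret;
	}
	if (pipe(fds)) {
		perror("pipe");
		io_uring_queue_exit(&ring);
		return -1;
	}
	ret = io_uring_register_files(&ring, fds, 2);
	if (ret) {
		fprintf(stderr, "file_register: %d\n", ret);
		close(fds[1]);
		goto err;
	}
	/* from here on only the ring's fixed-file table holds the write end */
	close(fds[1]);

	sqe = io_uring_get_sqe(&ring);
	if (!sqe) {
		fprintf(stderr, "%s: failed to get sqe\n", __FUNCTION__);
		ret = 1;
		goto err;
	}
	/* potentially sitting in internal polling */
	io_uring_prep_read(sqe, 0, buffer, 10, 0);
	sqe->flags |= IOSQE_FIXED_FILE;

	sqe = io_uring_get_sqe(&ring);
	if (!sqe) {
		fprintf(stderr, "%s: failed to get sqe\n", __FUNCTION__);
		ret = 1;
		goto err;
	}
	/* staying in io-wq */
	io_uring_prep_read(sqe, 0, buffer, 10, 0);
	sqe->flags |= IOSQE_FIXED_FILE | IOSQE_ASYNC;

	ret = io_uring_submit(&ring);
	if (ret != 2) {
		/* two SQEs were queued, so two is the expected count */
		fprintf(stderr, "%s: got %d, wanted 2\n", __FUNCTION__, ret);
		ret = 1;
		goto err;
	}

	/* should unregister files and close the write fd */
	io_uring_queue_exit(&ring);

	/*
	 * The ring's real exit happens asynchronously. Wait for it by
	 * reading from the pipe: the read cannot return until the registered
	 * write end has been closed as part of ring quiesce.
	 */
	ret = read(fds[0], buffer, 10);
	if (ret < 0)
		perror("read");
	close(fds[0]);
	return 0;

err:
	close(fds[0]);
	io_uring_queue_exit(&ring);
	return ret;
}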
137 
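/*
 * Build a reference cycle between a ring and a UNIX socket pair, drop every
 * user-space descriptor, and wait for the ring to be torn down anyway.
 *
 * The ring's own fd is queued on the socket pair with send_fd() and is
 * never received, and both sockets (plus both pipe ends) are then
 * registered as fixed files of that same ring. The ring therefore holds the
 * sockets while a message queued on the sockets holds the ring. Once the
 * process closes its descriptors and exits the ring, releasing the cycle is
 * left to the kernel; the test observes it through the pipe, whose write
 * end is only held by the ring's file table at that point.
 *
 * @update: when true, register an empty 4-slot table first and install the
 *          descriptors with io_uring_register_files_update(); otherwise
 *          register them directly.
 *
 * Returns 0 on success and non-zero on any setup failure. Failure paths
 * close the descriptors and exit the ring before returning.
 */
static int test_scm_cycles(bool update)
{
	char buffer[128];
	struct io_uring ring;
	int i, ret;
	int sp[2], fds[2], reg_fds[4];

	if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sp) != 0) {
		perror("Failed to create Unix-domain socket pair\n");
		return 1;
	}
	ret = io_uring_queue_init(8, &ring, 0);
	if (ret < 0) {
		fprintf(stderr, "failed to init io_uring: %s\n", strerror(-ret));
		close(sp[0]);
		close(sp[1]);
		return ret;
	}
	if (pipe(fds)) {
		perror("pipe");
		io_uring_queue_exit(&ring);
		close(sp[0]);
		close(sp[1]);
		return -1;
	}
	/* put the ring fd in flight on the socket pair; nobody receives it */
	send_fd(sp[0], ring.ring_fd);

	/* register an empty set for updates */
	if (update) {
		for (i = 0; i < 4; i++)
			reg_fds[i] = -1;
		ret = io_uring_register_files(&ring, reg_fds, 4);
		if (ret) {
			fprintf(stderr, "file_register: %d\n", ret);
			goto err;
		}
	}

	/* the sockets carrying the ring fd become fixed files of that ring */
	reg_fds[0] = fds[0];
	reg_fds[1] = fds[1];
	reg_fds[2] = sp[0];
	reg_fds[3] = sp[1];
	if (update) {
		ret = io_uring_register_files_update(&ring, 0, reg_fds, 4);
		if (ret != 4) {
			fprintf(stderr, "file_register: %d\n", ret);
			/*
			 * A short update count is >= 0; returning it as-is
			 * could report 0 and make the caller see success.
			 */
			if (ret >= 0)
				ret = 1;
			goto err;
		}
	} else {
		ret = io_uring_register_files(&ring, reg_fds, 4);
		if (ret) {
			fprintf(stderr, "file_register: %d\n", ret);
			goto err;
		}
	}

	/* drop every user-space reference except the pipe's read end */
	close(fds[1]);
	close(sp[0]);
	close(sp[1]);

	/* should unregister files and close the write fd */
	io_uring_queue_exit(&ring);

	/*
	 * The ring's real exit happens asynchronously. Wait for it by
	 * reading from the pipe: the read cannot return until the registered
	 * write end has been closed as part of ring quiesce.
	 */
	ret = read(fds[0], buffer, 10);
	if (ret < 0)
		perror("read");
	close(fds[0]);
	return 0;

err:
	close(fds[0]);
	close(fds[1]);
	close(sp[0]);
	close(sp[1]);
	io_uring_queue_exit(&ring);
	return ret;
}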
207 
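/*
 * Run the two helper tests, then reproduce the scenario from the file
 * header: create a ring, register both ends of a UNIX socket pair with it,
 * fork, and have the parent queue the ring fd on that same socket pair
 * before every descriptor is closed. The queued ring fd is never received,
 * so when both processes exit the ring and the sockets reference each
 * other with no user-space descriptor left; cleaning that up is the
 * kernel's job and is what this test exercises.
 *
 * Returns 0 on success (or immediately when any argument is given), 1 on
 * failure.
 */
int main(int argc, char *argv[])
{
	int sp[2], pid, ring_fd, ret;
	int i;

	if (argc > 1)
		return 0;

	ret = test_iowq_request_cancel();
	if (ret) {
		fprintf(stderr, "test_iowq_request_cancel() failed\n");
		return 1;
	}

	for (i = 0; i < 2; i++) {
		bool update = !!(i & 1);

		ret = test_scm_cycles(update);
		if (ret) {
			fprintf(stderr, "test_scm_cycles() failed %i\n",
				update);
			return 1;
		}
		/*
		 * NOTE(review): this break ends the loop after the first
		 * pass, so only update == false is ever exercised. It looks
		 * deliberate but the reason is not recorded here - confirm.
		 */
		break;
	}

	if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sp) != 0) {
		perror("Failed to create Unix-domain socket pair\n");
		return 1;
	}

	ring_fd = get_ring_fd();
	if (ring_fd < 0)
		return 1;

	/* the ring now holds a reference on both sockets */
	ret = __io_uring_register_files(ring_fd, sp[0], sp[1]);
	if (ret < 0) {
		perror("register files");
		return 1;
	}

	pid = fork();
	if (pid < 0) {
		/* without this check a failed fork would run the parent branch */
		perror("fork");
		return 1;
	}
	/* parent only: queue the ring fd on a socket the ring itself holds */
	if (pid)
		send_fd(sp[0], ring_fd);

	/* both processes drop their descriptors; the child is not waited for */
	close(ring_fd);
	close(sp[0]);
	close(sp[1]);
	return 0;
}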
258