* [PATCH AUTOSEL 5.8 07/64] io_uring: fix req->work corruption
From: Sasha Levin @ 2020-08-10 19:08 UTC
To: linux-kernel, stable
Cc: Pavel Begunkov, Jens Axboe, Sasha Levin, io-uring, linux-fsdevel
From: Pavel Begunkov <[email protected]>
[ Upstream commit 8ef77766ba8694968ed4ba24311b4bacee14f235 ]
req->work and req->task_work are in a union, so io_req_task_queue() screws
everything that was in work. De-union them for now.
[ 704.367253] BUG: unable to handle page fault for address:
ffffffffaf7330d0
[ 704.367256] #PF: supervisor write access in kernel mode
[ 704.367256] #PF: error_code(0x0003) - permissions violation
[ 704.367261] CPU: 6 PID: 1654 Comm: io_wqe_worker-0 Tainted: G
I 5.8.0-rc2-00038-ge28d0bdc4863-dirty #498
[ 704.367265] RIP: 0010:_raw_spin_lock+0x1e/0x36
...
[ 704.367276] __alloc_fd+0x35/0x150
[ 704.367279] __get_unused_fd_flags+0x25/0x30
[ 704.367280] io_openat2+0xcb/0x1b0
[ 704.367283] io_issue_sqe+0x36a/0x1320
[ 704.367294] io_wq_submit_work+0x58/0x160
[ 704.367295] io_worker_handle_work+0x2a3/0x430
[ 704.367296] io_wqe_worker+0x2a0/0x350
[ 704.367301] kthread+0x136/0x180
[ 704.367304] ret_from_fork+0x22/0x30
Signed-off-by: Pavel Begunkov <[email protected]>
Signed-off-by: Jens Axboe <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
fs/io_uring.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index 493e5047e67c9..acd98df1f7d44 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -669,12 +669,12 @@ struct io_kiocb {
* restore the work, if needed.
*/
struct {
- struct callback_head task_work;
struct hlist_node hash_node;
struct async_poll *apoll;
};
struct io_wq_work work;
};
+ struct callback_head task_work;
};
#define IO_PLUG_THRESHOLD 2
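Review bot: the relocated `struct callback_head task_work;` at the end of struct io_kiocb has no comment saying why it must not share storage with `work`, and the commit message calls the split "for now". A short comment at the new member, noting that io_req_task_queue() writes task_work while the contents of work are still needed, would keep a later size optimisation from folding it back into the union. Note also that `hash_node` and `apoll` still overlap `work` after this change, so the save/restore rule in the retained comment above them continues to apply to those two fields.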
--
2.25.1
* [PATCH AUTOSEL 5.8 61/64] io_uring: fix racy overflow count reporting
From: Sasha Levin @ 2020-08-10 19:08 UTC
To: linux-kernel, stable
Cc: Pavel Begunkov, Jens Axboe, Sasha Levin, io-uring, linux-fsdevel
From: Pavel Begunkov <[email protected]>
[ Upstream commit b2bd1cf99f3e7c8fbf12ea07af2c6998e1209e25 ]
All ->cq_overflow modifications should be under completion_lock,
otherwise it can report a wrong number to the userspace. Fix it in
io_uring_cancel_files().
Signed-off-by: Pavel Begunkov <[email protected]>
Signed-off-by: Jens Axboe <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
fs/io_uring.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index acd98df1f7d44..73f5e0a9bf2bd 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -7529,10 +7529,9 @@ static void io_uring_cancel_files(struct io_ring_ctx *ctx,
clear_bit(0, &ctx->cq_check_overflow);
ctx->rings->sq_flags &= ~IORING_SQ_CQ_OVERFLOW;
}
- spin_unlock_irq(&ctx->completion_lock);
-
WRITE_ONCE(ctx->rings->cq_overflow,
atomic_inc_return(&ctx->cached_cq_overflow));
+ spin_unlock_irq(&ctx->completion_lock);
/*
* Put inflight ref and overflow ref. If that's
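Review bot: the locking rule this hunk enforces in io_uring_cancel_files(), that ->cq_overflow is only modified under completion_lock, is recorded only in the commit message. Nothing at the moved `spin_unlock_irq(&ctx->completion_lock);` or at the WRITE_ONCE() tells the next reader that the ordering is deliberate. A one-line comment above the WRITE_ONCE() stating that the store must stay inside the lock would make it harder to reintroduce the race when this block is next touched. Style: the hunk also drops the blank line, so the unlock now sits directly against the following comment block; keeping one blank line after the unlock would read better.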
--
2.25.1
* [PATCH AUTOSEL 5.8 62/64] io_uring: fix stalled deferred requests
From: Sasha Levin @ 2020-08-10 19:08 UTC
To: linux-kernel, stable
Cc: Pavel Begunkov, Jens Axboe, Sasha Levin, linux-fsdevel, io-uring
From: Pavel Begunkov <[email protected]>
[ Upstream commit dd9dfcdf5a603680458f5e7b0d2273c66e5417db ]
Always do io_commit_cqring() after completing a request, even if it was
accounted as overflowed on the CQ side. Failing to do that may lead to
not pushing deferred requests when needed, and so stalling the whole
ring.
Signed-off-by: Pavel Begunkov <[email protected]>
Signed-off-by: Jens Axboe <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
fs/io_uring.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index 73f5e0a9bf2bd..be790f3f13b5c 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -7531,6 +7531,7 @@ static void io_uring_cancel_files(struct io_ring_ctx *ctx,
}
WRITE_ONCE(ctx->rings->cq_overflow,
atomic_inc_return(&ctx->cached_cq_overflow));
+ io_commit_cqring(ctx);
spin_unlock_irq(&ctx->completion_lock);
/*
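Review bot: the context around the added `io_commit_cqring(ctx);`, where the WRITE_ONCE() is followed directly by `spin_unlock_irq(&ctx->completion_lock);`, exists only after 61/64 has been applied (the index line starts from 73f5e0a9bf2bd, the result of that patch). For the stable queue the two therefore need to be taken together and in order. The new call is placed after the closing brace of the preceding block and before the unlock, so it runs unconditionally and under completion_lock, which matches the "always" in the commit message. The reason it is needed, pushing deferred requests even when the completion was accounted as an overflow, is not visible at the call site, and a short comment there would keep it from being dropped later as redundant.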
--
2.25.1