* [PATCH 0/2] two 5.8 fixes
@ 2020-07-24 17:07 Pavel Begunkov
2020-07-24 17:07 ` [PATCH 1/2] io_uring: fix ->work corruption with poll_add Pavel Begunkov
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Pavel Begunkov @ 2020-07-24 17:07 UTC (permalink / raw)
To: Jens Axboe, io-uring
[2/2] is actually fixed in 5.9, but apparently it wasn't just a
speculation but rather an actual issue. It fixes locally, by moving
put out of lock, because don't see a reason why it's there.
Pavel Begunkov (2):
io_uring: fix ->work corruption with poll_add
io_uring: fix lockup in io_fail_links()
fs/io_uring.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--
2.24.0
^ permalink raw reply [flat|nested] 5+ messages in thread* [PATCH 1/2] io_uring: fix ->work corruption with poll_add
2020-07-24 17:07 [PATCH 0/2] two 5.8 fixes Pavel Begunkov
@ 2020-07-24 17:07 ` Pavel Begunkov
2020-07-24 17:15 ` Pavel Begunkov
2020-07-24 17:07 ` [PATCH 2/2] io_uring: fix lockup in io_fail_links() Pavel Begunkov
2020-07-24 19:23 ` [PATCH 0/2] two 5.8 fixes Jens Axboe
2 siblings, 1 reply; 5+ messages in thread
From: Pavel Begunkov @ 2020-07-24 17:07 UTC (permalink / raw)
To: Jens Axboe, io-uring
req->work might be already initialised by the time it gets into
__io_arm_poll_handler(), which will corrupt it be using fields that are
in an union with req->work. Luckily, the only side effect is missing
put_creds(). Clean req->work before going there.
Suggested-by: Jens Axboe <[email protected]>
Signed-off-by: Pavel Begunkov <[email protected]>
---
fs/io_uring.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index 32b0064f806e..98e8079e67e7 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -4658,6 +4658,10 @@ static int io_poll_add(struct io_kiocb *req)
struct io_poll_table ipt;
__poll_t mask;
+ /* ->work is in union with hash_node and others */
+ io_req_work_drop_env(req);
+ req->flags &= ~REQ_F_WORK_INITIALIZED;
+
INIT_HLIST_NODE(&req->hash_node);
INIT_LIST_HEAD(&req->list);
ipt.pt._qproc = io_poll_queue_proc;
--
2.24.0
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH 1/2] io_uring: fix ->work corruption with poll_add
2020-07-24 17:07 ` [PATCH 1/2] io_uring: fix ->work corruption with poll_add Pavel Begunkov
@ 2020-07-24 17:15 ` Pavel Begunkov
0 siblings, 0 replies; 5+ messages in thread
From: Pavel Begunkov @ 2020-07-24 17:15 UTC (permalink / raw)
To: Jens Axboe, io-uring
On 24/07/2020 20:07, Pavel Begunkov wrote:
> req->work might be already initialised by the time it gets into
> __io_arm_poll_handler(), which will corrupt it be using fields that are
s/be using/by using/
Jens, could you please fold it in, if the patch would do? Or let me know
and I'll resend.
> in an union with req->work. Luckily, the only side effect is missing
> put_creds(). Clean req->work before going there.
>
> Suggested-by: Jens Axboe <[email protected]>
> Signed-off-by: Pavel Begunkov <[email protected]>
> ---
> fs/io_uring.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/fs/io_uring.c b/fs/io_uring.c
> index 32b0064f806e..98e8079e67e7 100644
> --- a/fs/io_uring.c
> +++ b/fs/io_uring.c
> @@ -4658,6 +4658,10 @@ static int io_poll_add(struct io_kiocb *req)
> struct io_poll_table ipt;
> __poll_t mask;
>
> + /* ->work is in union with hash_node and others */
> + io_req_work_drop_env(req);
> + req->flags &= ~REQ_F_WORK_INITIALIZED;
> +
> INIT_HLIST_NODE(&req->hash_node);
> INIT_LIST_HEAD(&req->list);
> ipt.pt._qproc = io_poll_queue_proc;
>
--
Pavel Begunkov
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH 2/2] io_uring: fix lockup in io_fail_links()
2020-07-24 17:07 [PATCH 0/2] two 5.8 fixes Pavel Begunkov
2020-07-24 17:07 ` [PATCH 1/2] io_uring: fix ->work corruption with poll_add Pavel Begunkov
@ 2020-07-24 17:07 ` Pavel Begunkov
2020-07-24 19:23 ` [PATCH 0/2] two 5.8 fixes Jens Axboe
2 siblings, 0 replies; 5+ messages in thread
From: Pavel Begunkov @ 2020-07-24 17:07 UTC (permalink / raw)
To: Jens Axboe, io-uring
io_fail_links() doesn't consider REQ_F_COMP_LOCKED leading to nested
spin_lock(completion_lock) and lockup.
[ 197.680409] rcu: INFO: rcu_preempt detected expedited stalls on
CPUs/tasks: { 6-... } 18239 jiffies s: 1421 root: 0x40/.
[ 197.680411] rcu: blocking rcu_node structures:
[ 197.680412] Task dump for CPU 6:
[ 197.680413] link-timeout R running task 0 1669
1 0x8000008a
[ 197.680414] Call Trace:
[ 197.680420] ? io_req_find_next+0xa0/0x200
[ 197.680422] ? io_put_req_find_next+0x2a/0x50
[ 197.680423] ? io_poll_task_func+0xcf/0x140
[ 197.680425] ? task_work_run+0x67/0xa0
[ 197.680426] ? do_exit+0x35d/0xb70
[ 197.680429] ? syscall_trace_enter+0x187/0x2c0
[ 197.680430] ? do_group_exit+0x43/0xa0
[ 197.680448] ? __x64_sys_exit_group+0x18/0x20
[ 197.680450] ? do_syscall_64+0x52/0xa0
[ 197.680452] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
Signed-off-by: Pavel Begunkov <[email protected]>
---
fs/io_uring.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index 98e8079e67e7..493e5047e67c 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -4199,10 +4199,9 @@ static void io_poll_task_handler(struct io_kiocb *req, struct io_kiocb **nxt)
hash_del(&req->hash_node);
io_poll_complete(req, req->result, 0);
- req->flags |= REQ_F_COMP_LOCKED;
- io_put_req_find_next(req, nxt);
spin_unlock_irq(&ctx->completion_lock);
+ io_put_req_find_next(req, nxt);
io_cqring_ev_posted(ctx);
}
--
2.24.0
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [PATCH 0/2] two 5.8 fixes
2020-07-24 17:07 [PATCH 0/2] two 5.8 fixes Pavel Begunkov
2020-07-24 17:07 ` [PATCH 1/2] io_uring: fix ->work corruption with poll_add Pavel Begunkov
2020-07-24 17:07 ` [PATCH 2/2] io_uring: fix lockup in io_fail_links() Pavel Begunkov
@ 2020-07-24 19:23 ` Jens Axboe
2 siblings, 0 replies; 5+ messages in thread
From: Jens Axboe @ 2020-07-24 19:23 UTC (permalink / raw)
To: Pavel Begunkov, io-uring
On 7/24/20 11:07 AM, Pavel Begunkov wrote:
> [2/2] is actually fixed in 5.9, but apparently it wasn't just a
> speculation but rather an actual issue. It fixes locally, by moving
> put out of lock, because don't see a reason why it's there.
Thanks, I applied with the fixed spelling, and shuffled things around
a bit.
--
Jens Axboe
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-07-24 19:23 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-07-24 17:07 [PATCH 0/2] two 5.8 fixes Pavel Begunkov
2020-07-24 17:07 ` [PATCH 1/2] io_uring: fix ->work corruption with poll_add Pavel Begunkov
2020-07-24 17:15 ` Pavel Begunkov
2020-07-24 17:07 ` [PATCH 2/2] io_uring: fix lockup in io_fail_links() Pavel Begunkov
2020-07-24 19:23 ` [PATCH 0/2] two 5.8 fixes Jens Axboe
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox