From: Pavel Begunkov
To: io-uring@vger.kernel.org
Cc: Jens Axboe, asml.silence@gmail.com, syzbot+57e67273f92d7f5f1931@syzkaller.appspotmail.com
Subject: [PATCH 1/3] io_uring: fix nested timeout locking on disarming
Date: Wed, 20 Apr 2022 13:40:53 +0100
Message-Id: <6fe65900e689b8f5b8d60ba3fa95108138b9fb9f.1650458197.git.asml.silence@gmail.com>
X-Mailer: git-send-email 2.36.0
In-Reply-To:
References:

WARNING: possible recursive locking detected
syz-executor162/3588 is trying to acquire lock:
ffff888011a453d8 (&ctx->timeout_lock){....}-{2:2}, at: spin_lock_irq include/linux/spinlock.h:379 [inline]
ffff888011a453d8 (&ctx->timeout_lock){....}-{2:2}, at: io_disarm_next+0x545/0xaa0 fs/io_uring.c:2452

but task is already holding lock:
ffff888011a453d8 (&ctx->timeout_lock){....}-{2:2}, at: spin_lock_irq include/linux/spinlock.h:379 [inline]
ffff888011a453d8 (&ctx->timeout_lock){....}-{2:2}, at: io_kill_timeouts+0x4c/0x227 fs/io_uring.c:10432

Call Trace:
 ...
 spin_lock_irq include/linux/spinlock.h:379 [inline]
 io_disarm_next+0x545/0xaa0 fs/io_uring.c:2452
 __io_req_complete_post+0x794/0xd90 fs/io_uring.c:2200
 io_kill_timeout fs/io_uring.c:1815 [inline]
 io_kill_timeout+0x210/0x21d fs/io_uring.c:1803
 io_kill_timeouts+0xe2/0x227 fs/io_uring.c:10435
 io_ring_ctx_wait_and_kill+0x1eb/0x360 fs/io_uring.c:10462
 io_uring_release+0x42/0x46 fs/io_uring.c:10483
 __fput+0x277/0x9d0 fs/file_table.c:317
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 ...

Bring back tw (task_work) deferred request putting; it's easier than keeping
track of all the potential nested locking. However, instead of filling a CQE
on the spot as it was done before, delay that as well and post it from
io_req_complete_post() via tw.
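For illustration only, here is a minimal standalone userspace sketch of the
pattern (not io_uring code; ring_ctx, complete_post, tw_post_queue and the
deferred list are made-up analogues of ctx->timeout_lock, the completion path
and the task_work queue): completing inline re-takes a lock the caller holds,
while queueing the completion and running it after the lock is dropped does not.

#include <pthread.h>
#include <stdio.h>

struct request {
	int res;
	struct request *deferred_next;	/* models the task_work list linkage */
};

struct ring_ctx {
	pthread_mutex_t timeout_lock;	/* stand-in for ctx->timeout_lock */
	struct request *deferred;	/* completions queued for later */
};

/* Analogue of the completion path: needs timeout_lock internally. */
static void complete_post(struct ring_ctx *ctx, struct request *req)
{
	pthread_mutex_lock(&ctx->timeout_lock);	/* second acquisition */
	printf("completed req, res=%d\n", req->res);
	pthread_mutex_unlock(&ctx->timeout_lock);
}

/* Broken shape: the lock is already held, completing inline self-deadlocks. */
static void kill_timeouts_inline(struct ring_ctx *ctx, struct request *req)
{
	pthread_mutex_lock(&ctx->timeout_lock);
	/* complete_post(ctx, req); -- would deadlock here */
	pthread_mutex_unlock(&ctx->timeout_lock);
}

/* Fixed shape: only queue the completion while the lock is held. */
static void tw_post_queue(struct ring_ctx *ctx, struct request *req, int res)
{
	req->res = res;
	req->deferred_next = ctx->deferred;
	ctx->deferred = req;
}

static void kill_timeouts_deferred(struct ring_ctx *ctx, struct request *req)
{
	pthread_mutex_lock(&ctx->timeout_lock);
	tw_post_queue(ctx, req, -1);		/* cheap, no nested locking */
	pthread_mutex_unlock(&ctx->timeout_lock);

	/* the "task_work" runs later, with no locks held */
	while (ctx->deferred) {
		struct request *r = ctx->deferred;

		ctx->deferred = r->deferred_next;
		complete_post(ctx, r);
	}
}

int main(void)
{
	struct ring_ctx ctx = { .timeout_lock = PTHREAD_MUTEX_INITIALIZER };
	struct request req = { 0 };

	kill_timeouts_inline(&ctx, &req);
	kill_timeouts_deferred(&ctx, &req);
	return 0;
}

The patch below follows the deferred shape: io_req_tw_post_queue() stashes the
result in the request and lets task_work call io_req_complete_post() later.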
Reported-by: syzbot+57e67273f92d7f5f1931@syzkaller.appspotmail.com
Fixes: 78bfbdd1a497 ("io_uring: kill io_put_req_deferred()")
Signed-off-by: Pavel Begunkov
---
 fs/io_uring.c | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 3905b3ec87b8..2b9a3af9ff42 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -1214,6 +1214,7 @@ static int io_close_fixed(struct io_kiocb *req, unsigned int issue_flags);
 
 static enum hrtimer_restart io_link_timeout_fn(struct hrtimer *timer);
 static void io_eventfd_signal(struct io_ring_ctx *ctx);
+static void io_req_tw_post_queue(struct io_kiocb *req, s32 res, u32 cflags);
 
 static struct kmem_cache *req_cachep;
 
@@ -1782,7 +1783,7 @@ static void io_kill_timeout(struct io_kiocb *req, int status)
 		atomic_set(&req->ctx->cq_timeouts,
 			atomic_read(&req->ctx->cq_timeouts) + 1);
 		list_del_init(&req->timeout.list);
-		__io_req_complete_post(req, status, 0);
+		io_req_tw_post_queue(req, status, 0);
 	}
 }
 
@@ -2367,7 +2368,7 @@ static bool io_kill_linked_timeout(struct io_kiocb *req)
 		link->timeout.head = NULL;
 		if (hrtimer_try_to_cancel(&io->timer) != -1) {
 			list_del(&link->timeout.list);
-			__io_req_complete_post(link, -ECANCELED, 0);
+			io_req_tw_post_queue(link, -ECANCELED, 0);
 			return true;
 		}
 	}
@@ -2413,7 +2414,7 @@ static bool io_disarm_next(struct io_kiocb *req)
 		req->flags &= ~REQ_F_ARM_LTIMEOUT;
 		if (link && link->opcode == IORING_OP_LINK_TIMEOUT) {
 			io_remove_next_linked(req);
-			__io_req_complete_post(link, -ECANCELED, 0);
+			io_req_tw_post_queue(link, -ECANCELED, 0);
 			posted = true;
 		}
 	} else if (req->flags & REQ_F_LINK_TIMEOUT) {
@@ -2632,6 +2633,19 @@ static void io_req_task_work_add(struct io_kiocb *req, bool priority)
 	}
 }
 
+static void io_req_tw_post(struct io_kiocb *req, bool *locked)
+{
+	io_req_complete_post(req, req->cqe.res, req->cqe.flags);
+}
+
+static void io_req_tw_post_queue(struct io_kiocb *req, s32 res, u32 cflags)
+{
+	req->cqe.res = res;
+	req->cqe.flags = cflags;
+	req->io_task_work.func = io_req_tw_post;
+	io_req_task_work_add(req, false);
+}
+
 static void io_req_task_cancel(struct io_kiocb *req, bool *locked)
 {
 	/* not needed for normal modes, but SQPOLL depends on it */
-- 
2.36.0