    io_uring: fix io_try_cancel_userdata race for iowq · dadebc35
    Committed by Pavel Begunkov
    WARNING: CPU: 1 PID: 5870 at fs/io_uring.c:5975 io_try_cancel_userdata+0x30f/0x540 fs/io_uring.c:5975
    CPU: 0 PID: 5870 Comm: iou-wrk-5860 Not tainted 5.14.0-rc6-next-20210820-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    RIP: 0010:io_try_cancel_userdata+0x30f/0x540 fs/io_uring.c:5975
    Call Trace:
     io_async_cancel fs/io_uring.c:6014 [inline]
     io_issue_sqe+0x22d5/0x65a0 fs/io_uring.c:6407
     io_wq_submit_work+0x1dc/0x300 fs/io_uring.c:6511
     io_worker_handle_work+0xa45/0x1840 fs/io-wq.c:533
     io_wqe_worker+0x2cc/0xbb0 fs/io-wq.c:582
     ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
    
    io_try_cancel_userdata() can be called from io_async_cancel() executing
    in the io-wq context, so the warning fires, which is there to alert
    anyone accessing task->io_uring->io_wq in a racy way. However,
    io_wq_put_and_exit() always first waits for all threads to complete,
    so the only detail left is to zero tctx->io_wq after the context is
    removed.
    
    note: one little assumption is that when IO_WQ_WORK_CANCEL, the executor
    won't touch ->io_wq, because io_wq_destroy() might cancel left pending
    requests in such a way.
    
    Cc: stable@vger.kernel.org
    Reported-by: syzbot+b0c9d1588ae92866515f@syzkaller.appspotmail.com
    Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
    Link: https://lore.kernel.org/r/dfdd37a80cfa9ffd3e59538929c99cdd55d8699e.1629721757.git.asml.silence@gmail.com
    Signed-off-by: Jens Axboe <axboe@kernel.dk>