1. 16 6月, 2021 5 次提交
  2. 14 6月, 2021 24 次提交
  3. 11 6月, 2021 2 次提交
  4. 30 5月, 2021 1 次提交
  5. 27 5月, 2021 1 次提交
    • M
      io_uring: fix data race to avoid potential NULL-deref · b16ef427
      Marco Elver 提交于
      Commit ba5ef6dc ("io_uring: fortify tctx/io_wq cleanup") introduced
      setting tctx->io_wq to NULL a bit earlier. This has caused KCSAN to
      detect a data race between accesses to tctx->io_wq:
      
        write to 0xffff88811d8df330 of 8 bytes by task 3709 on cpu 1:
         io_uring_clean_tctx                  fs/io_uring.c:9042 [inline]
         __io_uring_cancel                    fs/io_uring.c:9136
         io_uring_files_cancel                include/linux/io_uring.h:16 [inline]
         do_exit                              kernel/exit.c:781
         do_group_exit                        kernel/exit.c:923
         get_signal                           kernel/signal.c:2835
         arch_do_signal_or_restart            arch/x86/kernel/signal.c:789
         handle_signal_work                   kernel/entry/common.c:147 [inline]
         exit_to_user_mode_loop               kernel/entry/common.c:171 [inline]
         ...
        read to 0xffff88811d8df330 of 8 bytes by task 6412 on cpu 0:
         io_uring_try_cancel_iowq             fs/io_uring.c:8911 [inline]
         io_uring_try_cancel_requests         fs/io_uring.c:8933
         io_ring_exit_work                    fs/io_uring.c:8736
         process_one_work                     kernel/workqueue.c:2276
         ...
      
      With the config used, KCSAN only reports data races with value changes:
      this implies that in the case here we also know that tctx->io_wq was
      non-NULL. Therefore, depending on interleaving, we may end up with:
      
                    [CPU 0]                 |        [CPU 1]
        io_uring_try_cancel_iowq()          | io_uring_clean_tctx()
          if (!tctx->io_wq) // false        |   ...
          ...                               |   tctx->io_wq = NULL
          io_wq_cancel_cb(tctx->io_wq, ...) |   ...
            -> NULL-deref                   |
      
      Note: It is likely that thus far we've gotten lucky and the compiler
      optimizes the double-read into a single read into a register -- but this
      is never guaranteed, and can easily change with a different config!
      
      Fix the data race by restoring the previous behaviour, where both
      setting io_wq to NULL and put of the wq are _serialized_ after
      concurrent io_uring_try_cancel_iowq() via acquisition of the uring_lock
      and removal of the node in io_uring_del_task_file().
      
      Fixes: ba5ef6dc ("io_uring: fortify tctx/io_wq cleanup")
      Suggested-by: NPavel Begunkov <asml.silence@gmail.com>
      Reported-by: syzbot+bf2b3d0435b9b728946c@syzkaller.appspotmail.com
      Signed-off-by: NMarco Elver <elver@google.com>
      Cc: Jens Axboe <axboe@kernel.dk>
      Link: https://lore.kernel.org/r/20210527092547.2656514-1-elver@google.comSigned-off-by: NJens Axboe <axboe@kernel.dk>
      b16ef427
  6. 26 5月, 2021 1 次提交
    • P
      io_uring/io-wq: close io-wq full-stop gap · 17a91051
      Pavel Begunkov 提交于
      There is an old problem with io-wq cancellation where requests should be
      killed and are in io-wq but are not discoverable, e.g. in @next_hashed
      or @linked vars of io_worker_handle_work(). It adds some unreliability
      to individual request canellation, but also may potentially get
      __io_uring_cancel() stuck. For instance:
      
      1) An __io_uring_cancel()'s cancellation round have not found any
         request but there are some as desribed.
      2) __io_uring_cancel() goes to sleep
      3) Then workers wake up and try to execute those hidden requests
         that happen to be unbound.
      
      As we already cancel all requests of io-wq there, set IO_WQ_BIT_EXIT
      in advance, so preventing 3) from executing unbound requests. The
      workers will initially break looping because of getting a signal as they
      are threads of the dying/exec()'ing user task.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NPavel Begunkov <asml.silence@gmail.com>
      Link: https://lore.kernel.org/r/abfcf8c54cb9e8f7bfbad7e9a0cc5433cc70bdc2.1621781238.git.asml.silence@gmail.comSigned-off-by: NJens Axboe <axboe@kernel.dk>
      17a91051
  7. 20 5月, 2021 1 次提交
  8. 17 5月, 2021 1 次提交
  9. 14 5月, 2021 3 次提交
  10. 09 5月, 2021 1 次提交
    • P
      io_uring: fix link timeout refs · a298232e
      Pavel Begunkov 提交于
      WARNING: CPU: 0 PID: 10242 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
      RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
      Call Trace:
       __refcount_sub_and_test include/linux/refcount.h:283 [inline]
       __refcount_dec_and_test include/linux/refcount.h:315 [inline]
       refcount_dec_and_test include/linux/refcount.h:333 [inline]
       io_put_req fs/io_uring.c:2140 [inline]
       io_queue_linked_timeout fs/io_uring.c:6300 [inline]
       __io_queue_sqe+0xbef/0xec0 fs/io_uring.c:6354
       io_submit_sqe fs/io_uring.c:6534 [inline]
       io_submit_sqes+0x2bbd/0x7c50 fs/io_uring.c:6660
       __do_sys_io_uring_enter fs/io_uring.c:9240 [inline]
       __se_sys_io_uring_enter+0x256/0x1d60 fs/io_uring.c:9182
      
      io_link_timeout_fn() should put only one reference of the linked timeout
      request, however in case of racing with the master request's completion
      first io_req_complete() puts one and then io_put_req_deferred() is
      called.
      
      Cc: stable@vger.kernel.org # 5.12+
      Fixes: 9ae1f8dd ("io_uring: fix inconsistent lock state")
      Reported-by: syzbot+a2910119328ce8e7996f@syzkaller.appspotmail.com
      Signed-off-by: NPavel Begunkov <asml.silence@gmail.com>
      Link: https://lore.kernel.org/r/ff51018ff29de5ffa76f09273ef48cb24c720368.1620417627.git.asml.silence@gmail.comSigned-off-by: NJens Axboe <axboe@kernel.dk>
      a298232e