1. 10 3月, 2022 1 次提交
  2. 23 2月, 2022 1 次提交
  3. 21 2月, 2022 1 次提交
  4. 15 2月, 2022 1 次提交
    • E
      io_uring: add a schedule point in io_add_buffers() · f240762f
      Eric Dumazet 提交于
      Looping ~65535 times doing kmalloc() calls can trigger soft lockups,
      especially with DEBUG features (like KASAN).
      
      [  253.536212] watchdog: BUG: soft lockup - CPU#64 stuck for 26s! [b219417889:12575]
      [  253.544433] Modules linked in: vfat fat i2c_mux_pca954x i2c_mux spidev cdc_acm xhci_pci xhci_hcd sha3_generic gq(O)
      [  253.544451] CPU: 64 PID: 12575 Comm: b219417889 Tainted: G S         O      5.17.0-smp-DEV #801
      [  253.544457] RIP: 0010:kernel_text_address (./include/asm-generic/sections.h:192 ./include/linux/kallsyms.h:29 kernel/extable.c:67 kernel/extable.c:98)
      [  253.544464] Code: 0f 93 c0 48 c7 c1 e0 63 d7 a4 48 39 cb 0f 92 c1 20 c1 0f b6 c1 5b 5d c3 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 53 48 89 fb <48> c7 c0 00 00 80 a0 41 be 01 00 00 00 48 39 c7 72 0c 48 c7 c0 40
      [  253.544468] RSP: 0018:ffff8882d8baf4c0 EFLAGS: 00000246
      [  253.544471] RAX: 1ffff1105b175e00 RBX: ffffffffa13ef09a RCX: 00000000a13ef001
      [  253.544474] RDX: ffffffffa13ef09a RSI: ffff8882d8baf558 RDI: ffffffffa13ef09a
      [  253.544476] RBP: ffff8882d8baf4d8 R08: ffff8882d8baf5e0 R09: 0000000000000004
      [  253.544479] R10: ffff8882d8baf5e8 R11: ffffffffa0d59a50 R12: ffff8882eab20380
      [  253.544481] R13: ffffffffa0d59a50 R14: dffffc0000000000 R15: 1ffff1105b175eb0
      [  253.544483] FS:  00000000016d3380(0000) GS:ffff88af48c00000(0000) knlGS:0000000000000000
      [  253.544486] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  253.544488] CR2: 00000000004af0f0 CR3: 00000002eabfa004 CR4: 00000000003706e0
      [  253.544491] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  253.544492] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [  253.544494] Call Trace:
      [  253.544496]  <TASK>
      [  253.544498] ? io_queue_sqe (fs/io_uring.c:7143)
      [  253.544505] __kernel_text_address (kernel/extable.c:78)
      [  253.544508] unwind_get_return_address (arch/x86/kernel/unwind_frame.c:19)
      [  253.544514] arch_stack_walk (arch/x86/kernel/stacktrace.c:27)
      [  253.544517] ? io_queue_sqe (fs/io_uring.c:7143)
      [  253.544521] stack_trace_save (kernel/stacktrace.c:123)
      [  253.544527] ____kasan_kmalloc (mm/kasan/common.c:39 mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:515)
      [  253.544531] ? ____kasan_kmalloc (mm/kasan/common.c:39 mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:515)
      [  253.544533] ? __kasan_kmalloc (mm/kasan/common.c:524)
      [  253.544535] ? kmem_cache_alloc_trace (./include/linux/kasan.h:270 mm/slab.c:3567)
      [  253.544541] ? io_issue_sqe (fs/io_uring.c:4556 fs/io_uring.c:4589 fs/io_uring.c:6828)
      [  253.544544] ? __io_queue_sqe (fs/io_uring.c:?)
      [  253.544551] __kasan_kmalloc (mm/kasan/common.c:524)
      [  253.544553] kmem_cache_alloc_trace (./include/linux/kasan.h:270 mm/slab.c:3567)
      [  253.544556] ? io_issue_sqe (fs/io_uring.c:4556 fs/io_uring.c:4589 fs/io_uring.c:6828)
      [  253.544560] io_issue_sqe (fs/io_uring.c:4556 fs/io_uring.c:4589 fs/io_uring.c:6828)
      [  253.544564] ? __kasan_slab_alloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469)
      [  253.544567] ? __kasan_slab_alloc (mm/kasan/common.c:39 mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469)
      [  253.544569] ? kmem_cache_alloc_bulk (mm/slab.h:732 mm/slab.c:3546)
      [  253.544573] ? __io_alloc_req_refill (fs/io_uring.c:2078)
      [  253.544578] ? io_submit_sqes (fs/io_uring.c:7441)
      [  253.544581] ? __se_sys_io_uring_enter (fs/io_uring.c:10154 fs/io_uring.c:10096)
      [  253.544584] ? __x64_sys_io_uring_enter (fs/io_uring.c:10096)
      [  253.544587] ? do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
      [  253.544590] ? entry_SYSCALL_64_after_hwframe (??:?)
      [  253.544596] __io_queue_sqe (fs/io_uring.c:?)
      [  253.544600] io_queue_sqe (fs/io_uring.c:7143)
      [  253.544603] io_submit_sqe (fs/io_uring.c:?)
      [  253.544608] io_submit_sqes (fs/io_uring.c:?)
      [  253.544612] __se_sys_io_uring_enter (fs/io_uring.c:10154 fs/io_uring.c:10096)
      [  253.544616] __x64_sys_io_uring_enter (fs/io_uring.c:10096)
      [  253.544619] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
      [  253.544623] entry_SYSCALL_64_after_hwframe (??:?)
      
      Fixes: ddf0322d ("io_uring: add IORING_OP_PROVIDE_BUFFERS")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Cc: Jens Axboe <axboe@kernel.dk>
      Cc: Pavel Begunkov <asml.silence@gmail.com>
      Cc: io-uring <io-uring@vger.kernel.org>
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Link: https://lore.kernel.org/r/20220215041003.2394784-1-eric.dumazet@gmail.comSigned-off-by: NJens Axboe <axboe@kernel.dk>
      f240762f
  5. 07 2月, 2022 2 次提交
  6. 28 1月, 2022 1 次提交
  7. 24 1月, 2022 1 次提交
  8. 19 1月, 2022 1 次提交
  9. 14 1月, 2022 2 次提交
  10. 10 1月, 2022 1 次提交
  11. 06 1月, 2022 3 次提交
  12. 29 12月, 2021 7 次提交
  13. 23 12月, 2021 1 次提交
  14. 14 12月, 2021 1 次提交
  15. 11 12月, 2021 1 次提交
    • J
      io_uring: ensure task_work gets run as part of cancelations · 78a78060
      Jens Axboe 提交于
      If we successfully cancel a work item but that work item needs to be
      processed through task_work, then we can be sleeping uninterruptibly
      in io_uring_cancel_generic() and never process it. Hence we don't
      make forward progress and we end up with an uninterruptible sleep
      warning.
      
      While in there, correct a comment that should be IFF, not IIF.
      
      Reported-and-tested-by: syzbot+21e6887c0be14181206d@syzkaller.appspotmail.com
      Cc: stable@vger.kernel.org
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      78a78060
  16. 09 12月, 2021 1 次提交
  17. 08 12月, 2021 3 次提交
  18. 05 12月, 2021 4 次提交
  19. 29 11月, 2021 1 次提交
  20. 27 11月, 2021 2 次提交
    • Y
      io_uring: Fix undefined-behaviour in io_issue_sqe · f6223ff7
      Ye Bin 提交于
      We got issue as follows:
      ================================================================================
      UBSAN: Undefined behaviour in ./include/linux/ktime.h:42:14
      signed integer overflow:
      -4966321760114568020 * 1000000000 cannot be represented in type 'long long int'
      CPU: 1 PID: 2186 Comm: syz-executor.2 Not tainted 4.19.90+ #12
      Hardware name: linux,dummy-virt (DT)
      Call trace:
       dump_backtrace+0x0/0x3f0 arch/arm64/kernel/time.c:78
       show_stack+0x28/0x38 arch/arm64/kernel/traps.c:158
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x170/0x1dc lib/dump_stack.c:118
       ubsan_epilogue+0x18/0xb4 lib/ubsan.c:161
       handle_overflow+0x188/0x1dc lib/ubsan.c:192
       __ubsan_handle_mul_overflow+0x34/0x44 lib/ubsan.c:213
       ktime_set include/linux/ktime.h:42 [inline]
       timespec64_to_ktime include/linux/ktime.h:78 [inline]
       io_timeout fs/io_uring.c:5153 [inline]
       io_issue_sqe+0x42c8/0x4550 fs/io_uring.c:5599
       __io_queue_sqe+0x1b0/0xbc0 fs/io_uring.c:5988
       io_queue_sqe+0x1ac/0x248 fs/io_uring.c:6067
       io_submit_sqe fs/io_uring.c:6137 [inline]
       io_submit_sqes+0xed8/0x1c88 fs/io_uring.c:6331
       __do_sys_io_uring_enter fs/io_uring.c:8170 [inline]
       __se_sys_io_uring_enter fs/io_uring.c:8129 [inline]
       __arm64_sys_io_uring_enter+0x490/0x980 fs/io_uring.c:8129
       invoke_syscall arch/arm64/kernel/syscall.c:53 [inline]
       el0_svc_common+0x374/0x570 arch/arm64/kernel/syscall.c:121
       el0_svc_handler+0x190/0x260 arch/arm64/kernel/syscall.c:190
       el0_svc+0x10/0x218 arch/arm64/kernel/entry.S:1017
      ================================================================================
      
      As ktime_set only judge 'secs' if big than KTIME_SEC_MAX, but if we pass
      negative value maybe lead to overflow.
      To address this issue, we must check if 'sec' is negative.
      Signed-off-by: NYe Bin <yebin10@huawei.com>
      Link: https://lore.kernel.org/r/20211118015907.844807-1-yebin10@huawei.comSigned-off-by: NJens Axboe <axboe@kernel.dk>
      f6223ff7
    • Y
      io_uring: fix soft lockup when call __io_remove_buffers · 1d0254e6
      Ye Bin 提交于
      I got issue as follows:
      [ 567.094140] __io_remove_buffers: [1]start ctx=0xffff8881067bf000 bgid=65533 buf=0xffff8881fefe1680
      [  594.360799] watchdog: BUG: soft lockup - CPU#2 stuck for 26s! [kworker/u32:5:108]
      [  594.364987] Modules linked in:
      [  594.365405] irq event stamp: 604180238
      [  594.365906] hardirqs last  enabled at (604180237): [<ffffffff93fec9bd>] _raw_spin_unlock_irqrestore+0x2d/0x50
      [  594.367181] hardirqs last disabled at (604180238): [<ffffffff93fbbadb>] sysvec_apic_timer_interrupt+0xb/0xc0
      [  594.368420] softirqs last  enabled at (569080666): [<ffffffff94200654>] __do_softirq+0x654/0xa9e
      [  594.369551] softirqs last disabled at (569080575): [<ffffffff913e1d6a>] irq_exit_rcu+0x1ca/0x250
      [  594.370692] CPU: 2 PID: 108 Comm: kworker/u32:5 Tainted: G            L    5.15.0-next-20211112+ #88
      [  594.371891] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014
      [  594.373604] Workqueue: events_unbound io_ring_exit_work
      [  594.374303] RIP: 0010:_raw_spin_unlock_irqrestore+0x33/0x50
      [  594.375037] Code: 48 83 c7 18 53 48 89 f3 48 8b 74 24 10 e8 55 f5 55 fd 48 89 ef e8 ed a7 56 fd 80 e7 02 74 06 e8 43 13 7b fd fb bf 01 00 00 00 <e8> f8 78 474
      [  594.377433] RSP: 0018:ffff888101587a70 EFLAGS: 00000202
      [  594.378120] RAX: 0000000024030f0d RBX: 0000000000000246 RCX: 1ffffffff2f09106
      [  594.379053] RDX: 0000000000000000 RSI: ffffffff9449f0e0 RDI: 0000000000000001
      [  594.379991] RBP: ffffffff9586cdc0 R08: 0000000000000001 R09: fffffbfff2effcab
      [  594.380923] R10: ffffffff977fe557 R11: fffffbfff2effcaa R12: ffff8881b8f3def0
      [  594.381858] R13: 0000000000000246 R14: ffff888153a8b070 R15: 0000000000000000
      [  594.382787] FS:  0000000000000000(0000) GS:ffff888399c00000(0000) knlGS:0000000000000000
      [  594.383851] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  594.384602] CR2: 00007fcbe71d2000 CR3: 00000000b4216000 CR4: 00000000000006e0
      [  594.385540] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  594.386474] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [  594.387403] Call Trace:
      [  594.387738]  <TASK>
      [  594.388042]  find_and_remove_object+0x118/0x160
      [  594.389321]  delete_object_full+0xc/0x20
      [  594.389852]  kfree+0x193/0x470
      [  594.390275]  __io_remove_buffers.part.0+0xed/0x147
      [  594.390931]  io_ring_ctx_free+0x342/0x6a2
      [  594.392159]  io_ring_exit_work+0x41e/0x486
      [  594.396419]  process_one_work+0x906/0x15a0
      [  594.399185]  worker_thread+0x8b/0xd80
      [  594.400259]  kthread+0x3bf/0x4a0
      [  594.401847]  ret_from_fork+0x22/0x30
      [  594.402343]  </TASK>
      
      Message from syslogd@localhost at Nov 13 09:09:54 ...
      kernel:watchdog: BUG: soft lockup - CPU#2 stuck for 26s! [kworker/u32:5:108]
      [  596.793660] __io_remove_buffers: [2099199]start ctx=0xffff8881067bf000 bgid=65533 buf=0xffff8881fefe1680
      
      We can reproduce this issue by follow syzkaller log:
      r0 = syz_io_uring_setup(0x401, &(0x7f0000000300), &(0x7f0000003000/0x2000)=nil, &(0x7f0000ff8000/0x4000)=nil, &(0x7f0000000280)=<r1=>0x0, &(0x7f0000000380)=<r2=>0x0)
      sendmsg$ETHTOOL_MSG_FEATURES_SET(0xffffffffffffffff, &(0x7f0000003080)={0x0, 0x0, &(0x7f0000003040)={&(0x7f0000000040)=ANY=[], 0x18}}, 0x0)
      syz_io_uring_submit(r1, r2, &(0x7f0000000240)=@IORING_OP_PROVIDE_BUFFERS={0x1f, 0x5, 0x0, 0x401, 0x1, 0x0, 0x100, 0x0, 0x1, {0xfffd}}, 0x0)
      io_uring_enter(r0, 0x3a2d, 0x0, 0x0, 0x0, 0x0)
      
      The reason above issue  is 'buf->list' has 2,100,000 nodes, occupied cpu lead
      to soft lockup.
      To solve this issue, we need add schedule point when do while loop in
      '__io_remove_buffers'.
      After add  schedule point we do regression, get follow data.
      [  240.141864] __io_remove_buffers: [1]start ctx=0xffff888170603000 bgid=65533 buf=0xffff8881116fcb00
      [  268.408260] __io_remove_buffers: [1]start ctx=0xffff8881b92d2000 bgid=65533 buf=0xffff888130c83180
      [  275.899234] __io_remove_buffers: [2099199]start ctx=0xffff888170603000 bgid=65533 buf=0xffff8881116fcb00
      [  296.741404] __io_remove_buffers: [1]start ctx=0xffff8881b659c000 bgid=65533 buf=0xffff8881010fe380
      [  305.090059] __io_remove_buffers: [2099199]start ctx=0xffff8881b92d2000 bgid=65533 buf=0xffff888130c83180
      [  325.415746] __io_remove_buffers: [1]start ctx=0xffff8881b92d1000 bgid=65533 buf=0xffff8881a17d8f00
      [  333.160318] __io_remove_buffers: [2099199]start ctx=0xffff8881b659c000 bgid=65533 buf=0xffff8881010fe380
      ...
      
      Fixes:8bab4c09("io_uring: allow conditional reschedule for intensive iterators")
      Signed-off-by: NYe Bin <yebin10@huawei.com>
      Link: https://lore.kernel.org/r/20211122024737.2198530-1-yebin10@huawei.comSigned-off-by: NJens Axboe <axboe@kernel.dk>
      1d0254e6
  21. 26 11月, 2021 4 次提交
    • P
      io_uring: fix link traversal locking · 6af3f48b
      Pavel Begunkov 提交于
      WARNING: inconsistent lock state
      5.16.0-rc2-syzkaller #0 Not tainted
      inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage.
      ffff888078e11418 (&ctx->timeout_lock
      ){?.+.}-{2:2}
      , at: io_timeout_fn+0x6f/0x360 fs/io_uring.c:5943
      {HARDIRQ-ON-W} state was registered at:
        [...]
        spin_unlock_irq include/linux/spinlock.h:399 [inline]
        __io_poll_remove_one fs/io_uring.c:5669 [inline]
        __io_poll_remove_one fs/io_uring.c:5654 [inline]
        io_poll_remove_one+0x236/0x870 fs/io_uring.c:5680
        io_poll_remove_all+0x1af/0x235 fs/io_uring.c:5709
        io_ring_ctx_wait_and_kill+0x1cc/0x322 fs/io_uring.c:9534
        io_uring_release+0x42/0x46 fs/io_uring.c:9554
        __fput+0x286/0x9f0 fs/file_table.c:280
        task_work_run+0xdd/0x1a0 kernel/task_work.c:164
        exit_task_work include/linux/task_work.h:32 [inline]
        do_exit+0xc14/0x2b40 kernel/exit.c:832
      
      674ee8e1 ("io_uring: correct link-list traversal locking") fixed a
      data race but introduced a possible deadlock and inconsistentcy in irq
      states. E.g.
      
      io_poll_remove_all()
          spin_lock_irq(timeout_lock)
          io_poll_remove_one()
              spin_lock/unlock_irq(poll_lock);
          spin_unlock_irq(timeout_lock)
      
      Another type of problem is freeing a request while holding
      ->timeout_lock, which may leads to a deadlock in
      io_commit_cqring() -> io_flush_timeouts() and other places.
      
      Having 3 nested locks is also too ugly. Add io_match_task_safe(), which
      would briefly take and release timeout_lock for race prevention inside,
      so the actuall request cancellation / free / etc. code doesn't have it
      taken.
      
      Reported-by: syzbot+ff49a3059d49b0ca0eec@syzkaller.appspotmail.com
      Reported-by: syzbot+847f02ec20a6609a328b@syzkaller.appspotmail.com
      Reported-by: syzbot+3368aadcd30425ceb53b@syzkaller.appspotmail.com
      Reported-by: syzbot+51ce8887cdef77c9ac83@syzkaller.appspotmail.com
      Reported-by: syzbot+3cb756a49d2f394a9ee3@syzkaller.appspotmail.com
      Fixes: 674ee8e1 ("io_uring: correct link-list traversal locking")
      Cc: stable@kernel.org # 5.15+
      Signed-off-by: NPavel Begunkov <asml.silence@gmail.com>
      Link: https://lore.kernel.org/r/397f7ebf3f4171f1abe41f708ac1ecb5766f0b68.1637937097.git.asml.silence@gmail.comSigned-off-by: NJens Axboe <axboe@kernel.dk>
      6af3f48b
    • P
      io_uring: fail cancellation for EXITING tasks · 617a8948
      Pavel Begunkov 提交于
      WARNING: CPU: 1 PID: 20 at fs/io_uring.c:6269 io_try_cancel_userdata+0x3c5/0x640 fs/io_uring.c:6269
      CPU: 1 PID: 20 Comm: kworker/1:0 Not tainted 5.16.0-rc1-syzkaller #0
      Workqueue: events io_fallback_req_func
      RIP: 0010:io_try_cancel_userdata+0x3c5/0x640 fs/io_uring.c:6269
      Call Trace:
       <TASK>
       io_req_task_link_timeout+0x6b/0x1e0 fs/io_uring.c:6886
       io_fallback_req_func+0xf9/0x1ae fs/io_uring.c:1334
       process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298
       worker_thread+0x658/0x11f0 kernel/workqueue.c:2445
       kthread+0x405/0x4f0 kernel/kthread.c:327
       ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
       </TASK>
      
      We need original task's context to do cancellations, so if it's dying
      and the callback is executed in a fallback mode, fail the cancellation
      attempt.
      
      Fixes: 89b263f6 ("io_uring: run linked timeouts from task_work")
      Cc: stable@kernel.org # 5.15+
      Reported-by: syzbot+ab0cfe96c2b3cd1c1153@syzkaller.appspotmail.com
      Signed-off-by: NPavel Begunkov <asml.silence@gmail.com>
      Link: https://lore.kernel.org/r/4c41c5f379c6941ad5a07cd48cb66ed62199cf7e.1637937097.git.asml.silence@gmail.comSigned-off-by: NJens Axboe <axboe@kernel.dk>
      617a8948
    • H
      io_uring: better to use REQ_F_IO_DRAIN for req->flags · b6c7db32
      Hao Xu 提交于
      It's better to use REQ_F_IO_DRAIN for req->flags rather than
      IOSQE_IO_DRAIN though they have same value.
      Signed-off-by: NHao Xu <haoxu@linux.alibaba.com>
      Link: https://lore.kernel.org/r/20211125092103.224502-3-haoxu@linux.alibaba.comSigned-off-by: NJens Axboe <axboe@kernel.dk>
      b6c7db32
    • H
      io_uring: fix no lock protection for ctx->cq_extra · e302f104
      Hao Xu 提交于
      ctx->cq_extra should be protected by completion lock so that the
      req_need_defer() does the right check.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NHao Xu <haoxu@linux.alibaba.com>
      Link: https://lore.kernel.org/r/20211125092103.224502-2-haoxu@linux.alibaba.comSigned-off-by: NJens Axboe <axboe@kernel.dk>
      e302f104