1. 06 11月, 2020 2 次提交
    • J
      io_uring: use correct pointer for io_uring_show_cred() · 6b47ab81
      Jens Axboe 提交于
      Previous commit changed how we index the registered credentials, but
      neglected to update one spot that is used when the personalities are
      iterated through ->show_fdinfo(). Ensure we use the right struct type
      for the iteration.
      
      Reported-by: syzbot+a6d494688cdb797bdfce@syzkaller.appspotmail.com
      Fixes: 1e6fa521 ("io_uring: COW io_identity on mismatch")
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      6b47ab81
    • P
      io_uring: don't forget to task-cancel drained reqs · ef9865a4
      Pavel Begunkov 提交于
      If there is a long-standing request of one task locking up execution of
      deferred requests, and the defer list contains requests of another task
      (all files-less), then a potential execution of __io_uring_task_cancel()
      by that another task will sleep until that first long-standing request
      completion, and that may take long.
      
      E.g.
      tsk1: req1/read(empty_pipe) -> tsk2: req(DRAIN)
      Then __io_uring_task_cancel(tsk2) waits for req1 completion.
      
      It seems we even can manufacture a complicated case with many tasks
      sharing many rings that can lock them forever.
      
      Cancel deferred requests for __io_uring_task_cancel() as well.
      Signed-off-by: NPavel Begunkov <asml.silence@gmail.com>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      ef9865a4
  2. 05 11月, 2020 4 次提交
    • P
      io_uring: fix overflowed cancel w/ linked ->files · 99b32808
      Pavel Begunkov 提交于
      Current io_match_files() check in io_cqring_overflow_flush() is useless
      because requests drop ->files before going to the overflow list, however
      linked to it request do not, and we don't check them.
      Signed-off-by: NPavel Begunkov <asml.silence@gmail.com>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      99b32808
    • J
      io_uring: drop req/tctx io_identity separately · cb8a8ae3
      Jens Axboe 提交于
      We can't bundle this into one operation, as the identity may not have
      originated from the tctx to begin with. Drop one ref for each of them
      separately, if they don't match the static assignment. If we don't, then
      if the identity is a lookup from registered credentials, we could be
      freeing that identity as we're dropping a reference assuming it came from
      the tctx. syzbot reports this as a use-after-free, as the identity is
      still referencable from idr lookup:
      
      ==================================================================
      BUG: KASAN: use-after-free in instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
      BUG: KASAN: use-after-free in atomic_fetch_add_relaxed include/asm-generic/atomic-instrumented.h:142 [inline]
      BUG: KASAN: use-after-free in __refcount_add include/linux/refcount.h:193 [inline]
      BUG: KASAN: use-after-free in __refcount_inc include/linux/refcount.h:250 [inline]
      BUG: KASAN: use-after-free in refcount_inc include/linux/refcount.h:267 [inline]
      BUG: KASAN: use-after-free in io_init_req fs/io_uring.c:6700 [inline]
      BUG: KASAN: use-after-free in io_submit_sqes+0x15a9/0x25f0 fs/io_uring.c:6774
      Write of size 4 at addr ffff888011e08e48 by task syz-executor165/8487
      
      CPU: 1 PID: 8487 Comm: syz-executor165 Not tainted 5.10.0-rc1-next-20201102-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x107/0x163 lib/dump_stack.c:118
       print_address_description.constprop.0.cold+0xae/0x4c8 mm/kasan/report.c:385
       __kasan_report mm/kasan/report.c:545 [inline]
       kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562
       check_memory_region_inline mm/kasan/generic.c:186 [inline]
       check_memory_region+0x13d/0x180 mm/kasan/generic.c:192
       instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
       atomic_fetch_add_relaxed include/asm-generic/atomic-instrumented.h:142 [inline]
       __refcount_add include/linux/refcount.h:193 [inline]
       __refcount_inc include/linux/refcount.h:250 [inline]
       refcount_inc include/linux/refcount.h:267 [inline]
       io_init_req fs/io_uring.c:6700 [inline]
       io_submit_sqes+0x15a9/0x25f0 fs/io_uring.c:6774
       __do_sys_io_uring_enter+0xc8e/0x1b50 fs/io_uring.c:9159
       do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x440e19
      Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 0f fc ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007fff644ff178 EFLAGS: 00000246 ORIG_RAX: 00000000000001aa
      RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000440e19
      RDX: 0000000000000000 RSI: 000000000000450c RDI: 0000000000000003
      RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00000000022b4850
      R13: 0000000000000010 R14: 0000000000000000 R15: 0000000000000000
      
      Allocated by task 8487:
       kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
       kasan_set_track mm/kasan/common.c:56 [inline]
       __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:461
       kmalloc include/linux/slab.h:552 [inline]
       io_register_personality fs/io_uring.c:9638 [inline]
       __io_uring_register fs/io_uring.c:9874 [inline]
       __do_sys_io_uring_register+0x10f0/0x40a0 fs/io_uring.c:9924
       do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Freed by task 8487:
       kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
       kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
       kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
       __kasan_slab_free+0x102/0x140 mm/kasan/common.c:422
       slab_free_hook mm/slub.c:1544 [inline]
       slab_free_freelist_hook+0x5d/0x150 mm/slub.c:1577
       slab_free mm/slub.c:3140 [inline]
       kfree+0xdb/0x360 mm/slub.c:4122
       io_identity_cow fs/io_uring.c:1380 [inline]
       io_prep_async_work+0x903/0xbc0 fs/io_uring.c:1492
       io_prep_async_link fs/io_uring.c:1505 [inline]
       io_req_defer fs/io_uring.c:5999 [inline]
       io_queue_sqe+0x212/0xed0 fs/io_uring.c:6448
       io_submit_sqe fs/io_uring.c:6542 [inline]
       io_submit_sqes+0x14f6/0x25f0 fs/io_uring.c:6784
       __do_sys_io_uring_enter+0xc8e/0x1b50 fs/io_uring.c:9159
       do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      The buggy address belongs to the object at ffff888011e08e00
       which belongs to the cache kmalloc-96 of size 96
      The buggy address is located 72 bytes inside of
       96-byte region [ffff888011e08e00, ffff888011e08e60)
      The buggy address belongs to the page:
      page:00000000a7104751 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11e08
      flags: 0xfff00000000200(slab)
      raw: 00fff00000000200 ffffea00004f8540 0000001f00000002 ffff888010041780
      raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff888011e08d00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
       ffff888011e08d80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
      > ffff888011e08e00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
                                                    ^
       ffff888011e08e80: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
       ffff888011e08f00: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc
      ==================================================================
      
      Reported-by: syzbot+625ce3bb7835b63f7f3d@syzkaller.appspotmail.com
      Fixes: 1e6fa521 ("io_uring: COW io_identity on mismatch")
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      cb8a8ae3
    • J
      io_uring: ensure consistent view of original task ->mm from SQPOLL · 4b70cf9d
      Jens Axboe 提交于
      Ensure we get a valid view of the task mm, by using task_lock() when
      attempting to grab the original task mm.
      
      Reported-by: syzbot+b57abf7ee60829090495@syzkaller.appspotmail.com
      Fixes: 2aede0e4 ("io_uring: stash ctx task reference for SQPOLL")
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      4b70cf9d
    • J
      io_uring: properly handle SQPOLL request cancelations · fdaf083c
      Jens Axboe 提交于
      Track if a given task io_uring context contains SQPOLL instances, so we
      can iterate those for cancelation (and request counts). This ensures that
      we properly wait on SQPOLL contexts, and find everything that needs
      canceling.
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      fdaf083c
  3. 26 10月, 2020 1 次提交
  4. 24 10月, 2020 7 次提交
  5. 23 10月, 2020 1 次提交
    • J
      io_uring: make loop_rw_iter() use original user supplied pointers · 4017eb91
      Jens Axboe 提交于
      We jump through a hoop for fixed buffers, where we first map these to
      a bvec(), then kmap() the bvec to obtain the pointer we copy to/from.
      This was always a bit ugly, and with the set_fs changes, it ends up
      being practically problematic as well.
      
      There's no need to jump through these hoops, just use the original user
      pointers and length for the non iter based read/write.
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      4017eb91
  6. 22 10月, 2020 2 次提交
  7. 21 10月, 2020 1 次提交
  8. 20 10月, 2020 8 次提交
  9. 19 10月, 2020 2 次提交
    • J
      io_uring: use blk_queue_nowait() to check if NOWAIT supported · 9ba0d0c8
      Jeffle Xu 提交于
      commit 021a2446 ("block: add QUEUE_FLAG_NOWAIT") adds a new helper
      function blk_queue_nowait() to check if the bdev supports handling of
      REQ_NOWAIT or not. Since then bio-based dm device can also support
      REQ_NOWAIT, and currently only dm-linear supports that since
      commit 6abc4946 ("dm: add support for REQ_NOWAIT and enable it for
      linear target").
      Signed-off-by: NJeffle Xu <jefflexu@linux.alibaba.com>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      9ba0d0c8
    • M
      mm/madvise: pass mm to do_madvise · 0726b01e
      Minchan Kim 提交于
      Patch series "introduce memory hinting API for external process", v9.
      
      Now, we have MADV_PAGEOUT and MADV_COLD as madvise hinting API.  With
      that, application could give hints to kernel what memory range are
      preferred to be reclaimed.  However, in some platform(e.g., Android), the
      information required to make the hinting decision is not known to the app.
      Instead, it is known to a centralized userspace daemon(e.g.,
      ActivityManagerService), and that daemon must be able to initiate reclaim
      on its own without any app involvement.
      
      To solve the concern, this patch introduces new syscall -
      process_madvise(2).  Bascially, it's same with madvise(2) syscall but it
      has some differences.
      
      1. It needs pidfd of target process to provide the hint
      
      2. It supports only MADV_{COLD|PAGEOUT|MERGEABLE|UNMEREABLE} at this
         moment.  Other hints in madvise will be opened when there are explicit
         requests from community to prevent unexpected bugs we couldn't support.
      
      3. Only privileged processes can do something for other process's
         address space.
      
      For more detail of the new API, please see "mm: introduce external memory
      hinting API" description in this patchset.
      
      This patch (of 3):
      
      In upcoming patches, do_madvise will be called from external process
      context so we shouldn't asssume "current" is always hinted process's
      task_struct.
      
      Furthermore, we must not access mm_struct via task->mm, but obtain it via
      access_mm() once (in the following patch) and only use that pointer [1],
      so pass it to do_madvise() as well.  Note the vma->vm_mm pointers are
      safe, so we can use them further down the call stack.
      
      And let's pass current->mm as arguments of do_madvise so it shouldn't
      change existing behavior but prepare next patch to make review easy.
      
      [vbabka@suse.cz: changelog tweak]
      [minchan@kernel.org: use current->mm for io_uring]
        Link: http://lkml.kernel.org/r/20200423145215.72666-1-minchan@kernel.org
      [akpm@linux-foundation.org: fix it for upstream changes]
      [akpm@linux-foundation.org: whoops]
      [rdunlap@infradead.org: add missing includes]
      Signed-off-by: NMinchan Kim <minchan@kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Reviewed-by: NSuren Baghdasaryan <surenb@google.com>
      Reviewed-by: NVlastimil Babka <vbabka@suse.cz>
      Acked-by: NDavid Rientjes <rientjes@google.com>
      Cc: Jens Axboe <axboe@kernel.dk>
      Cc: Jann Horn <jannh@google.com>
      Cc: Tim Murray <timmurray@google.com>
      Cc: Daniel Colascione <dancol@google.com>
      Cc: Sandeep Patil <sspatil@google.com>
      Cc: Sonny Rao <sonnyrao@google.com>
      Cc: Brian Geffon <bgeffon@google.com>
      Cc: Michal Hocko <mhocko@suse.com>
      Cc: Johannes Weiner <hannes@cmpxchg.org>
      Cc: Shakeel Butt <shakeelb@google.com>
      Cc: John Dias <joaodias@google.com>
      Cc: Joel Fernandes <joel@joelfernandes.org>
      Cc: Alexander Duyck <alexander.h.duyck@linux.intel.com>
      Cc: SeongJae Park <sj38.park@gmail.com>
      Cc: Christian Brauner <christian@brauner.io>
      Cc: Kirill Tkhai <ktkhai@virtuozzo.com>
      Cc: Oleksandr Natalenko <oleksandr@redhat.com>
      Cc: SeongJae Park <sjpark@amazon.de>
      Cc: Christian Brauner <christian.brauner@ubuntu.com>
      Cc: Florian Weimer <fw@deneb.enyo.de>
      Cc: <linux-man@vger.kernel.org>
      Link: https://lkml.kernel.org/r/20200901000633.1920247-1-minchan@kernel.org
      Link: http://lkml.kernel.org/r/20200622192900.22757-1-minchan@kernel.org
      Link: http://lkml.kernel.org/r/20200302193630.68771-2-minchan@kernel.org
      Link: http://lkml.kernel.org/r/20200622192900.22757-2-minchan@kernel.org
      Link: https://lkml.kernel.org/r/20200901000633.1920247-2-minchan@kernel.orgSigned-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      0726b01e
  10. 18 10月, 2020 1 次提交
    • J
      task_work: cleanup notification modes · 91989c70
      Jens Axboe 提交于
      A previous commit changed the notification mode from true/false to an
      int, allowing notify-no, notify-yes, or signal-notify. This was
      backwards compatible in the sense that any existing true/false user
      would translate to either 0 (on notification sent) or 1, the latter
      which mapped to TWA_RESUME. TWA_SIGNAL was assigned a value of 2.
      
      Clean this up properly, and define a proper enum for the notification
      mode. Now we have:
      
      - TWA_NONE. This is 0, same as before the original change, meaning no
        notification requested.
      - TWA_RESUME. This is 1, same as before the original change, meaning
        that we use TIF_NOTIFY_RESUME.
      - TWA_SIGNAL. This uses TIF_SIGPENDING/JOBCTL_TASK_WORK for the
        notification.
      
      Clean up all the callers, switching their 0/1/false/true to using the
      appropriate TWA_* mode for notifications.
      
      Fixes: e91b4816 ("task_work: teach task_work_add() to do signal_wake_up()")
      Reviewed-by: NThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      91989c70
  11. 17 10月, 2020 11 次提交
    • P
      io_uring: fix double poll mask init · 58852d4d
      Pavel Begunkov 提交于
      __io_queue_proc() is used by both, poll reqs and apoll. Don't use
      req->poll.events to copy poll mask because for apoll it aliases with
      private data of the request.
      Signed-off-by: NPavel Begunkov <asml.silence@gmail.com>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      58852d4d
    • J
      io-wq: inherit audit loginuid and sessionid · 4ea33a97
      Jens Axboe 提交于
      Make sure the async io-wq workers inherit the loginuid and sessionid from
      the original task, and restore them to unset once we're done with the
      async work item.
      
      While at it, disable the ability for kernel threads to write to their own
      loginuid.
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      4ea33a97
    • J
      io_uring: use percpu counters to track inflight requests · d8a6df10
      Jens Axboe 提交于
      Even though we place the req_issued and req_complete in separate
      cachelines, there's considerable overhead in doing the atomics
      particularly on the completion side.
      
      Get rid of having the two counters, and just use a percpu_counter for
      this. That's what it was made for, after all. This considerably
      reduces the overhead in __io_free_req().
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      d8a6df10
    • J
      io_uring: assign new io_identity for task if members have changed · 500a373d
      Jens Axboe 提交于
      This avoids doing a copy for each new async IO, if some parts of the
      io_identity has changed. We avoid reference counting for the normal
      fast path of nothing ever changing.
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      500a373d
    • J
      io_uring: store io_identity in io_uring_task · 5c3462cf
      Jens Axboe 提交于
      This is, by definition, a per-task structure. So store it in the
      task context, instead of doing carrying it in each io_kiocb. We're being
      a bit inefficient if members have changed, as that requires an alloc and
      copy of a new io_identity struct. The next patch will fix that up.
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      5c3462cf
    • J
      io_uring: COW io_identity on mismatch · 1e6fa521
      Jens Axboe 提交于
      If the io_identity doesn't completely match the task, then create a
      copy of it and use that. The existing copy remains valid until the last
      user of it has gone away.
      
      This also changes the personality lookup to be indexed by io_identity,
      instead of creds directly.
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      1e6fa521
    • J
      io_uring: move io identity items into separate struct · 98447d65
      Jens Axboe 提交于
      io-wq contains a pointer to the identity, which we just hold in io_kiocb
      for now. This is in preparation for putting this outside io_kiocb. The
      only exception is struct files_struct, which we'll need different rules
      for to avoid a circular dependency.
      
      No functional changes in this patch.
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      98447d65
    • J
      io_uring: rely solely on work flags to determine personality. · dfead8a8
      Jens Axboe 提交于
      We solely rely on work->work_flags now, so use that for proper checking
      and clearing/dropping of various identity items.
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      dfead8a8
    • J
      io_uring: pass required context in as flags · 0f203765
      Jens Axboe 提交于
      We have a number of bits that decide what context to inherit. Set up
      io-wq flags for these instead. This is in preparation for always having
      the various members set, but not always needing them for all requests.
      
      No intended functional changes in this patch.
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      0f203765
    • J
      io_uring: fix error path cleanup in io_sqe_files_register() · 55cbc256
      Jens Axboe 提交于
      syzbot reports the following crash:
      
      general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
      KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
      CPU: 1 PID: 8927 Comm: syz-executor.3 Not tainted 5.9.0-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:io_file_from_index fs/io_uring.c:5963 [inline]
      RIP: 0010:io_sqe_files_register fs/io_uring.c:7369 [inline]
      RIP: 0010:__io_uring_register fs/io_uring.c:9463 [inline]
      RIP: 0010:__do_sys_io_uring_register+0x2fd2/0x3ee0 fs/io_uring.c:9553
      Code: ec 03 49 c1 ee 03 49 01 ec 49 01 ee e8 57 61 9c ff 41 80 3c 24 00 0f 85 9b 09 00 00 4d 8b af b8 01 00 00 4c 89 e8 48 c1 e8 03 <80> 3c 28 00 0f 85 76 09 00 00 49 8b 55 00 89 d8 c1 f8 09 48 98 4c
      RSP: 0018:ffffc90009137d68 EFLAGS: 00010246
      RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffc9000ef2a000
      RDX: 0000000000040000 RSI: ffffffff81d81dd9 RDI: 0000000000000005
      RBP: dffffc0000000000 R08: 0000000000000001 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: ffffed1012882a37
      R13: 0000000000000000 R14: ffffed1012882a38 R15: ffff888094415000
      FS:  00007f4266f3c700(0000) GS:ffff8880ae500000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 000000000118c000 CR3: 000000008e57d000 CR4: 00000000001506e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x45de59
      Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007f4266f3bc78 EFLAGS: 00000246 ORIG_RAX: 00000000000001ab
      RAX: ffffffffffffffda RBX: 00000000000083c0 RCX: 000000000045de59
      RDX: 0000000020000280 RSI: 0000000000000002 RDI: 0000000000000005
      RBP: 000000000118bf68 R08: 0000000000000000 R09: 0000000000000000
      R10: 40000000000000a1 R11: 0000000000000246 R12: 000000000118bf2c
      R13: 00007fff2fa4f12f R14: 00007f4266f3c9c0 R15: 000000000118bf2c
      Modules linked in:
      ---[ end trace 2a40a195e2d5e6e6 ]---
      RIP: 0010:io_file_from_index fs/io_uring.c:5963 [inline]
      RIP: 0010:io_sqe_files_register fs/io_uring.c:7369 [inline]
      RIP: 0010:__io_uring_register fs/io_uring.c:9463 [inline]
      RIP: 0010:__do_sys_io_uring_register+0x2fd2/0x3ee0 fs/io_uring.c:9553
      Code: ec 03 49 c1 ee 03 49 01 ec 49 01 ee e8 57 61 9c ff 41 80 3c 24 00 0f 85 9b 09 00 00 4d 8b af b8 01 00 00 4c 89 e8 48 c1 e8 03 <80> 3c 28 00 0f 85 76 09 00 00 49 8b 55 00 89 d8 c1 f8 09 48 98 4c
      RSP: 0018:ffffc90009137d68 EFLAGS: 00010246
      RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffc9000ef2a000
      RDX: 0000000000040000 RSI: ffffffff81d81dd9 RDI: 0000000000000005
      RBP: dffffc0000000000 R08: 0000000000000001 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: ffffed1012882a37
      R13: 0000000000000000 R14: ffffed1012882a38 R15: ffff888094415000
      FS:  00007f4266f3c700(0000) GS:ffff8880ae400000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 000000000074a918 CR3: 000000008e57d000 CR4: 00000000001506f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      
      which is a copy of fget failure condition jumping to cleanup, but the
      cleanup requires ctx->file_data to be assigned. Assign it when setup,
      and ensure that we clear it again for the error path exit.
      
      Fixes: 5398ae69 ("io_uring: clean file_data access in files_register")
      Reported-by: syzbot+f4ebcc98223dafd8991e@syzkaller.appspotmail.com
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      55cbc256
    • J
      Revert "io_uring: mark io_uring_fops/io_op_defs as __read_mostly" · 0918682b
      Jens Axboe 提交于
      This reverts commit 738277ad.
      
      This change didn't make a lot of sense, and as Linus reports, it actually
      fails on clang:
      
         /tmp/io_uring-dd40c4.s:26476: Warning: ignoring changed section
         attributes for .data..read_mostly
      
      The arrays are already marked const so, by definition, they are not
      just read-mostly, they are read-only.
      Reported-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      0918682b