iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/fs
History
Pavel Begunkov 6af3f48bf6 io_uring: fix link traversal locking 
WARNING: inconsistent lock state
5.16.0-rc2-syzkaller #0 Not tainted
inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage.
ffff888078e11418 (&ctx->timeout_lock
){?.+.}-{2:2}
, at: io_timeout_fn+0x6f/0x360 fs/io_uring.c:5943
{HARDIRQ-ON-W} state was registered at:
  [...]
  spin_unlock_irq include/linux/spinlock.h:399 [inline]
  __io_poll_remove_one fs/io_uring.c:5669 [inline]
  __io_poll_remove_one fs/io_uring.c:5654 [inline]
  io_poll_remove_one+0x236/0x870 fs/io_uring.c:5680
  io_poll_remove_all+0x1af/0x235 fs/io_uring.c:5709
  io_ring_ctx_wait_and_kill+0x1cc/0x322 fs/io_uring.c:9534
  io_uring_release+0x42/0x46 fs/io_uring.c:9554
  __fput+0x286/0x9f0 fs/file_table.c:280
  task_work_run+0xdd/0x1a0 kernel/task_work.c:164
  exit_task_work include/linux/task_work.h:32 [inline]
  do_exit+0xc14/0x2b40 kernel/exit.c:832

674ee8e1b4a41 ("io_uring: correct link-list traversal locking") fixed a
data race but introduced a possible deadlock and inconsistentcy in irq
states. E.g.

io_poll_remove_all()
    spin_lock_irq(timeout_lock)
    io_poll_remove_one()
        spin_lock/unlock_irq(poll_lock);
    spin_unlock_irq(timeout_lock)

Another type of problem is freeing a request while holding
->timeout_lock, which may leads to a deadlock in
io_commit_cqring() -> io_flush_timeouts() and other places.

Having 3 nested locks is also too ugly. Add io_match_task_safe(), which
would briefly take and release timeout_lock for race prevention inside,
so the actuall request cancellation / free / etc. code doesn't have it
taken.

Reported-by: syzbot+ff49a3059d49b0ca0eec@syzkaller.appspotmail.com
Reported-by: syzbot+847f02ec20a6609a328b@syzkaller.appspotmail.com
Reported-by: syzbot+3368aadcd30425ceb53b@syzkaller.appspotmail.com
Reported-by: syzbot+51ce8887cdef77c9ac83@syzkaller.appspotmail.com
Reported-by: syzbot+3cb756a49d2f394a9ee3@syzkaller.appspotmail.com
Fixes: 674ee8e1b4a41 ("io_uring: correct link-list traversal locking")
Cc: stable@kernel.org # 5.15+
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/397f7ebf3f4171f1abe41f708ac1ecb5766f0b68.1637937097.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2021-11-26 08:35:57 -07:00
..
9p
netfs, 9p, afs, ceph: Use folios
2021-11-10 21:16:56 +00:00
adfs
mm: require ->set_page_dirty to be explicitly wired up
2021-06-29 10:53:48 -07:00
affs
affs: use bdev_nr_sectors instead of open coding it
2021-10-18 14:43:22 -06:00
afs
afs: Use folios in directory handling
2021-11-10 21:17:09 +00:00
autofs
autofs: fix wait name hash calculation in autofs_wait()
2021-10-20 21:09:02 -04:00
befs
isystem: ship and use stdarg.h
2021-08-19 09:02:55 +09:00
bfs
mm: require ->set_page_dirty to be explicitly wired up
2021-06-29 10:53:48 -07:00
btrfs
Update to zstd-1.4.10
2021-11-13 15:32:30 -08:00
cachefiles
for-5.16/ki_complete-2021-10-29
2021-11-01 10:17:11 -07:00
ceph
One notable change here is that async creates and unlinks introduced
2021-11-13 11:31:07 -08:00
cifs
cifs: do not duplicate fscache cookie for secondary channels
2021-11-12 23:29:08 -06:00
coda
coda: bump module version to 7.2
2021-11-09 10:02:51 -08:00
configfs
configfs: fix a race in configfs_lookup()
2021-08-25 07:58:49 +02:00
cramfs
cramfs: use bdev_nr_bytes instead of open coding it
2021-10-18 14:43:22 -06:00
crypto
fscrypt: improve a few comments
2021-10-25 19:11:50 -07:00
debugfs
debugfs: debugfs_create_file_size(): use IS_ERR to check for error
2021-09-21 09:09:06 +02:00
devpts
dlm
fs: dlm: avoid comms shutdown delay in release_lockspace
2021-09-01 11:29:14 -05:00
ecryptfs
mm: require ->set_page_dirty to be explicitly wired up
2021-06-29 10:53:48 -07:00
efivarfs
efivars: convert to fileattr
2021-04-12 15:04:29 +02:00
efs
erofs
Changes since last update:
2021-11-13 11:27:02 -08:00
exfat
exfat: fix incorrect loading of i_blocks for large files
2021-11-01 07:49:21 +09:00
exportfs
ext2
ext2: fix sleeping in atomic bugs on error
2021-09-22 13:05:23 +02:00
ext4
Only bug fixes and cleanups for ext4 this merge window. Of note are
2021-11-10 17:05:37 -08:00
f2fs
Update to zstd-1.4.10
2021-11-13 15:32:30 -08:00
fat
for-5.16/inode-sync-2021-10-29
2021-11-01 10:25:27 -07:00
freevxfs
fscache
fscache: Remove an unused static variable
2021-10-04 22:13:12 +01:00
fuse
fuse update for 5.16
2021-11-09 10:46:32 -08:00
gfs2
Changes in gfs2:
2021-11-02 12:35:04 -07:00
hfs
Merge branch 'akpm' (patches from Andrew)
2021-11-09 10:11:53 -08:00
hfsplus
Merge branch 'akpm' (patches from Andrew)
2021-11-09 10:11:53 -08:00
hostfs
hostfs: support splice_write
2021-08-26 22:28:02 +02:00
hpfs
treewide: Replace open-coded flex arrays in unions
2021-10-18 12:28:53 -07:00
hugetlbfs
mm,hugetlb: remove mlock ulimit for SHM_HUGETLB
2021-11-09 10:02:48 -08:00
iomap
gfs2: Fix mmap + page fault deadlocks
2021-11-02 12:25:03 -07:00
isofs
isofs: Fix out of bound access for corrupted isofs image
2021-10-19 12:51:02 +02:00
jbd2
jbd2: add sparse annotations for add_transaction_credits()
2021-08-30 23:36:50 -04:00
jffs2
vfs: add rcu argument to ->get_acl() callback
2021-08-18 22:08:24 +02:00
jfs
Just one JFS patch
2021-11-03 09:23:25 -07:00
kernfs
Merge 5.15-rc6 into driver-core-next
2021-10-18 09:43:37 +02:00
ksmbd
ksmbd: Use the SMB3_Create definitions from the shared
2021-11-11 19:22:58 -06:00
lockd
A slow cycle for nfsd: mainly cleanup, including Neil's patch dropping
2021-11-10 16:45:54 -08:00
minix
mm: require ->set_page_dirty to be explicitly wired up
2021-06-29 10:53:48 -07:00
netfs
netfs, 9p, afs, ceph: Use folios
2021-11-10 21:16:56 +00:00
nfs
A slow cycle for nfsd: mainly cleanup, including Neil's patch dropping
2021-11-10 16:45:54 -08:00
nfs_common
nfs: Fix kerneldoc warning shown up by W=1
2021-10-04 22:02:17 +01:00
nfsd
A slow cycle for nfsd: mainly cleanup, including Neil's patch dropping
2021-11-10 16:45:54 -08:00
nilfs2
Merge branch 'akpm' (patches from Andrew)
2021-11-09 10:11:53 -08:00
nls
notify
fanotify: Allow users to request FAN_FS_ERROR events
2021-10-27 12:53:45 +02:00
ntfs
gfs2: Fix mmap + page fault deadlocks
2021-11-02 12:25:03 -07:00
ntfs3
gfs2: Fix mmap + page fault deadlocks
2021-11-02 12:25:03 -07:00
ocfs2
Merge branch 'exit-cleanups-for-v5.16' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
2021-11-10 16:15:54 -08:00
omfs
mm: require ->set_page_dirty to be explicitly wired up
2021-06-29 10:53:48 -07:00
openpromfs
orangefs
orangefs: three fixes from other folks...
2021-11-09 10:34:06 -08:00
overlayfs
overlayfs update for 5.16
2021-11-09 10:51:12 -08:00
proc
Merge branch 'akpm' (patches from Andrew)
2021-11-09 10:11:53 -08:00
pstore
lib: zstd: Add kernel-specific API
2021-11-08 16:55:21 -08:00
qnx4
qnx4: work around gcc false positive warning bug
2021-09-21 08:36:48 -07:00
qnx6
quota
\n
2021-11-06 16:40:48 -07:00
ramfs
Merge branch 'akpm' (patches from Andrew)
2021-11-09 10:11:53 -08:00
reiserfs
\n
2021-11-06 16:40:48 -07:00
romfs
smbfs_common
cifs: Move SMB2_Create definitions to the shared area
2021-11-05 09:55:36 -05:00
squashfs
lib: zstd: Add kernel-specific API
2021-11-08 16:55:21 -08:00
sysfs
fs/sysfs/dir.c: replace S_IRWXU|S_IRUGO|S_IXUGO with 0755 sysfs_create_dir_ns()
2021-10-05 16:35:05 +02:00
sysv
sysv: use BUILD_BUG_ON instead of runtime check
2021-11-09 10:02:52 -08:00
tracefs
tracefs: Have tracefs directories not set OTH permission bits by default
2021-10-08 18:08:43 -04:00
ubifs
fscrypt: remove fscrypt_operations::max_namelen
2021-09-20 19:32:33 -07:00
udf
udf: use sb_bdev_nr_blocks
2021-10-18 14:43:23 -06:00
ufs
isystem: ship and use stdarg.h
2021-08-19 09:02:55 +09:00
unicode
.gitignore: prefix local generated files with a slash
2021-05-02 00:43:35 +09:00
vboxsf
vboxfs: fix broken legacy mount signature checking
2021-09-27 11:26:21 -07:00
verity
fs-verity: fix signed integer overflow with i_size near S64_MAX
2021-09-22 10:56:34 -07:00
xfs
Minor tweaks for 5.16:
2021-11-14 12:18:22 -08:00
zonefs
gfs2: Fix mmap + page fault deadlocks
2021-11-02 12:25:03 -07:00
aio.c
Various hardening fixes and cleanups for 5.16-rc1
2021-11-01 17:29:10 -07:00
anon_inodes.c
fs: add anon_inode_getfile_secure() similar to anon_inode_getfd_secure()
2021-09-19 22:35:37 -04:00
attr.c
fs: Move notify_change permission checks into may_setattr
2021-08-13 00:41:05 -04:00
bad_inode.c
vfs: add rcu argument to ->get_acl() callback
2021-08-18 22:08:24 +02:00
binfmt_aout.c
binfmt: a.out: Fix bogus semicolon
2021-09-05 10:15:05 -07:00
binfmt_elf_fdpic.c
coredump: Limit coredumps to a single thread group
2021-10-08 12:06:02 -05:00
binfmt_elf.c
Merge branch 'akpm' (patches from Andrew)
2021-11-09 10:11:53 -08:00
binfmt_flat.c
binfmt: remove in-tree usage of MAP_EXECUTABLE
2021-06-29 10:53:50 -07:00
binfmt_misc.c
binfmt_script.c
buffer.c
fs: simplify init_page_buffers
2021-10-18 14:43:22 -06:00
char_dev.c
compat_binfmt_elf.c
coredump.c
coredump: Limit coredumps to a single thread group
2021-10-08 12:06:02 -05:00
d_path.c
d_path: fix Kernel doc validator complaining
2021-11-06 13:30:32 -07:00
dax.c
New code for 5.15:
2021-08-31 11:13:35 -07:00
dcache.c
useful constants: struct qstr for ".."
2021-04-15 22:36:45 -04:00
direct-io.c
fs: get rid of the res2 iocb->ki_complete argument
2021-10-25 10:36:24 -06:00
drop_caches.c
fs: drop_caches: fix skipping over shadow cache inodes
2021-09-03 09:58:10 -07:00
eventfd.c
eventfd: Export eventfd_wake_count to modules
2021-09-06 07:20:56 -04:00
eventpoll.c
ARM development updates for 5.15:
2021-09-09 13:25:49 -07:00
exec.c
Merge branch 'exit-cleanups-for-v5.16' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
2021-11-10 16:15:54 -08:00
fcntl.c
Merge branch 'akpm' (patches from Andrew)
2021-09-03 10:08:28 -07:00
fhandle.c
switch file_open_root() to struct path
2021-04-07 13:56:43 -04:00
file_table.c
file.c
virtio,vdpa,vhost: features, fixes
2021-09-11 14:48:42 -07:00
filesystems.c
fs: simplify get_filesystem_list / get_all_fs_names
2021-08-23 01:25:40 -04:00
fs_context.c
memcg: charge fs_context and legacy_fs_context
2021-09-03 09:58:12 -07:00
fs_parser.c
namei: Standardize callers of filename_lookup()
2021-09-07 16:07:47 -04:00
fs_pin.c
fs_struct.c
fs_types.c
fs-writeback.c
Various hardening fixes and cleanups for 5.16-rc1
2021-11-01 17:29:10 -07:00
fsopen.c
init.c
inode.c
Merge branch 'akpm' (patches from Andrew)
2021-11-09 10:11:53 -08:00
internal.h
Merge branch 'akpm' (patches from Andrew)
2021-11-09 10:11:53 -08:00
io_uring.c
io_uring: fix link traversal locking
2021-11-26 08:35:57 -07:00
io-wq.c
io-wq: serialize hash clear with wakeup
2021-11-11 17:39:46 -07:00
io-wq.h
io_uring: optimise INIT_WQ_LIST
2021-10-19 05:49:54 -06:00
ioctl.c
New code for 5.15:
2021-08-31 11:06:32 -07:00
Kconfig
4 cifs/smb3 fixes, one for DFS reconnect, and one to begin creating common headers for server and client and the other two to rename the cifs_common directory to smbfs_common to be more consistent ie change use of the name cifs to smb which is more accurate
2021-09-12 10:10:21 -07:00
Kconfig.binfmt
binfmt: remove support for em86 (alpha only)
2021-07-25 22:33:03 -07:00
kernel_read_file.c
vfs: check fd has read access in kernel_read_file_from_fd()
2021-10-18 20:22:03 -10:00
libfs.c
libfs: Support RENAME_EXCHANGE in simple_rename()
2021-11-03 15:43:08 +01:00
locks.c
locks: remove changelog comments
2021-10-19 14:11:39 -04:00
Makefile
4 cifs/smb3 fixes, one for DFS reconnect, and one to begin creating common headers for server and client and the other two to rename the cifs_common directory to smbfs_common to be more consistent ie change use of the name cifs to smb which is more accurate
2021-09-12 10:10:21 -07:00
mbcache.c
mount.h
mpage.c
namei.c
File locking changes for v5.16
2021-11-01 09:06:53 -07:00
namespace.c
Merge branch 'akpm' (patches from Andrew)
2021-09-03 10:08:28 -07:00
no-block.c
nsfs.c
open.c
Merge branch 'akpm' (patches from Andrew)
2021-11-06 14:08:17 -07:00
pipe.c
Revert "mm/gup: remove try_get_page(), call try_get_compound_head() directly"
2021-09-07 11:03:45 -07:00
pnode.c
pnode.h
posix_acl.c
fs/posix_acl.c: avoid -Wempty-body warning
2021-11-06 13:30:32 -07:00
proc_namespace.c
read_write.c
fs: remove leftover comments from mandatory locking removal
2021-10-26 12:20:50 -04:00
readdir.c
readdir: make sure to verify directory entry for legacy interfaces too
2021-04-17 11:39:49 -07:00
remap_range.c
fs: remove mandatory file locking support
2021-08-23 06:15:36 -04:00
select.c
Revert "memcg: enable accounting for pollfd and select bits arrays"
2021-09-07 11:26:23 -07:00
seq_file.c
seq_file: move seq_escape() to a header
2021-11-09 10:02:52 -08:00
signalfd.c
signal: Rename SIL_PERF_EVENT SIL_FAULT_PERF_EVENT for consistency
2021-07-23 13:16:43 -05:00
splice.c
stack.c
stat.c
fs: add generic helper for filling statx attribute flags
2021-08-17 11:47:43 +02:00
statfs.c
super.c
fs: explicitly unregister per-superblock BDIs
2021-11-06 13:30:34 -07:00
sync.c
block: simplify the block device syncing code
2021-10-22 08:36:55 -06:00
timerfd.c
timerfd: Provide timerfd_resume()
2021-08-10 17:57:22 +02:00
userfaultfd.c
userfaultfd: fix a race between writeprotect and exit_mmap()
2021-10-18 20:22:02 -10:00
utimes.c
xattr.c