Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp2608897yba; Mon, 22 Apr 2019 09:45:25 -0700 (PDT) X-Google-Smtp-Source: APXvYqwx/0CY+n3e88CUkXLub0DqfQXp4yHS0TE9Lvi5oDVvHB6mewS6Xv47SJeqrB97/AFNHtxB X-Received: by 2002:a17:902:7293:: with SMTP id d19mr5662483pll.98.1555951525363; Mon, 22 Apr 2019 09:45:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1555951525; cv=none; d=google.com; s=arc-20160816; b=yCZOM8tz14EDDl4Z5l/z/8zEbna4LU6onBievUBj8bPcaIbcAGOec1Is4UJ/7gyvlT I8oHABhnGn0IAMdXhTD+it/IFFyxxh8HY6/iNmCsoG7ArkY9rDxBjAOQjRaGW6dd2HFz 1N9r5p5ghtgGJhrOOxJRyAKsx8m/8ez2dZGLVdgfmfs+muuBs5sbMU8NDnYChmsiDRl3 so9PlqcF/N0WFx1jgAx8QvUGG3nXm34iDXKUk+wAqTg3N0LsApiJnaXSaOn/a6klK9qt qSu1lN8FhSwJltnBRIsqcpmLMAOvSg7ElpFuCkAn3eZ0CfhrhUkG2+UtLdai/DDk/8s7 6QAQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature; bh=0YMZftlMUHZo7PBuxCI1tlSTMOcGrZlt8hFWgHl+L+E=; b=c6019z6FmqYdwKCHW+2aPZd5diC9pnfK2jBTPnAxyeC6nYs4B9FidR9DvLG5POQpuo tgxh2a3ZVc2NBxeC5Civ72Jnnsvk6OLNnWZ3bpX6AkP20eHPkD9pzHP6wRO/Zv/aWnyQ uoTsWZhMxMCLBKhWRRFnG/sPpo8Z1DuWWtyi74BaS1MwXCc/zVBLIk0xjAi75I4+FQeZ LPJ2wupb6TwO904Yr337Y7Xhqcsj7gWyUBUJfNLfMeih9MNWQ/rEf0Co/LBgZ8aPTNxl Id+ZTLe2CJW1i4GQaORkxmAy4kLPVweFK7XcLhaNSWd/jr9nreMWJFOquIlsIzEd3YrE OtMQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel-dk.20150623.gappssmtp.com header.s=20150623 header.b=k1SOaDoO; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z8si12292739pgu.217.2019.04.22.09.45.10; Mon, 22 Apr 2019 09:45:25 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel-dk.20150623.gappssmtp.com header.s=20150623 header.b=k1SOaDoO; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728175AbfDVQ2g (ORCPT + 99 others); Mon, 22 Apr 2019 12:28:36 -0400 Received: from mail-it1-f194.google.com ([209.85.166.194]:52692 "EHLO mail-it1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726305AbfDVQ2f (ORCPT ); Mon, 22 Apr 2019 12:28:35 -0400 Received: by mail-it1-f194.google.com with SMTP id x132so18673150itf.2 for ; Mon, 22 Apr 2019 09:28:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel-dk.20150623.gappssmtp.com; s=20150623; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=0YMZftlMUHZo7PBuxCI1tlSTMOcGrZlt8hFWgHl+L+E=; b=k1SOaDoOUBGXWP4VwKGtXgfEEyuzmixr1cJ1d4C29trp67nQliQ+3pBmPbjJl3Fh28 eDGqK+5+XTNMXKQmJnQ16lWq7a3CSAZkHCynXnAzOBK3wzIdjfRVQhP4OOHPgMfMMhOo ZkUiLX6JjP24oBas7VZvzqeGy5FD3gjyF5A7KHbeWlK5mNPAGUJLkJAwNBSoOGXPUris AP5jxRtJksBdcNFWVBuaWJHaX1aq4IIiREnINPy5T3OOj3gWfd7Icfke/dAV8H4kqBti yeVHDEzkubxwwzNsODVDrpub8ixtnxhTkt7Ky3t5fyHpqO+4vCjEHXKYB5wrAJx0d/As cQPw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=0YMZftlMUHZo7PBuxCI1tlSTMOcGrZlt8hFWgHl+L+E=; b=IlKaiWf6TRokx8x8/qELvAkYbs3sofHgpMUI3nBDMgNGEYpL46HEBAAuAP49cylFeP tUctIt4RD2Y2x4SUmoYSyKAmvcdPOOq0SEBrD5TzeP6hFGlkRKqmXtuFej5D+kQIbewO WgGw3Zmg6OiFtMWC06BP+IayemSV7NmAyeGdn4dn5hBQqCvVnB0dHe81zGvaDEs1RuQI 2+N9WulJ3Ir5D6F89+hu3DTuYSUkIOah3G5xwx9CEXSlDkaX1sAt3PE3gLIRzJlDPlbe u2CQM0wfvRNvWKGVbCUX0DybRzLkMwtqhkn3kD3owXLB5MdecMh9R9cv9HZTwPw/ovk2 GzCw== X-Gm-Message-State: APjAAAUkG+ov8FQjYjNvS5CYFqpOd9FhbsdI1BrRsiKEtBB2GPJN2EJa Zp/G4YyxerV3CTn68DKs8y/QMA== X-Received: by 2002:a02:1649:: with SMTP id a70mr14313951jaa.116.1555950514747; Mon, 22 Apr 2019 09:28:34 -0700 (PDT) Received: from [192.168.1.158] ([216.160.245.98]) by smtp.gmail.com with ESMTPSA id u66sm4500447ioe.74.2019.04.22.09.28.32 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 22 Apr 2019 09:28:33 -0700 (PDT) Subject: Re: WARNING in percpu_ref_kill_and_confirm To: Linus Torvalds , syzbot Cc: Arnd Bergmann , Borislav Petkov , "Darrick J. Wong" , Greg Kroah-Hartman , Peter Anvin , Linux API , linux-arch , linux-block , linux-fsdevel , Linux List Kernel Mailing , Andrew Lutomirski , Mathieu Desnoyers , Ingo Molnar , Michael Ellerman , syzkaller-bugs , Thomas Gleixner , Al Viro , the arch/x86 maintainers References: <00000000000043fe9c058720a5d3@google.com> From: Jens Axboe Message-ID: <224b0113-979a-01c3-49a0-6170f075cdae@kernel.dk> Date: Mon, 22 Apr 2019 10:28:32 -0600 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 4/22/19 10:23 AM, Linus Torvalds wrote: > On Mon, Apr 22, 2019 at 9:06 AM syzbot > wrote: >> >> >> The bug was bisected to: >> >> commit 38e7571c07be01f9f19b355a9306a4e3d5cb0f5b >> Author: Linus Torvalds >> Date: Fri Mar 8 22:48:40 2019 +0000 >> >> Merge tag 'io_uring-2019-03-06' of git://git.kernel.dk/linux-block >> >> percpu_ref_kill_and_confirm called more than once on io_ring_ctx_ref_free! > > So I don't see how that happens in the original code (because > __io_uring_register() is called with the uring_lock held), but let's > see. > > HOWEVER. > > I do see how it happens now as of the latest kernel as of commit > b19062a56726 ("io_uring: fix possible deadlock between > io_uring_{enter,register}") where the code explicitly drops the mutex > in order to wait for other uring users to finish. > > So Jens, I think that commit was buggy. I suspect that > io_uring_register() should perhaps do something like > > --- a/fs/io_uring.c > +++ b/fs/io_uring.c > @@ -2934,7 +2934,10 @@ static int __io_uring_register(struct > io_ring_ctx *ctx, unsigned opcode, > { > int ret; > > + if (!percpu_ref_tryget(&ctx->refs)) > + return -EBUSY; > percpu_ref_kill(&ctx->refs); > + percpu_ref_put(&ctx->refs); > > /* > * Drop uring mutex before waiting for references to exit. If another > > to guarantee that it's the *only* case of io_uring_register() doing that kill. > > Hmm? Just sent out something as well. I think we can get by with just checking if it's dying, or we can go the route of what you did which is actually very similar to what the earlier versions did. Both versions should fix the issue. I'll test just to be totally sure. -- Jens Axboe