Received: by 2002:a25:c205:0:0:0:0:0 with SMTP id s5csp7284395ybf; Fri, 6 Mar 2020 14:16:50 -0800 (PST) X-Google-Smtp-Source: ADFU+vteuHl4SnpfeL9/9JJYg5+DgsIFaz9/U4xfWqNlYr3hLfMEkTA+rNqNdg+q6TzENYMvjx9c X-Received: by 2002:a05:6808:997:: with SMTP id a23mr4252444oic.176.1583533010255; Fri, 06 Mar 2020 14:16:50 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1583533010; cv=none; d=google.com; s=arc-20160816; b=lmzJCEhA2JKUCXWZOZDR7ir7JApfn7HfUYgHWhvMZh3iv+8BpC1ATnjnjlQxHq+omY BH+bzFVAEyAnIDOZAp/kahx7AjOCGzNfok71XYzZM14viMNfYXhP3N0BC2s0fY1dc3QT A1OYtb8uh5/XX5onL3321VUx59G1iIknMo+z8r+z1UlqlANX1p7y4frN6mLgmRGVaMC7 9cBZMX8vjUxVMvByg9HW/eQmuv7FeVrpilifh+xt5wiZvA1s26IrWrvQAPQOgrHQxwrs qRXYcpS7oljK45mcSnoSieqai59tccqh8CRQixIvwngo+Pjv3TIhqiqh6fDDGN/NKQMY u8cQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :message-id:date:subject:to:from:dkim-signature; bh=/j1T882kpdTB+xU9Pa7Mjqyda6ZI9wU/9+N6UU71UIA=; b=0/8O6ib2smqP3lCEiPYR+yf9lT1WO+RFdEiQg4iHOWJuIc8/5UN8s6gfs2NbgtkIxY 37mkGewhk79WZPG3mjgVVYh4dGAyRZaimySe8J213KxFI+K5Qlnhsbp/pPx4gLlFs76z PNpSA0kMLGhuc11W1os1IPqXa1DCEiO3O9mCTlaSgG1StyxxMk74RkZG7z8cY0GVADaJ 41pGBg1h+2T1tM4i60/LcQwLkK+/m9Age6GCSpO1t2hskP4xFQEL88dtr9gbUccAEigs 7pYLKQw2/rwC3mK6HkdWl9Nsg846kCYpx4Ve9QnYJ4PZVtKde133c49nqB7U/+N26BQ+ ictQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b="uSDUuU/P"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h10si375648oie.63.2020.03.06.14.16.38; Fri, 06 Mar 2020 14:16:50 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b="uSDUuU/P"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726894AbgCFWQT (ORCPT + 99 others); Fri, 6 Mar 2020 17:16:19 -0500 Received: from mail-wm1-f65.google.com ([209.85.128.65]:35523 "EHLO mail-wm1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726368AbgCFWQT (ORCPT ); Fri, 6 Mar 2020 17:16:19 -0500 Received: by mail-wm1-f65.google.com with SMTP id m3so3978679wmi.0; Fri, 06 Mar 2020 14:16:18 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:subject:date:message-id:mime-version :content-transfer-encoding; bh=/j1T882kpdTB+xU9Pa7Mjqyda6ZI9wU/9+N6UU71UIA=; b=uSDUuU/P6iCMlQKs+oWn+03baStJwUexZeV0BAmAZo0lMI0eozSOhf6o/ZO9rjrJSZ 2jqejJz8gFQoJOVZjcZE2Gem13AwnewQ3t4Qkhw15zz0eWta3ESGvXnk7HU3hwjgP4M0 P1Kg2XVJCIJpPwR8ZR0F3q534uKCa2z3vhTsFMe2PEQX2QXeyQ3G9kZljKooLcllSFIL O9T7w2SPbiTgJFZkvDhQnmTn+/c8xIGyDGleLV5jk8+pQTkESd/UxK6xWUK4CmVRUpMJ WyiyAgluj7kUKlisVu5AyZZFwVAxQMLY7ZTJvHjvVH++wOKEpGuraRhesp3bXpzjJeZl h0Tw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:mime-version :content-transfer-encoding; bh=/j1T882kpdTB+xU9Pa7Mjqyda6ZI9wU/9+N6UU71UIA=; b=lARdoLeWJQ/PcPyYz/ibYz8h8r0aPY03jSPz7jn/rrBBPaO4VvvWrlIOh7+y7Lx9pY j6clW0a9bMhCUH3T2nu9E9chVlhNonDT+3uasOgfuHXCtHMHw9RcJ/duVqr0j4Hns21h j0U13nSfzn9FqAAkJJ0ky1fR39lCwNzWUBgQHW7fA7WG2fI3fc/f1SNp9HIq7le4mu1D ZOo+RL/rysBiddxSz13Eh4Kkv399f3x+j/EPFF8+SEDB+W9rt5DySRFYitc/f5c7JAUY u5viCnTzujsoE/+X4DMio5iJ1KAyzTwe1eHY3gyHHdLwplDLNE2wJci8eG/oyyma+fFU oMnw== X-Gm-Message-State: ANhLgQ0m9NPg8Grc3KefEyPb4KGj1hbnAOlmhCc2NepcReZLiyxhhtPe sFP0dsYA6NDZ95isKRSW4UyDqcmU X-Received: by 2002:a7b:c76a:: with SMTP id x10mr6028129wmk.49.1583532977341; Fri, 06 Mar 2020 14:16:17 -0800 (PST) Received: from localhost.localdomain ([109.126.130.242]) by smtp.gmail.com with ESMTPSA id g7sm50350384wrq.21.2020.03.06.14.16.16 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 06 Mar 2020 14:16:16 -0800 (PST) From: Pavel Begunkov To: Jens Axboe , io-uring@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH 1/1] io_uring: fix lockup with timeouts Date: Sat, 7 Mar 2020 01:15:22 +0300 Message-Id: <54e141c75da11f55f607d53c54943b9fee5bbd70.1583532280.git.asml.silence@gmail.com> X-Mailer: git-send-email 2.24.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org There is a recipe to deadlock the kernel: submit a timeout sqe with a linked_timeout (e.g. test_single_link_timeout_ception() from liburing), and SIGKILL the process. Then, io_kill_timeouts() takes @ctx->completion_lock, but the timeout isn't flagged with REQ_F_COMP_LOCKED, and will try to double grab it during io_put_free() to cancel the linked timeout. Probably, the same can happen with another io_kill_timeout() call site, that is io_commit_cqring(). Signed-off-by: Pavel Begunkov --- fs/io_uring.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/io_uring.c b/fs/io_uring.c index 104f76aace29..94eca92d1354 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -1089,6 +1089,7 @@ static void io_kill_timeout(struct io_kiocb *req) if (ret != -1) { atomic_inc(&req->ctx->cq_timeouts); list_del_init(&req->list); + req->flags |= REQ_F_COMP_LOCKED; io_cqring_fill_event(req, 0); io_put_req(req); } -- 2.24.0