Subject: Re: possible deadlock in __io_queue_deferred
To: syzbot, io-uring@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk
References: <00000000000035fdf505ac87b7f9@google.com>
From: Jens Axboe
Message-ID: <76cc7c43-2ebb-180d-c2c8-912972a3f258@kernel.dk>
Date: Mon, 10 Aug 2020 09:55:17 -0600

On 8/10/20 9:36 AM, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 449dc8c9 Merge tag 'for-v5.9' of git://git.kernel.org/pub/..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=14d41e02900000
> kernel config: https://syzkaller.appspot.com/x/.config?x=9d25235bf0162fbc
> dashboard link: https://syzkaller.appspot.com/bug?extid=996f91b6ec3812c48042
> compiler: clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=133c9006900000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1191cb1a900000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+996f91b6ec3812c48042@syzkaller.appspotmail.com

Thanks, the below should fix this one.

diff --git a/fs/io_uring.c b/fs/io_uring.c index 443eecdfeda9..f9be665d1c5e 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -898,6 +898,7 @@ static void io_put_req(struct io_kiocb *req); static void io_double_put_req(struct io_kiocb *req); static void __io_double_put_req(struct io_kiocb *req); static struct io_kiocb *io_prep_linked_timeout(struct io_kiocb *req); +static void __io_queue_linked_timeout(struct io_kiocb *req); static void io_queue_linked_timeout(struct io_kiocb *req); static int __io_sqe_files_update(struct io_ring_ctx *ctx, struct io_uring_files_update *ip, 
@@ -1179,7 +1180,7 @@ static void io_prep_async_link(struct io_kiocb *req) io_prep_async_work(cur); } -static void __io_queue_async_work(struct io_kiocb *req) +static struct io_kiocb *__io_queue_async_work(struct io_kiocb *req) { struct io_ring_ctx *ctx = req->ctx; struct io_kiocb *link = io_prep_linked_timeout(req); @@ -1187,16 +1188,19 @@ static void __io_queue_async_work(struct io_kiocb *req) trace_io_uring_queue_async_work(ctx, io_wq_is_hashed(&req->work), req, &req->work, req->flags); io_wq_enqueue(ctx->io_wq, &req->work); - - if (link) - io_queue_linked_timeout(link); + return link; } static void io_queue_async_work(struct io_kiocb *req) { + struct io_kiocb *link; + /* init ->work of the whole link before punting */ io_prep_async_link(req); - __io_queue_async_work(req); + link = __io_queue_async_work(req); + + if (link) + io_queue_linked_timeout(link); } static void io_kill_timeout(struct io_kiocb *req) @@ -1229,12 +1233,19 @@ static void __io_queue_deferred(struct io_ring_ctx *ctx) do { struct io_defer_entry *de = list_first_entry(&ctx->defer_list, struct io_defer_entry, list); + struct io_kiocb *link; if (req_need_defer(de->req, de->seq)) break; list_del_init(&de->list); /* punt-init is done before queueing for defer */ - __io_queue_async_work(de->req); + link = __io_queue_async_work(de->req); + if (link) { + __io_queue_linked_timeout(link); + /* drop submission reference */ + link->flags |= REQ_F_COMP_LOCKED; + io_put_req(link); + } kfree(de); } while (!list_empty(&ctx->defer_list)); } 
@@ -5945,15 +5956,12 @@ static enum hrtimer_restart io_link_timeout_fn(struct hrtimer *timer) return HRTIMER_NORESTART; } -static void io_queue_linked_timeout(struct io_kiocb *req) +static void __io_queue_linked_timeout(struct io_kiocb *req) { - struct io_ring_ctx *ctx = req->ctx; - /* * If the list is now empty, then our linked request finished before * we got a chance to setup the timer */ - spin_lock_irq(&ctx->completion_lock); if (!list_empty(&req->link_list)) { struct io_timeout_data *data = &req->io->timeout; @@ -5961,6 +5969,14 @@ static void io_queue_linked_timeout(struct io_kiocb *req) hrtimer_start(&data->timer, timespec64_to_ktime(data->ts), data->mode); } +} + +static void io_queue_linked_timeout(struct io_kiocb *req) +{ + struct io_ring_ctx *ctx = req->ctx; + + spin_lock_irq(&ctx->completion_lock); + __io_queue_linked_timeout(req); spin_unlock_irq(&ctx->completion_lock); /* drop submission reference */ -- Jens Axboe
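
Review bot: __io_queue_async_work() now returns the linked timeout instead of queueing it, but nothing at the definition says the caller is responsible for arming it, so a future caller that ignores the return value would silently leave the timeout unarmed. A short comment above the function stating that the returned request must be passed to io_queue_linked_timeout() or __io_queue_linked_timeout(), or a __must_check annotation, would make that contract explicit.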
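
Review bot: In the __io_queue_deferred() hunk, `link->flags |= REQ_F_COMP_LOCKED;` sits under a comment that only describes the put ("drop submission reference"), so the reason for setting the flag before io_put_req(link) is undocumented. Since this path calls the unlocked __io_queue_linked_timeout() directly, it presumably runs with ctx->completion_lock already held; the comment should say so and say that the flag is what makes the put safe in that context. This also open-codes the tail of io_queue_linked_timeout(); a small helper for the locked variant would keep the two paths from drifting.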
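
Review bot: __io_queue_linked_timeout() no longer takes ctx->completion_lock itself, yet the function carries no statement that the caller must hold it, and the retained comment about the list being empty reads as before. Adding `lockdep_assert_held(&req->ctx->completion_lock);` at the top of the helper would document the requirement and let lockdep catch a caller that gets it wrong, which matters here because the split exists precisely to separate locked and unlocked callers.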