Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp2660825pxa; Mon, 17 Aug 2020 15:50:03 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxAw7oFQFP7taaQLI72R5tQmll7CIFGLG4wHXQsHT1upw7obylyaLWnhN4osa2Wy5a8m4My X-Received: by 2002:a17:906:80d3:: with SMTP id a19mr18162901ejx.217.1597704603509; Mon, 17 Aug 2020 15:50:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1597704603; cv=none; d=google.com; s=arc-20160816; b=fB9PUXjJWjLYGVX6tth1OgC870gu1+hoCjdhD2uGGLgDfr/3V4/+DcOz9FLQ9pZCO7 41ZBVFsWvfr9wTvIbVgFhY4lTY3+cOaReK8l06hxInOmScJKUoltGXPX8eF1O1NDp+Et umyLJBMoAwC6un6XZZS3eqeXWnakANiGgAbAF8NUkgps/oBzqDMxm1G2DVXBFx8rFd3o Sa5dSsxJbpTd1nh8VnOSLgE0CTiZQkowpaVK7eAxieLSpZjGzSEEKDixumhVceSYDqX2 C5Z7tbgu01eyT5Z5TONWXukyMa4eTHQ1UiTZakaQ2NUuVxkMVDwVeP8Xp3UpUEMQ2Fv6 KtRA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=Hg1CmmVxEV7i91K4FgkxJZSPJHgAYxFDVRZHRkuJHdE=; b=St5MKakLezM/EfY6pYZwNOaSrSssVQxBNwhsCzWXBjwMLaEYjKwsGlKPqbptuve+cx cYBOirK/wq+qe8Ol6qfXDD1qMX0j73HGmhSOkoRndvyEgpqkv/TLMirxMPVPifQDCuqo 9DsrDZXlJ2dvOdGDYpLcPFMgMBVfafQhWiddrVAJKhbd8e6pYJWBG2FKmfCeInw4Uwio 1tvnstgmVTBA7wkdwAoIWhBAQ1UGyGtdZ1K/uAnAnDOXhzcUDxCGNrOC4dYmruWSAWNf lmCsq4OUWnnIxOak4HiA7ZaBDydTtxfzsfpLbIB5nDymampQ1c5XJqEqXVHGqy1t7Z1X xryQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Kw2h9G5Q; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id h14si11724982eds.339.2020.08.17.15.49.39; Mon, 17 Aug 2020 15:50:03 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=Kw2h9G5Q; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731901AbgHQTOe (ORCPT + 99 others); Mon, 17 Aug 2020 15:14:34 -0400 Received: from mail.kernel.org ([198.145.29.99]:48798 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2387478AbgHQPkM (ORCPT ); Mon, 17 Aug 2020 11:40:12 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 0C05A23123; Mon, 17 Aug 2020 15:40:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1597678806; bh=9kbtJj5MZYdGlCALe7/YrBS+f1CSatDlU2VRx8ZXG9Q=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=Kw2h9G5QiA5WPid7AuhXMyrnvMiITD2so0R1f+h/bNO0WIBV+rbDSMOQGf3PtwQtG rCSgbzzKdszIcyFgP89vv5EoYF0VGv5PsawRB8qz+7avmREoNjilqtmP9hj7ODFyc/ jmfZxn2ZFQd5uGobfNGKiRGqvUa4Nx0SOEfqPRu0= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com, Jens Axboe Subject: [PATCH 5.8 461/464] io_uring: hold ctx reference around task_work queue + execute Date: Mon, 17 Aug 2020 17:16:54 +0200 Message-Id: <20200817143855.860533637@linuxfoundation.org> X-Mailer: git-send-email 2.28.0 In-Reply-To: <20200817143833.737102804@linuxfoundation.org> References: <20200817143833.737102804@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jens Axboe commit 6d816e088c359866f9867057e04f244c608c42fe upstream. We're holding the request reference, but we need to go one higher to ensure that the ctx remains valid after the request has finished. If the ring is closed with pending task_work inflight, and the given io_kiocb finishes sync during issue, then we need a reference to the ring itself around the task_work execution cycle. Cc: stable@vger.kernel.org # v5.7+ Reported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman --- fs/io_uring.c | 6 ++++++ 1 file changed, 6 insertions(+) --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -4140,6 +4140,8 @@ static int __io_async_wake(struct io_kio tsk = req->task; req->result = mask; init_task_work(&req->task_work, func); + percpu_ref_get(&req->ctx->refs); + /* * If this fails, then the task is exiting. When a task exits, the * work gets canceled, so just cancel this request as well instead @@ -4239,6 +4241,7 @@ static void io_poll_task_handler(struct static void io_poll_task_func(struct callback_head *cb) { struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work); + struct io_ring_ctx *ctx = req->ctx; struct io_kiocb *nxt = NULL; io_poll_task_handler(req, &nxt); @@ -4249,6 +4252,7 @@ static void io_poll_task_func(struct cal __io_queue_sqe(nxt, NULL); mutex_unlock(&ctx->uring_lock); } + percpu_ref_put(&ctx->refs); } static int io_poll_double_wake(struct wait_queue_entry *wait, unsigned mode, @@ -4365,6 +4369,7 @@ static void io_async_task_func(struct ca if (io_poll_rewait(req, &apoll->poll)) { spin_unlock_irq(&ctx->completion_lock); + percpu_ref_put(&ctx->refs); return; } @@ -4402,6 +4407,7 @@ end_req: req_set_fail_links(req); io_double_put_req(req); } + percpu_ref_put(&ctx->refs); } static int io_async_wake(struct wait_queue_entry *wait, unsigned mode, int sync,