Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp2001910pxk;
        Tue, 1 Sep 2020 13:04:14 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJzbxLfAAXR49m6xW12J91fbrUUA+E9WgRwTnGdQUufh63XRe8FtvbNOjqQdBlCHqGg9t6Oe
X-Received: by 2002:a17:906:d209:: with SMTP id w9mr3072114ejz.93.1598990654336;
        Tue, 01 Sep 2020 13:04:14 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1598990654; cv=none;
        d=google.com; s=arc-20160816;
        b=iGHFLQTR4TW4iHltIbLjNxCuzBS2WvBthFc1otLU051tEsiKSBK69yWcmWJ505YXzu
         KP0z2h/FUBzN3km5EyMIxP3auJ3TDAKlIMuBGQKki7DhbGHyqlZtC2zTbSDqGg2D70P4
         JKWR7DXiRkD65F+/RpmBVTpMTQwO2CT7G23+AIpeCuNmckOZosaPs7mKhg0GkfU536rf
         QgfwJtb6di9iteoLxUG+P/cPQDIrK0JQhJQ0CBjWLPKDJuPWT8pl+x2k/mJoCdng/fLr
         +BELJFUL9bKb/A/zcBloTPGeyja4kHwfRa4uGgj15m3+iq2MPrT4AWRMtcKm9ee0OEpU
         eldg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:references:cc:to:from:subject:dkim-signature;
        bh=0TFvfjapBtpOjCK3cnf0JVXwOOm9nRjQC9YR5LerqTw=;
        b=rx8YtDH03+xZBfjw7inxpgnfjBOqTLsZjqd40X6pXJjWibxlDlqLseiSktGyqV4G+a
         1UWt+kHzP7xv2/i+zPNlAqaxlm4b6CuSdxTi9OugQgo/AhkRDdQrLUG8gcCKgAjghrlp
         dqrwkF2MoP++OajJ2JZy1VdjSDzp8ENTK62OundHLcODpWzLbjSqDiIVEUIxeH4JEBtz
         xXbe20ekNKzy4VAtavt4kfE0wtWkvOPZRSG75aQ0bdWQ2dxG/JREoWNR8Rxzmr6MVUqD
         VWTGZ27HwVpSKovnStFFaQVIgwPRBZfTzPnULPeKtH+d1xGJmzNMaRIGr7jkgt5MqwS+
         8mEQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel-dk.20150623.gappssmtp.com header.s=20150623 header.b=KZizb+Dd;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id f27si1286628ejt.420.2020.09.01.13.03.46;
        Tue, 01 Sep 2020 13:04:14 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel-dk.20150623.gappssmtp.com header.s=20150623 header.b=KZizb+Dd;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1732790AbgIAUCF (ORCPT <rfc822;thunderbird.krnldev@gmail.com>
        + 99 others); Tue, 1 Sep 2020 16:02:05 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39840 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1732568AbgIAUCD (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 1 Sep 2020 16:02:03 -0400
Received: from mail-pj1-x1042.google.com (mail-pj1-x1042.google.com [IPv6:2607:f8b0:4864:20::1042])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4DA34C061246
        for <linux-kernel@vger.kernel.org>; Tue,  1 Sep 2020 13:02:03 -0700 (PDT)
Received: by mail-pj1-x1042.google.com with SMTP id ls14so1147760pjb.3
        for <linux-kernel@vger.kernel.org>; Tue, 01 Sep 2020 13:02:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=kernel-dk.20150623.gappssmtp.com; s=20150623;
        h=subject:from:to:cc:references:message-id:date:user-agent
         :mime-version:in-reply-to:content-language:content-transfer-encoding;
        bh=0TFvfjapBtpOjCK3cnf0JVXwOOm9nRjQC9YR5LerqTw=;
        b=KZizb+DdvnIhtxo9NJ/Mj4uCuEuWwUiJI2z2QI8dHInz2CbTiSw03qvl8d7N0gM/VK
         lZouzCV/sW+xZ0kBkq0kvenYq2rqkgf1HiE1wQoFV5I9UkGWHNHNImzOgvpN51xuPvyW
         Q8LffDrfTl4v2t9wFOHvUHZPDnurDYyg2OkTAdWlbQTTjQVdENs5I+//6wTXWNIMPGmk
         PUAUi+KsPluN8g1Gb6uzv0uQJEgtnyeqwNPb4nIOFIp9HTanGC1w2ooJx5O2WatjtOFh
         s+BwRafjpzAi3X+pEXXgTO+TY6Dd1ORudlPnSa6MtteW2sdiz706begthdfAItvuS9PT
         evbA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:from:to:cc:references:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=0TFvfjapBtpOjCK3cnf0JVXwOOm9nRjQC9YR5LerqTw=;
        b=c0aj9O1moVc//ko2DjzaFzwC6DUeYlfcZk/FUiDWGJ1/zpznpp+n1oHCxvFxYKYUZS
         awi0d3xKnKh1gEvmH+IsNLSwuN9MV/Se559Tga78X0ZQpPVNyQjGRk1nL+l9XkskB6rs
         jucysMoJElDYqnJG97WmRH5cuRYWszNN2db7W1Tx6kTqxE4toWVlQDGrBH5GpbpMimX5
         6+J6Hi+uQ1HDY7Iuc4oHjneWB/Dsga2GPYsjGSM2kkeq3UyaCFzjt2mSKX77kPrnF7Jv
         wqW4U1rINarZtC414toaMdMT5iAiJonICxInrk4TtgfZN+UA/EcjDjwZDim8umFUs13L
         L3uA==
X-Gm-Message-State: AOAM531LjS6dUGaIUiLJ5ETHpUa9/0GY79rJAiglsM2KtyYHAXQ7UtfK
        ts+ULHvHGL5eXRXIPNCFEzCQggYgayd+i5hW
X-Received: by 2002:a17:902:6a8b:: with SMTP id n11mr2849235plk.75.1598990522125;
        Tue, 01 Sep 2020 13:02:02 -0700 (PDT)
Received: from [192.168.1.187] ([66.219.217.173])
        by smtp.gmail.com with ESMTPSA id x188sm2851565pfb.37.2020.09.01.13.02.00
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Tue, 01 Sep 2020 13:02:01 -0700 (PDT)
Subject: Re: [PATCH] io_uring: Fix NULL pointer dereference in
 io_sq_wq_submit_work()
From:   Jens Axboe <axboe@kernel.dk>
To:     yinxin_1989 <yinxin_1989@aliyun.com>,
        viro <viro@zeniv.linux.org.uk>
Cc:     linux-block <linux-block@vger.kernel.org>,
        linux-fsdevel <linux-fsdevel@vger.kernel.org>,
        linux-kernel <linux-kernel@vger.kernel.org>
References: <20200901015442.44831-1-yinxin_1989@aliyun.com>
 <ae9f3887-5205-8aa8-afa7-4e01d03921bc@kernel.dk>
 <67f27d17-81fa-43a8-baa9-429b1ccd65d0.yinxin_1989@aliyun.com>
 <4eeefb43-488c-dc90-f47c-10defe6f9278@kernel.dk>
Message-ID: <98f2cbbf-4f6f-501b-2f4e-1b8b803ce6a6@kernel.dk>
Date:   Tue, 1 Sep 2020 14:01:59 -0600
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <4eeefb43-488c-dc90-f47c-10defe6f9278@kernel.dk>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 9/1/20 8:52 AM, Jens Axboe wrote:
> On 8/31/20 10:59 PM, yinxin_1989 wrote:
>>
>>> On 8/31/20 7:54 PM, Xin Yin wrote:
>>>> the commit <1c4404efcf2c0> ("<io_uring: make sure async workqueue
>>>> is canceled on exit>") caused a crash in io_sq_wq_submit_work().
>>>> when io_ring-wq get a req form async_list, which may not have been
>>>> added to task_list. Then try to delete the req from task_list will caused
>>>> a "NULL pointer dereference".
>>>
>>> Hmm, do you have a reproducer for this?
>>
>> I update code to linux5.4.y , and I can reproduce this issue on an arm
>> board and my x86 pc by fio tools.
> 
> Right, I figured this was 5.4 stable, as that's the only version that
> has this patch.

I took a closer look, and I think your patch can basically be boiled down
to this single hunk. If you agree, can you resend your patch with the
description based on that, then I'll get it queued up for 5.4-stable.
Thanks!

diff --git a/fs/io_uring.c b/fs/io_uring.c
index fada14ee1cdc..cbbcd85780c4 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -2378,6 +2378,16 @@ static bool io_add_to_prev_work(struct async_list *list, struct io_kiocb *req)
 		list_del_init(&req->list);
 		ret = false;
 	}
+
+	if (ret) {
+		struct io_ring_ctx *ctx = req->ctx;
+		unsigned long flags;
+
+		spin_lock_irqsave(&ctx->task_lock, flags);
+		list_add(&req->task_list, &ctx->task_list);
+		req->work_task = NULL;
+		spin_unlock_irqrestore(&ctx->task_lock, flags);
+	}
 	spin_unlock(&list->lock);
 	return ret;
 }

-- 
Jens Axboe