Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp4881347pxj; Wed, 9 Jun 2021 04:20:50 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxPwZgHYQsOVCaYAtbw4exA4wPoqReNHhXJsXf1QooblhF1DQTLlYaCD1zXp2BTj21oKj6Y X-Received: by 2002:a05:6402:cb4:: with SMTP id cn20mr29534757edb.334.1623237650559; Wed, 09 Jun 2021 04:20:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1623237650; cv=none; d=google.com; s=arc-20160816; b=ihaT0e/n+NYY/khYfbeDKBRW/QQekw50cZyFDBxl/OYzG4JCyyfuL43/PyMIf1avb0 jBGseci5izP/ZZdF64tvwxS43MUWWhpZw5aH6So1hW+XY1Z/qPjBAU/LbvD+5Ns0AUz7 xE6PzfGXKiA22SMQO6BWivTNXsAluJV9wHvhkC9Mj6KJ9MGSA249WiNAiYHBVYWm0Cua egpa0oTuFFCCHjSqR1XmYC6qqu8j6F56Cw8HGi0IQtH5SzQdUShFJENZBW/tmXddUE8V 48tzv2RTyttwe+Va6SAR1ws49O/LFzgmha2EALcnNd5zjIKebeXyfeOl/q58p2PF/aBK Z1kg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=Q4tQH339bD49XXO4E0t+EHpBti5AHumfC1ltcrWuqe4=; b=AxgL8yVB3GQYaSnuCyznVERWUCKN0UTaYH1N2fkDd8+omI7YZVCfYJz1kMwKiX2tSF bl0JQ6RKuRsoe0sbzTp1LYmLSkedEs3IhFpenziqu5oO2fWEJ6kxTMvYj07Jay6gAfLf 0jzOyXTvSHgItKXeg/DVJtLLFijgyLaxU1lRvOB2tv1X993Fc/VdfGHj0lISEaNpksGh 0hbXS8SJyJA37FToAj8g5KyNT9iM6Ej0EuYHO/3HPrfACZRUL95GLOt54oolWMcBj53r j5cwe3v6aB4diT2UXGE9PDe/B4HcTQmJUVkXwtEA+PJurLtXe/44Ftx3XDYEIfhK6vYs VKdA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=U17GE7+Y; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id s7si2389915ejd.662.2021.06.09.04.20.26; Wed, 09 Jun 2021 04:20:50 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=U17GE7+Y; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234769AbhFHT0n (ORCPT + 99 others); Tue, 8 Jun 2021 15:26:43 -0400 Received: from mail.kernel.org ([198.145.29.99]:58764 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236304AbhFHTNz (ORCPT ); Tue, 8 Jun 2021 15:13:55 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id BB27461959; Tue, 8 Jun 2021 18:49:54 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1623178195; bh=weSRea2QOkWVWpA1lEqEn9Cg7/2yqFa+Gce8M538pxQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=U17GE7+YecRSk9hOILi1CbuUZEGLnsIzZLk9p2KSzVtTNxbr025x5G2zyrGsexHt3 eM7La5NoruRYDxO27IpRmXOZCkcngsk/T9/gheYEUh3EagnPlASJ49k/fUyqlmgrT6 6oNxMBvkNr+Mi1ZFV2GHmHFd0f4LBDxG9hgnG4hM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+a2910119328ce8e7996f@syzkaller.appspotmail.com, Pavel Begunkov , Jens Axboe , Sasha Levin Subject: [PATCH 5.12 085/161] io_uring: fix link timeout refs Date: Tue, 8 Jun 2021 20:26:55 +0200 Message-Id: <20210608175948.308619441@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210608175945.476074951@linuxfoundation.org> References: <20210608175945.476074951@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Pavel Begunkov [ Upstream commit a298232ee6b9a1d5d732aa497ff8be0d45b5bd82 ] WARNING: CPU: 0 PID: 10242 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28 RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28 Call Trace: __refcount_sub_and_test include/linux/refcount.h:283 [inline] __refcount_dec_and_test include/linux/refcount.h:315 [inline] refcount_dec_and_test include/linux/refcount.h:333 [inline] io_put_req fs/io_uring.c:2140 [inline] io_queue_linked_timeout fs/io_uring.c:6300 [inline] __io_queue_sqe+0xbef/0xec0 fs/io_uring.c:6354 io_submit_sqe fs/io_uring.c:6534 [inline] io_submit_sqes+0x2bbd/0x7c50 fs/io_uring.c:6660 __do_sys_io_uring_enter fs/io_uring.c:9240 [inline] __se_sys_io_uring_enter+0x256/0x1d60 fs/io_uring.c:9182 io_link_timeout_fn() should put only one reference of the linked timeout request, however in case of racing with the master request's completion first io_req_complete() puts one and then io_put_req_deferred() is called. Cc: stable@vger.kernel.org # 5.12+ Fixes: 9ae1f8dd372e0 ("io_uring: fix inconsistent lock state") Reported-by: syzbot+a2910119328ce8e7996f@syzkaller.appspotmail.com Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/ff51018ff29de5ffa76f09273ef48cb24c720368.1620417627.git.asml.silence@gmail.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin --- fs/io_uring.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/io_uring.c b/fs/io_uring.c index 144056b0cac9..89f4e5e80b9e 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -6272,6 +6272,7 @@ static enum hrtimer_restart io_link_timeout_fn(struct hrtimer *timer) if (prev) { io_async_find_and_cancel(ctx, req, prev->user_data, -ETIME); io_put_req_deferred(prev, 1); + io_put_req_deferred(req, 1); } else { io_req_complete_post(req, -ETIME, 0); io_put_req_deferred(req, 1); -- 2.30.2