From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Pavel Begunkov, Jens Axboe, syzbot+ac957324022b7132accf@syzkaller.appspotmail.com
Subject: [PATCH 5.13 193/223] io_uring: remove double poll entry on arm failure
Date: Mon, 26 Jul 2021 17:39:45 +0200
Message-Id: <20210726153852.507980438@linuxfoundation.org>
In-Reply-To: <20210726153846.245305071@linuxfoundation.org>
References: <20210726153846.245305071@linuxfoundation.org>

From: Pavel Begunkov

commit 46fee9ab02cb24979bbe07631fc3ae95ae08aa3e upstream.

__io_queue_proc() can enqueue both poll entries and still fail
afterwards, so the callers trying to cancel it should also try to remove
the second poll entry (if any).

For example, it may leave the request alive referencing an io_uring
context but not accessible for cancellation:

[ 282.599913][ T1620] task:iou-sqp-23145 state:D stack:28720 pid:23155 ppid: 8844 flags:0x00004004
[ 282.609927][ T1620] Call Trace:
[ 282.613711][ T1620] __schedule+0x93a/0x26f0
[ 282.634647][ T1620] schedule+0xd3/0x270
[ 282.638874][ T1620] io_uring_cancel_generic+0x54d/0x890
[ 282.660346][ T1620] io_sq_thread+0xaac/0x1250
[ 282.696394][ T1620] ret_from_fork+0x1f/0x30

Cc: stable@vger.kernel.org
Fixes: 18bceab101add ("io_uring: allow POLL_ADD with double poll_wait() users")
Reported-and-tested-by: syzbot+ac957324022b7132accf@syzkaller.appspotmail.com
Signed-off-by: Pavel Begunkov
Link: https://lore.kernel.org/r/0ec1228fc5eda4cb524eeda857da8efdc43c331c.1626774457.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe
Signed-off-by: Greg Kroah-Hartman
---
 fs/io_uring.c | 2 ++
 1 file changed, 2 insertions(+)

--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -5121,6 +5121,8 @@ static __poll_t __io_arm_poll_handler(st ipt->error = -EINVAL; spin_lock_irq(&ctx->completion_lock); + if (ipt->error) + io_poll_remove_double(req); if (likely(poll->head)) { spin_lock(&poll->head->lock); if (unlikely(list_empty(&poll->wait.entry))) {
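Review bot: The new `if (ipt->error) io_poll_remove_double(req);` is placed directly after `spin_lock_irq(&ctx->completion_lock);` and before the existing `if (likely(poll->head))` teardown of the first entry, so the second poll entry is now removed under completion_lock with interrupts disabled on every error path, not only the `-EINVAL` assignment visible in the context. Nothing in the hunk documents that io_poll_remove_double() is safe to call in that locking context or that it tolerates a request with no double entry (the "(if any)" case from the commit message), so a one-line comment above the check stating both preconditions would help reviewers and future readers. Minor: the commit message says "the callers trying to cancel it should also try to remove the second poll entry", but the change lands inside __io_arm_poll_handler() itself rather than in its callers; aligning the wording with where the removal actually happens would avoid confusion when this is backported.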