From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+b0c9d1588ae92866515f@syzkaller.appspotmail.com, Pavel Begunkov, Jens Axboe
Subject: [PATCH 5.13 053/380] io_uring: fix io_try_cancel_userdata race for iowq
Date: Thu, 16 Sep 2021 17:56:50 +0200
Message-Id: <20210916155805.788018933@linuxfoundation.org>
In-Reply-To: <20210916155803.966362085@linuxfoundation.org>
References: <20210916155803.966362085@linuxfoundation.org>

From: Pavel Begunkov

commit dadebc350da2bef62593b1df007a6e0b90baf42a upstream.

WARNING: CPU: 1 PID: 5870 at fs/io_uring.c:5975 io_try_cancel_userdata+0x30f/0x540 fs/io_uring.c:5975
CPU: 0 PID: 5870 Comm: iou-wrk-5860 Not tainted 5.14.0-rc6-next-20210820-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:io_try_cancel_userdata+0x30f/0x540 fs/io_uring.c:5975
Call Trace:
 io_async_cancel fs/io_uring.c:6014 [inline]
 io_issue_sqe+0x22d5/0x65a0 fs/io_uring.c:6407
 io_wq_submit_work+0x1dc/0x300 fs/io_uring.c:6511
 io_worker_handle_work+0xa45/0x1840 fs/io-wq.c:533
 io_wqe_worker+0x2cc/0xbb0 fs/io-wq.c:582
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

io_try_cancel_userdata() can be called from io_async_cancel() executing
in the io-wq context, so the warning fires, which is there to alert
anyone accessing task->io_uring->io_wq in a racy way. However,
io_wq_put_and_exit() always first waits for all threads to complete,
so the only detail left is to zero tctx->io_wq after the context is
removed.

note: one little assumption is that when IO_WQ_WORK_CANCEL, the executor
won't touch ->io_wq, because io_wq_destroy() might cancel left pending
requests in such a way.

Cc: stable@vger.kernel.org
Reported-by: syzbot+b0c9d1588ae92866515f@syzkaller.appspotmail.com
Signed-off-by: Pavel Begunkov
Link: https://lore.kernel.org/r/dfdd37a80cfa9ffd3e59538929c99cdd55d8699e.1629721757.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe
Signed-off-by: Greg Kroah-Hartman
--- fs/io_uring.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -6289,6 +6289,7 @@ static void io_wq_submit_work(struct io_ if (timeout) io_queue_linked_timeout(timeout); + /* either cancelled or io-wq is dying, so don't touch tctx->iowq */ if (work->flags & IO_WQ_WORK_CANCEL) ret = -ECANCELED; 
@@ -9098,8 +9099,8 @@ static void io_uring_clean_tctx(struct i * Must be after io_uring_del_task_file() (removes nodes under * uring_lock) to avoid race with io_uring_try_cancel_iowq(). */ - tctx->io_wq = NULL; io_wq_put_and_exit(wq); + tctx->io_wq = NULL; } }
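
Review bot: In the io_wq_submit_work() hunk (@@ -6289), the added comment spells the field tctx->iowq, while the field this patch actually reorders in io_uring_clean_tctx() is tctx->io_wq; use tctx->io_wq so a search for the field name finds this assumption. The comment is also the only place the rule is recorded: nothing visible on the IO_WQ_WORK_CANCEL path enforces that the executor stays away from ->io_wq, and the commit message itself calls this an assumption, so the comment should say why it has to hold (io_wq_destroy() may cancel leftover pending requests this way).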
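
Review bot: In the io_uring_clean_tctx() hunk (@@ -9098), the retained comment above the moved line still documents only the ordering against io_uring_del_task_file(); the new constraint, that tctx->io_wq = NULL must follow io_wq_put_and_exit(wq), is not written down anywhere in the code. Suggest extending that comment to state that io-wq workers running io_async_cancel() can still read tctx->io_wq until io_wq_put_and_exit() has waited for all threads, so the pointer has to stay set until that call returns; otherwise a later cleanup could move the store back and reintroduce the race.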