Received: by 2002:a05:6a10:5bc5:0:0:0:0 with SMTP id os5csp2826414pxb;
        Mon, 1 Nov 2021 02:37:42 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwluUdx+8wS19GGmkzFBAD7/SzODbRLyXEu/R9sQr+9ET3YBKEhZMZ1Zmv9ax/nb7z5+zL4
X-Received: by 2002:a05:6402:280f:: with SMTP id h15mr7292162ede.286.1635759462660;
        Mon, 01 Nov 2021 02:37:42 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1635759462; cv=none;
        d=google.com; s=arc-20160816;
        b=rhb6KS7anDf0rgXZ6CSFueuLzwYhc7l/euLacDBnkmSgE+V98iyLW8v097oSQw6klV
         pCDI0FmuVkNkAnjJyO4RAC7zNNLktkdrVlJ0qOd9OW+jiiAPHm+o09hTZuUVXWHl5C/d
         v5tqoZkoW25C44D+GN1mEA50Vxas6lHeG5bic8Ea1oYOiub+ulyt2KWZkGhzan8CDqOC
         B8mnF0O1GB0JLfPxFcHcunqZ7C7OxKlxZ6g08uHxIQTNxD/blvEHyRYssgQdYV210p+z
         wRu0KIe0Q7yosJrpfbKm8kbBRtKq7xxWonueruHAtpSZQwtHTjZdceZd0i6ScQDW/t4U
         wAfQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=+Bb/yr7bybFsHLaDP3JcbHjOFBtAMRIy9xi+XlMhyUo=;
        b=SpJO9Ji5DhR20zOY6SJWmsAeYRJITNxMON3D24rUX0KgFSGykVcjcFfGkg9g3G8o1m
         GGoneQvHphEObn0NqavyPvXvxeRCe6rxBaBu/SNrN3DmyP4Y7L/js6TWlSVH6cbUntWs
         2fHKHWL1/qJkLdMxiSJmWCvLVFNhIbndSxYy1re45wJuHzdzTzPkcN8RZZYFqLFx3Y3n
         h844kXWEPwk3sAb4xgZs377A6KQ0PcDXL7K11wpf6+r/G8Nyd7nhRoOG71wlJwll+HmE
         aVK9WJT4iIzLr4JU5mtB32LViZZ4GwLg88DIXr3RvtvTJCOE50WWyrmGWRjH8nAoeME4
         MBQA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="UmB/z2FE";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id ho42si1389584ejc.531.2021.11.01.02.37.09;
        Mon, 01 Nov 2021 02:37:42 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="UmB/z2FE";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S233635AbhKAJhp (ORCPT <rfc822;ly15351151@gmail.com> + 99 others);
        Mon, 1 Nov 2021 05:37:45 -0400
Received: from mail.kernel.org ([198.145.29.99]:43768 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S233706AbhKAJeH (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 1 Nov 2021 05:34:07 -0400
Received: by mail.kernel.org (Postfix) with ESMTPSA id B75426128B;
        Mon,  1 Nov 2021 09:25:34 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1635758735;
        bh=72CK97Xrjel599Lx2KS4P54xwnzuxi5evua6EzzzAvM=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=UmB/z2FEXIbJ/cc4O4Eq9mKcySBlTZCbKnICAk+yStPsFttdKCjkz61e0CXmFln/2
         qdL4ohZLW4rlF6A0OMlcfMcWxmNCn+MxNLIteX2LYiZtUtQYtMgKFj+1tRDZ2oHrV1
         kmCL4LHVYNihl1L2GVrWOk/1U3JzX+bdbcZbUNBo=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Abaci <abaci@linux.alibaba.com>,
        Hao Xu <haoxu@linux.alibaba.com>,
        Pavel Begunkov <asml.silence@gmail.com>,
        Jens Axboe <axboe@kernel.dk>,
        syzbot+59d8a1f4e60c20c066cf@syzkaller.appspotmail.com,
        Lee Jones <lee.jones@linaro.org>
Subject: [PATCH 5.10 07/77] io_uring: dont take uring_lock during iowq cancel
Date:   Mon,  1 Nov 2021 10:16:55 +0100
Message-Id: <20211101082513.463556151@linuxfoundation.org>
X-Mailer: git-send-email 2.33.1
In-Reply-To: <20211101082511.254155853@linuxfoundation.org>
References: <20211101082511.254155853@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Pavel Begunkov <asml.silence@gmail.com>

commit 792bb6eb862333658bf1bd2260133f0507e2da8d upstream.

[   97.866748] a.out/2890 is trying to acquire lock:
[   97.867829] ffff8881046763e8 (&ctx->uring_lock){+.+.}-{3:3}, at:
io_wq_submit_work+0x155/0x240
[   97.869735]
[   97.869735] but task is already holding lock:
[   97.871033] ffff88810dfe0be8 (&ctx->uring_lock){+.+.}-{3:3}, at:
__x64_sys_io_uring_enter+0x3f0/0x5b0
[   97.873074]
[   97.873074] other info that might help us debug this:
[   97.874520]  Possible unsafe locking scenario:
[   97.874520]
[   97.875845]        CPU0
[   97.876440]        ----
[   97.877048]   lock(&ctx->uring_lock);
[   97.877961]   lock(&ctx->uring_lock);
[   97.878881]
[   97.878881]  *** DEADLOCK ***
[   97.878881]
[   97.880341]  May be due to missing lock nesting notation
[   97.880341]
[   97.881952] 1 lock held by a.out/2890:
[   97.882873]  #0: ffff88810dfe0be8 (&ctx->uring_lock){+.+.}-{3:3}, at:
__x64_sys_io_uring_enter+0x3f0/0x5b0
[   97.885108]
[   97.885108] stack backtrace:
[   97.890457] Call Trace:
[   97.891121]  dump_stack+0xac/0xe3
[   97.891972]  __lock_acquire+0xab6/0x13a0
[   97.892940]  lock_acquire+0x2c3/0x390
[   97.894894]  __mutex_lock+0xae/0x9f0
[   97.901101]  io_wq_submit_work+0x155/0x240
[   97.902112]  io_wq_cancel_cb+0x162/0x490
[   97.904126]  io_async_find_and_cancel+0x3b/0x140
[   97.905247]  io_issue_sqe+0x86d/0x13e0
[   97.909122]  __io_queue_sqe+0x10b/0x550
[   97.913971]  io_queue_sqe+0x235/0x470
[   97.914894]  io_submit_sqes+0xcce/0xf10
[   97.917872]  __x64_sys_io_uring_enter+0x3fb/0x5b0
[   97.921424]  do_syscall_64+0x2d/0x40
[   97.922329]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

While holding uring_lock, e.g. from inline execution, async cancel
request may attempt cancellations through io_wq_submit_work, which may
try to grab a lock. Delay it to task_work, so we do it from a clean
context and don't have to worry about locking.

Cc: <stable@vger.kernel.org> # 5.5+
Fixes: c07e6719511e ("io_uring: hold uring_lock while completing failed polled io in io_wq_submit_work()")
Reported-by: Abaci <abaci@linux.alibaba.com>
Reported-by: Hao Xu <haoxu@linux.alibaba.com>
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
[Lee: The first hunk solves a different (double free) issue in v5.10.
      Only the first hunk of the original patch is relevant to v5.10 AND
      the first hunk of the original patch is only relevant to v5.10]
Reported-by: syzbot+59d8a1f4e60c20c066cf@syzkaller.appspotmail.com
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/io_uring.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -2075,7 +2075,9 @@ static void io_req_task_cancel(struct ca
 	struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
 	struct io_ring_ctx *ctx = req->ctx;
 
+	mutex_lock(&ctx->uring_lock);
 	__io_req_task_cancel(req, -ECANCELED);
+	mutex_unlock(&ctx->uring_lock);
 	percpu_ref_put(&ctx->refs);
 }