[PATCH AUTOSEL 5.5 41/41] io_uring: fix lockup with timeouts

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Pavel Begunkov <asml.silence@gmail.com>,
	Jens Axboe <axboe@kernel.dk>, Sasha Levin <sashal@kernel.org>,
	linux-fsdevel@vger.kernel.org, io-uring@vger.kernel.org
Subject: [PATCH AUTOSEL 5.5 41/41] io_uring: fix lockup with timeouts
Date: Sun, 15 Mar 2020 22:33:19 -0400	[thread overview]
Message-ID: <20200316023319.749-41-sashal@kernel.org> (raw)
In-Reply-To: <20200316023319.749-1-sashal@kernel.org>

From: Pavel Begunkov <asml.silence@gmail.com>

[ Upstream commit f0e20b8943509d81200cef5e30af2adfddba0f5c ]

There is a recipe to deadlock the kernel: submit a timeout sqe with a
linked_timeout (e.g.  test_single_link_timeout_ception() from liburing),
and SIGKILL the process.

Then, io_kill_timeouts() takes @ctx->completion_lock, but the timeout
isn't flagged with REQ_F_COMP_LOCKED, and will try to double grab it
during io_put_free() to cancel the linked timeout. Probably, the same
can happen with another io_kill_timeout() call site, that is
io_commit_cqring().

Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/io_uring.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 60a4832089982..fd28f85677225 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -688,6 +688,7 @@ static void io_kill_timeout(struct io_kiocb *req)
 	if (ret != -1) {
 		atomic_inc(&req->ctx->cq_timeouts);
 		list_del_init(&req->list);
+		req->flags |= REQ_F_COMP_LOCKED;
 		io_cqring_fill_event(req, 0);
 		io_put_req(req);
 	}
-- 
2.20.1

next prev parent reply	other threads:[~2020-03-16  2:40 UTC|newest]

Thread overview: 87+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-03-16  2:32 [PATCH AUTOSEL 5.5 01/41] spi: spi-omap2-mcspi: Handle DMA size restriction on AM65x Sasha Levin
2020-03-16  2:32 ` Sasha Levin
2020-03-16  2:32 ` [PATCH AUTOSEL 5.5 02/41] spi: spi-omap2-mcspi: Support probe deferral for DMA channels Sasha Levin
2020-03-16  2:32 ` [PATCH AUTOSEL 5.5 03/41] drm/mediatek: Find the cursor plane instead of hard coding it Sasha Levin
2020-03-16  2:32   ` Sasha Levin
2020-03-16  2:32   ` Sasha Levin
2020-03-16  2:32   ` Sasha Levin
2020-03-16  2:32 ` [PATCH AUTOSEL 5.5 04/41] drm/mediatek: Ensure the cursor plane is on top of other overlays Sasha Levin
2020-03-16  2:32   ` Sasha Levin
2020-03-16  2:32   ` Sasha Levin
2020-03-16  2:32   ` Sasha Levin
2020-03-16  2:32 ` [PATCH AUTOSEL 5.5 05/41] ARM: dts: imx6dl-colibri-eval-v3: fix sram compatible properties Sasha Levin
2020-03-16  2:32   ` Sasha Levin
2020-03-16  7:21   ` Johan Hovold
2020-03-16  7:21     ` Johan Hovold
2020-03-22 12:54     ` Sasha Levin
2020-03-22 12:54       ` Sasha Levin
2020-03-16  2:32 ` [PATCH AUTOSEL 5.5 06/41] phy: ti: gmii-sel: fix set of copy-paste errors Sasha Levin
2020-03-16  2:32 ` [PATCH AUTOSEL 5.5 07/41] phy: ti: gmii-sel: do not fail in case of gmii Sasha Levin
2020-03-16  2:32 ` [PATCH AUTOSEL 5.5 08/41] ARM: dts: dra7-l4: mark timer13-16 as pwm capable Sasha Levin
2020-03-16  2:32 ` [PATCH AUTOSEL 5.5 09/41] ASoC: meson: g12a: add tohdmitx reset Sasha Levin
2020-03-16  2:32   ` Sasha Levin
2020-03-16  2:32   ` Sasha Levin
2020-03-16  2:32   ` Sasha Levin
2020-03-16  2:32 ` [PATCH AUTOSEL 5.5 10/41] spi: qup: call spi_qup_pm_resume_runtime before suspending Sasha Levin
2020-03-16  2:32 ` [PATCH AUTOSEL 5.5 11/41] powerpc: Include .BTF section Sasha Levin
2020-03-16  2:32   ` Sasha Levin
2020-03-16  2:32 ` [PATCH AUTOSEL 5.5 12/41] cifs: fix potential mismatch of UNC paths Sasha Levin
2020-03-16  2:32 ` [PATCH AUTOSEL 5.5 13/41] cifs: add missing mount option to /proc/mounts Sasha Levin
2020-03-16  2:32 ` [PATCH AUTOSEL 5.5 14/41] ARM: dts: dra7: Add "dma-ranges" property to PCIe RC DT nodes Sasha Levin
2020-03-16  2:32 ` [PATCH AUTOSEL 5.5 15/41] spi: pxa2xx: Add CS control clock quirk Sasha Levin
2020-03-16  2:32   ` Sasha Levin
2020-03-16  2:32 ` [PATCH AUTOSEL 5.5 16/41] spi/zynqmp: remove entry that causes a cs glitch Sasha Levin
2020-03-16  2:32   ` Sasha Levin
2020-03-16  2:32 ` [PATCH AUTOSEL 5.5 17/41] ARM: dts: bcm283x: Add missing properties to the PWR LED Sasha Levin
2020-03-16  2:32   ` Sasha Levin
2020-03-16  2:32 ` [PATCH AUTOSEL 5.5 18/41] drm/exynos: dsi: propagate error value and silence meaningless warning Sasha Levin
2020-03-16  2:32   ` Sasha Levin
2020-03-16  2:32   ` Sasha Levin
2020-03-16  2:32 ` [PATCH AUTOSEL 5.5 19/41] drm/exynos: dsi: fix workaround for the legacy clock name Sasha Levin
2020-03-16  2:32   ` Sasha Levin
2020-03-16  2:32   ` Sasha Levin
2020-03-16  2:32 ` [PATCH AUTOSEL 5.5 20/41] drm/exynos: hdmi: don't leak enable HDMI_EN regulator if probe fails Sasha Levin
2020-03-16  2:32   ` Sasha Levin
2020-03-16  2:32   ` Sasha Levin
2020-03-16  2:32 ` [PATCH AUTOSEL 5.5 21/41] drivers/perf: fsl_imx8_ddr: Correct the CLEAR bit definition Sasha Levin
2020-03-16  2:32   ` Sasha Levin
2020-03-16  2:33 ` [PATCH AUTOSEL 5.5 22/41] drivers/perf: arm_pmu_acpi: Fix incorrect checking of gicc pointer Sasha Levin
2020-03-16  2:33   ` Sasha Levin
2020-03-16  2:33 ` [PATCH AUTOSEL 5.5 23/41] io-wq: fix IO_WQ_WORK_NO_CANCEL cancellation Sasha Levin
2020-03-16  2:33 ` [PATCH AUTOSEL 5.5 24/41] ARM: bcm2835_defconfig: Explicitly restore CONFIG_DEBUG_FS Sasha Levin
2020-03-16  2:33   ` Sasha Levin
2020-03-16  2:33 ` [PATCH AUTOSEL 5.5 25/41] altera-stapl: altera_get_note: prevent write beyond end of 'key' Sasha Levin
2020-03-16  2:33 ` [PATCH AUTOSEL 5.5 26/41] dm bio record: save/restore bi_end_io and bi_integrity Sasha Levin
2020-03-16  2:33 ` [PATCH AUTOSEL 5.5 27/41] dm integrity: use dm_bio_record and dm_bio_restore Sasha Levin
2020-03-16  2:33 ` [PATCH AUTOSEL 5.5 28/41] riscv: avoid the PIC offset of static percpu data in module beyond 2G limits Sasha Levin
2020-03-16  2:33   ` Sasha Levin
2020-03-16  2:33 ` [PATCH AUTOSEL 5.5 29/41] ASoC: stm32: sai: manage rebind issue Sasha Levin
2020-03-16  2:33   ` Sasha Levin
2020-03-16  2:33   ` Sasha Levin
2020-03-16  2:33 ` [PATCH AUTOSEL 5.5 30/41] spi: spi_register_controller(): free bus id on error paths Sasha Levin
2020-03-16  2:33 ` [PATCH AUTOSEL 5.5 31/41] riscv: Force flat memory model with no-mmu Sasha Levin
2020-03-16  2:33   ` Sasha Levin
2020-03-16  2:33 ` [PATCH AUTOSEL 5.5 32/41] riscv: Fix range looking for kernel image memblock Sasha Levin
2020-03-16  2:33   ` Sasha Levin
2020-03-16  2:33 ` [PATCH AUTOSEL 5.5 33/41] drm/amdgpu: clean wptr on wb when gpu recovery Sasha Levin
2020-03-16  2:33   ` Sasha Levin
2020-03-16  2:33   ` Sasha Levin
2020-03-16  2:33 ` [PATCH AUTOSEL 5.5 34/41] drm/amd/display: Clear link settings on MST disable connector Sasha Levin
2020-03-16  2:33   ` Sasha Levin
2020-03-16  2:33   ` Sasha Levin
2020-03-16  2:33 ` [PATCH AUTOSEL 5.5 35/41] drm/amd/display: fix dcc swath size calculations on dcn1 Sasha Levin
2020-03-16  2:33   ` Sasha Levin
2020-03-16  2:33   ` Sasha Levin
2020-03-16  2:33 ` [Xen-devel] [PATCH AUTOSEL 5.5 36/41] xenbus: req->body should be updated before req->state Sasha Levin
2020-03-16  2:33   ` Sasha Levin
2020-03-16  2:33 ` [Xen-devel] [PATCH AUTOSEL 5.5 37/41] xenbus: req->err " Sasha Levin
2020-03-16  2:33   ` Sasha Levin
2020-03-16  2:33 ` [PATCH AUTOSEL 5.5 38/41] riscv: fix seccomp reject syscall code path Sasha Levin
2020-03-16  2:33   ` Sasha Levin
2020-03-16  2:33 ` [PATCH AUTOSEL 5.5 39/41] block, bfq: fix overwrite of bfq_group pointer in bfq_find_set_group() Sasha Levin
2020-03-16  2:33 ` [PATCH AUTOSEL 5.5 40/41] parse-maintainers: Mark as executable Sasha Levin
2020-03-16  2:33 ` Sasha Levin [this message]
     [not found] ` <20200316023319.749-1-sashal-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
2020-03-16 11:50   ` [PATCH AUTOSEL 5.5 01/41] spi: spi-omap2-mcspi: Handle DMA size restriction on AM65x Mark Brown
2020-03-16 11:50     ` Mark Brown
     [not found]     ` <20200316115057.GB5010-GFdadSzt00ze9xe1eoZjHA@public.gmane.org>
2020-03-22 19:37       ` Sasha Levin
2020-03-22 19:37         ` Sasha Levin

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:60a483208998 dfblob:fd28f8567722 )
 OR (
bs:"[PATCH AUTOSEL 5.5 41/41] io_uring: fix lockup with timeouts" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200316023319.749-41-sashal@kernel.org \
    --to=sashal@kernel.org \
    --cc=asml.silence@gmail.com \
    --cc=axboe@kernel.dk \
    --cc=io-uring@vger.kernel.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.