From: gregkh@linuxfoundation.org
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
syzbot+81d17233a2b02eafba33@syzkaller.appspotmail.com,
Pavel Begunkov <asml.silence@gmail.com>,
Jens Axboe <axboe@kernel.dk>
Subject: [PATCH 5.11 02/36] io_uring: fix inconsistent lock state
Date: Wed, 10 Mar 2021 14:23:15 +0100 [thread overview]
Message-ID: <20210310132320.590163668@linuxfoundation.org> (raw)
In-Reply-To: <20210310132320.510840709@linuxfoundation.org>
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
From: Pavel Begunkov <asml.silence@gmail.com>
commin 9ae1f8dd372e0e4c020b345cf9e09f519265e981 upstream
WARNING: inconsistent lock state
inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage.
syz-executor217/8450 [HC1[1]:SC0[0]:HE0:SE1] takes:
ffff888023d6e620 (&fs->lock){?.+.}-{2:2}, at: spin_lock include/linux/spinlock.h:354 [inline]
ffff888023d6e620 (&fs->lock){?.+.}-{2:2}, at: io_req_clean_work fs/io_uring.c:1398 [inline]
ffff888023d6e620 (&fs->lock){?.+.}-{2:2}, at: io_dismantle_req+0x66f/0xf60 fs/io_uring.c:2029
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&fs->lock);
<Interrupt>
lock(&fs->lock);
*** DEADLOCK ***
1 lock held by syz-executor217/8450:
#0: ffff88802417c3e8 (&ctx->uring_lock){+.+.}-{3:3}, at: __do_sys_io_uring_enter+0x1071/0x1f30 fs/io_uring.c:9442
stack backtrace:
CPU: 1 PID: 8450 Comm: syz-executor217 Not tainted 5.11.0-rc5-next-20210129-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
[...]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151
spin_lock include/linux/spinlock.h:354 [inline]
io_req_clean_work fs/io_uring.c:1398 [inline]
io_dismantle_req+0x66f/0xf60 fs/io_uring.c:2029
__io_free_req+0x3d/0x2e0 fs/io_uring.c:2046
io_free_req fs/io_uring.c:2269 [inline]
io_double_put_req fs/io_uring.c:2392 [inline]
io_put_req+0xf9/0x570 fs/io_uring.c:2388
io_link_timeout_fn+0x30c/0x480 fs/io_uring.c:6497
__run_hrtimer kernel/time/hrtimer.c:1519 [inline]
__hrtimer_run_queues+0x609/0xe40 kernel/time/hrtimer.c:1583
hrtimer_interrupt+0x334/0x940 kernel/time/hrtimer.c:1645
local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1085 [inline]
__sysvec_apic_timer_interrupt+0x146/0x540 arch/x86/kernel/apic/apic.c:1102
asm_call_irq_on_stack+0xf/0x20
</IRQ>
__run_sysvec_on_irqstack arch/x86/include/asm/irq_stack.h:37 [inline]
run_sysvec_on_irqstack_cond arch/x86/include/asm/irq_stack.h:89 [inline]
sysvec_apic_timer_interrupt+0xbd/0x100 arch/x86/kernel/apic/apic.c:1096
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:629
RIP: 0010:__raw_spin_unlock_irq include/linux/spinlock_api_smp.h:169 [inline]
RIP: 0010:_raw_spin_unlock_irq+0x25/0x40 kernel/locking/spinlock.c:199
spin_unlock_irq include/linux/spinlock.h:404 [inline]
io_queue_linked_timeout+0x194/0x1f0 fs/io_uring.c:6525
__io_queue_sqe+0x328/0x1290 fs/io_uring.c:6594
io_queue_sqe+0x631/0x10d0 fs/io_uring.c:6639
io_queue_link_head fs/io_uring.c:6650 [inline]
io_submit_sqe fs/io_uring.c:6697 [inline]
io_submit_sqes+0x19b5/0x2720 fs/io_uring.c:6960
__do_sys_io_uring_enter+0x107d/0x1f30 fs/io_uring.c:9443
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Don't free requests from under hrtimer context (softirq) as it may sleep
or take spinlocks improperly (e.g. non-irq versions).
Cc: stable@vger.kernel.org # 5.6+
Reported-by: syzbot+81d17233a2b02eafba33@syzkaller.appspotmail.com
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/io_uring.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -6506,9 +6506,10 @@ static enum hrtimer_restart io_link_time
if (prev) {
req_set_fail_links(prev);
io_async_find_and_cancel(ctx, req, prev->user_data, -ETIME);
- io_put_req(prev);
+ io_put_req_deferred(prev, 1);
} else {
- io_req_complete(req, -ETIME);
+ io_cqring_add_event(req, -ETIME, 0);
+ io_put_req_deferred(req, 1);
}
return HRTIMER_NORESTART;
}
next prev parent reply other threads:[~2021-03-10 13:24 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-10 13:23 [PATCH 5.11 00/36] 5.11.6-rc1 review gregkh
2021-03-10 13:23 ` [PATCH 5.11 01/36] ACPICA: Fix race in generic_serial_bus (I2C) and GPIO op_region parameter handling gregkh
2021-03-10 13:23 ` gregkh [this message]
2021-03-10 13:23 ` [PATCH 5.11 03/36] io_uring: deduplicate core cancellations sequence gregkh
2021-03-10 13:23 ` [PATCH 5.11 04/36] io_uring: unpark SQPOLL thread for cancelation gregkh
2021-03-10 13:23 ` [PATCH 5.11 05/36] io_uring: deduplicate failing task_work_add gregkh
2021-03-10 13:23 ` [PATCH 5.11 06/36] fs: provide locked helper variant of close_fd_get_file() gregkh
2021-03-10 13:23 ` [PATCH 5.11 07/36] io_uring: get rid of intermediate IORING_OP_CLOSE stage gregkh
2021-03-10 13:23 ` [PATCH 5.11 08/36] io_uring/io-wq: kill off now unused IO_WQ_WORK_NO_CANCEL gregkh
2021-03-10 13:23 ` [PATCH 5.11 09/36] io_uring/io-wq: return 2-step work swap scheme gregkh
2021-03-10 13:23 ` [PATCH 5.11 10/36] io_uring: dont take uring_lock during iowq cancel gregkh
2021-03-10 13:23 ` [PATCH 5.11 11/36] media: cedrus: Remove checking for required controls gregkh
2021-03-10 13:23 ` [PATCH 5.11 12/36] nvme-pci: mark Kingston SKC2000 as not supporting the deepest power state gregkh
2021-03-10 13:23 ` [PATCH 5.11 13/36] parisc: Enable -mlong-calls gcc option with CONFIG_COMPILE_TEST gregkh
2021-03-10 13:23 ` [PATCH 5.11 14/36] arm64: Make CPU_BIG_ENDIAN depend on ld.bfd or ld.lld 13.0.0+ gregkh
2021-03-10 13:23 ` [PATCH 5.11 15/36] btrfs: export and rename qgroup_reserve_meta gregkh
2021-03-10 13:23 ` [PATCH 5.11 16/36] btrfs: dont flush from btrfs_delayed_inode_reserve_metadata gregkh
2021-03-10 13:23 ` [PATCH 5.11 17/36] iommu/amd: Fix sleeping in atomic in increase_address_space() gregkh
2021-03-10 13:23 ` [PATCH 5.11 18/36] scsi: ufs-mediatek: Enable UFSHCI_QUIRK_SKIP_MANUAL_WB_FLUSH_CTRL gregkh
2021-03-10 13:23 ` [PATCH 5.11 19/36] scsi: ufs: Add a quirk to permit overriding UniPro defaults gregkh
2021-03-10 13:23 ` [PATCH 5.11 20/36] misc: eeprom_93xx46: Add quirk to support Microchip 93LC46B eeprom gregkh
2021-03-10 13:23 ` [PATCH 5.11 21/36] scsi: ufs: Introduce a quirk to allow only page-aligned sg entries gregkh
2021-03-10 13:23 ` [PATCH 5.11 22/36] scsi: ufs: ufs-exynos: Apply vendor-specific values for three timeouts gregkh
2021-03-10 13:23 ` [PATCH 5.11 23/36] scsi: ufs: ufs-exynos: Use UFSHCD_QUIRK_ALIGN_SG_WITH_PAGE_SIZE gregkh
2021-03-10 13:23 ` [PATCH 5.11 24/36] drm/msm/a5xx: Remove overwriting A5XX_PC_DBG_ECO_CNTL register gregkh
2021-03-10 13:23 ` [PATCH 5.11 25/36] mmc: sdhci-of-dwcmshc: set SDHCI_QUIRK2_PRESET_VALUE_BROKEN gregkh
2021-03-10 13:23 ` [PATCH 5.11 26/36] HID: i2c-hid: Add I2C_HID_QUIRK_NO_IRQ_AFTER_RESET for ITE8568 EC on Voyo Winpad A15 gregkh
2021-03-10 13:23 ` [PATCH 5.11 27/36] ALSA: usb-audio: Add DJM750 to Pioneer mixer quirk gregkh
2021-03-10 13:23 ` [PATCH 5.11 28/36] ALSA: usb-audio: add mixer quirks for Pioneer DJM-900NXS2 gregkh
2021-03-10 13:23 ` [PATCH 5.11 29/36] HID: ite: Enable QUIRK_TOUCHPAD_ON_OFF_REPORT on Acer Aspire Switch 10E gregkh
2021-03-10 13:23 ` [PATCH 5.11 30/36] PCI: cadence: Retrain Link to work around Gen2 training defect gregkh
2021-03-10 13:23 ` [PATCH 5.11 31/36] ASoC: Intel: sof_sdw: reorganize quirks by generation gregkh
2021-03-10 13:23 ` [PATCH 5.11 32/36] ASoC: Intel: sof_sdw: add quirk for HP Spectre x360 convertible gregkh
2021-03-10 13:23 ` [PATCH 5.11 33/36] scsi: ufs: Fix a duplicate dev quirk number gregkh
2021-03-10 13:23 ` [PATCH 5.11 34/36] KVM: SVM: Clear the CR4 register on reset gregkh
2021-03-10 13:23 ` [PATCH 5.11 35/36] nvme-pci: mark Seagate Nytro XM1440 as QUIRK_NO_NS_DESC_LIST gregkh
2021-03-10 13:23 ` [PATCH 5.11 36/36] nvme-pci: add quirks for Lexar 256GB SSD gregkh
2021-03-10 21:59 ` [PATCH 5.11 00/36] 5.11.6-rc1 review Shuah Khan
2021-03-11 17:37 ` Greg KH
2021-03-10 23:53 ` Guenter Roeck
2021-03-11 17:37 ` Greg KH
2021-03-11 3:21 ` Naresh Kamboju
2021-03-11 17:38 ` Greg Kroah-Hartman
2021-03-11 4:09 ` Ross Schmidt
2021-03-11 17:39 ` Greg KH
2021-03-11 7:59 ` Jon Hunter
2021-03-11 17:39 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210310132320.590163668@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=asml.silence@gmail.com \
--cc=axboe@kernel.dk \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+81d17233a2b02eafba33@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.