[PATCH 5.4 11/16] io_uring: dont drop completion lock before timer is fully initialized

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev, Jens Axboe <axboe@kernel.dk>,
	Lee Jones <lee@kernel.org>
Subject: [PATCH 5.4 11/16] io_uring: dont drop completion lock before timer is fully initialized
Date: Thu,  1 Jun 2023 14:21:06 +0100	[thread overview]
Message-ID: <20230601131932.484137917@linuxfoundation.org> (raw)
In-Reply-To: <20230601131931.947241286@linuxfoundation.org>

From: Jens Axboe <axboe@kernel.dk>

No upstream commit exists for this patch.

If we drop the lock right after adding it to the timeout list, then
someone attempting to kill timeouts will find it in an indeterminate
state. That means that cancelation could attempt to cancel and remove
a timeout, and then io_timeout() proceeds to init and add the timer
afterwards.

Ensure the timeout request is fully setup before we drop the
completion lock, which guards cancelation as well.

Reported-and-tested-by: Lee Jones <lee@kernel.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/io_uring.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -2079,12 +2079,12 @@ static int io_timeout(struct io_kiocb *r
 	req->sequence -= span;
 add:
 	list_add(&req->list, entry);
-	spin_unlock_irq(&ctx->completion_lock);
 
 	hrtimer_init(&req->timeout.timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
 	req->timeout.timer.function = io_timeout_fn;
 	hrtimer_start(&req->timeout.timer, timespec64_to_ktime(ts),
 			HRTIMER_MODE_REL);
+	spin_unlock_irq(&ctx->completion_lock);
 	return 0;
 }

next prev parent reply	other threads:[~2023-06-01 13:22 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-06-01 13:20 [PATCH 5.4 00/16] 5.4.245-rc1 review Greg Kroah-Hartman
2023-06-01 13:20 ` [PATCH 5.4 01/16] cdc_ncm: Implement the 32-bit version of NCM Transfer Block Greg Kroah-Hartman
2023-06-01 13:20 ` [PATCH 5.4 02/16] net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize Greg Kroah-Hartman
2023-06-01 13:20 ` [PATCH 5.4 03/16] power: supply: bq27xxx: After charger plug in/out wait 0.5s for things to stabilize Greg Kroah-Hartman
2023-06-01 13:20 ` [PATCH 5.4 04/16] power: supply: core: Refactor power_supply_set_input_current_limit_from_supplier() Greg Kroah-Hartman
2023-06-01 13:21 ` [PATCH 5.4 05/16] power: supply: bq24190: Call power_supply_changed() after updating input current Greg Kroah-Hartman
2023-06-01 13:21 ` [PATCH 5.4 06/16] fs: fix undefined behavior in bit shift for SB_NOUSER Greg Kroah-Hartman
2023-06-01 13:21 ` [PATCH 5.4 07/16] net/mlx5: devcom only supports 2 ports Greg Kroah-Hartman
2023-06-01 13:21 ` [PATCH 5.4 08/16] net/mlx5: Devcom, serialize devcom registration Greg Kroah-Hartman
2023-06-01 13:21 ` [PATCH 5.4 09/16] cdc_ncm: Fix the build warning Greg Kroah-Hartman
2023-06-01 13:21 ` [PATCH 5.4 10/16] io_uring: always grab lock in io_cancel_async_work() Greg Kroah-Hartman
2023-06-01 13:21 ` Greg Kroah-Hartman [this message]
2023-06-01 13:21 ` [PATCH 5.4 12/16] io_uring: have io_kill_timeout() honor the request references Greg Kroah-Hartman
2023-06-01 13:21 ` [PATCH 5.4 13/16] bluetooth: Add cmd validity checks at the start of hci_sock_ioctl() Greg Kroah-Hartman
2023-06-01 13:21 ` [PATCH 5.4 14/16] binder: fix UAF caused by faulty buffer cleanup Greg Kroah-Hartman
2023-06-01 13:21 ` [PATCH 5.4 15/16] ipv{4,6}/raw: fix output xfrm lookup wrt protocol Greg Kroah-Hartman
2023-06-01 13:21 ` [PATCH 5.4 16/16] netfilter: ctnetlink: Support offloaded conntrack entry deletion Greg Kroah-Hartman
2023-06-01 15:58 ` [PATCH 5.4 00/16] 5.4.245-rc1 review Florian Fainelli
2023-06-01 20:53 ` Shuah Khan
2023-06-02  8:45 ` Jon Hunter
2023-06-02 10:10 ` Naresh Kamboju
2023-06-02 15:47 ` Harshit Mogalapalli
2023-06-02 22:33 ` Guenter Roeck
2023-06-05  9:16 ` Chris Paterson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230601131932.484137917@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=axboe@kernel.dk \
    --cc=lee@kernel.org \
    --cc=patches@lists.linux.dev \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.