From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Hillf Danton <hdanton@sina.com>,
Jens Axboe <axboe@kernel.dk>,
syzbot <syzbot+538d1957ce178382a394@syzkaller.appspotmail.com>
Subject: [PATCH 5.6 37/38] io-uring: drop completion when removing file
Date: Sat, 11 Apr 2020 14:10:14 +0200 [thread overview]
Message-ID: <20200411115503.466914576@linuxfoundation.org> (raw)
In-Reply-To: <20200411115459.324496182@linuxfoundation.org>
From: Hillf Danton <hdanton@sina.com>
commit 4afdb733b1606c6cb86e7833f9335f4870cf7ddd upstream.
A case of task hung was reported by syzbot,
INFO: task syz-executor975:9880 blocked for more than 143 seconds.
Not tainted 5.6.0-rc6-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor975 D27576 9880 9878 0x80004000
Call Trace:
schedule+0xd0/0x2a0 kernel/sched/core.c:4154
schedule_timeout+0x6db/0xba0 kernel/time/timer.c:1871
do_wait_for_common kernel/sched/completion.c:83 [inline]
__wait_for_common kernel/sched/completion.c:104 [inline]
wait_for_common kernel/sched/completion.c:115 [inline]
wait_for_completion+0x26a/0x3c0 kernel/sched/completion.c:136
io_queue_file_removal+0x1af/0x1e0 fs/io_uring.c:5826
__io_sqe_files_update.isra.0+0x3a1/0xb00 fs/io_uring.c:5867
io_sqe_files_update fs/io_uring.c:5918 [inline]
__io_uring_register+0x377/0x2c00 fs/io_uring.c:7131
__do_sys_io_uring_register fs/io_uring.c:7202 [inline]
__se_sys_io_uring_register fs/io_uring.c:7184 [inline]
__x64_sys_io_uring_register+0x192/0x560 fs/io_uring.c:7184
do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
and bisect pointed to 05f3fb3c5397 ("io_uring: avoid ring quiesce for
fixed file set unregister and update").
It is down to the order that we wait for work done before flushing it
while nobody is likely going to wake us up.
We can drop that completion on stack as flushing work itself is a sync
operation we need and no more is left behind it.
To that end, io_file_put::done is re-used for indicating if it can be
freed in the workqueue worker context.
Reported-and-Inspired-by: syzbot <syzbot+538d1957ce178382a394@syzkaller.appspotmail.com>
Signed-off-by: Hillf Danton <hdanton@sina.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Rename ->done to ->free_pfile
Signed-off-by: Jens Axboe <axboe@kernel.dk>
---
fs/io_uring.c | 13 +++++--------
1 file changed, 5 insertions(+), 8 deletions(-)
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -5607,7 +5607,7 @@ static void io_ring_file_put(struct io_r
struct io_file_put {
struct llist_node llist;
struct file *file;
- struct completion *done;
+ bool free_pfile;
};
static void io_ring_file_ref_flush(struct fixed_file_data *data)
@@ -5618,9 +5618,7 @@ static void io_ring_file_ref_flush(struc
while ((node = llist_del_all(&data->put_llist)) != NULL) {
llist_for_each_entry_safe(pfile, tmp, node, llist) {
io_ring_file_put(data->ctx, pfile->file);
- if (pfile->done)
- complete(pfile->done);
- else
+ if (pfile->free_pfile)
kfree(pfile);
}
}
@@ -5820,7 +5818,6 @@ static bool io_queue_file_removal(struct
struct file *file)
{
struct io_file_put *pfile, pfile_stack;
- DECLARE_COMPLETION_ONSTACK(done);
/*
* If we fail allocating the struct we need for doing async reomval
@@ -5829,15 +5826,15 @@ static bool io_queue_file_removal(struct
pfile = kzalloc(sizeof(*pfile), GFP_KERNEL);
if (!pfile) {
pfile = &pfile_stack;
- pfile->done = &done;
- }
+ pfile->free_pfile = false;
+ } else
+ pfile->free_pfile = true;
pfile->file = file;
llist_add(&pfile->llist, &data->put_llist);
if (pfile == &pfile_stack) {
percpu_ref_switch_to_atomic(&data->refs, io_atomic_switch);
- wait_for_completion(&done);
flush_work(&data->ref_work);
return false;
}
next prev parent reply other threads:[~2020-04-11 12:22 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-11 12:09 [PATCH 5.6 00/38] 5.6.4-rc1 review Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.6 01/38] cxgb4: fix MPS index overwrite when setting MAC address Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.6 02/38] ipv6: dont auto-add link-local address to lag ports Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.6 03/38] net: dsa: bcm_sf2: Do not register slave MDIO bus with OF Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.6 04/38] net: dsa: bcm_sf2: Ensure correct sub-node is parsed Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.6 05/38] net: dsa: mt7530: fix null pointer dereferencing in port5 setup Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.6 06/38] net: phy: micrel: kszphy_resume(): add delay after genphy_resume() before accessing PHY registers Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.6 07/38] net_sched: add a temporary refcnt for struct tcindex_data Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.6 08/38] net_sched: fix a missing refcnt in tcindex_init() Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.6 09/38] net: stmmac: dwmac1000: fix out-of-bounds mac address reg setting Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.6 10/38] slcan: Dont transmit uninitialized stack data in padding Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.6 11/38] tun: Dont put_page() for all negative return values from XDP program Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.6 12/38] mlxsw: spectrum_flower: Do not stop at FLOW_ACTION_VLAN_MANGLE Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.6 13/38] r8169: change back SG and TSO to be disabled by default Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.6 14/38] cxgb4: free MQPRIO resources in shutdown path Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.6 15/38] net: phy: at803x: fix clock sink configuration on ATH8030 and ATH8035 Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.6 16/38] s390: prevent leaking kernel address in BEAR Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.6 17/38] random: always use batched entropy for get_random_u{32,64} Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.6 18/38] usb: dwc3: gadget: Wrap around when skip TRBs Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.6 19/38] slub: improve bit diffusion for freelist ptr obfuscation Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.6 20/38] tools/accounting/getdelays.c: fix netlink attribute length Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.6 21/38] hwrng: imx-rngc - fix an error path Greg Kroah-Hartman
2020-04-11 12:09 ` [PATCH 5.6 22/38] ACPI: PM: Add acpi_[un]register_wakeup_handler() Greg Kroah-Hartman
2020-04-11 12:10 ` [PATCH 5.6 23/38] platform/x86: intel_int0002_vgpio: Use acpi_register_wakeup_handler() Greg Kroah-Hartman
2020-04-11 12:10 ` [PATCH 5.6 24/38] ASoC: tas2562: Fixed incorrect amp_level setting Greg Kroah-Hartman
2020-04-11 12:10 ` [PATCH 5.6 25/38] ASoC: jz4740-i2s: Fix divider written at incorrect offset in register Greg Kroah-Hartman
2020-04-11 12:10 ` [PATCH 5.6 26/38] IB/hfi1: Call kobject_put() when kobject_init_and_add() fails Greg Kroah-Hartman
2020-04-11 12:10 ` [PATCH 5.6 27/38] IB/hfi1: Fix memory leaks in sysfs registration and unregistration Greg Kroah-Hartman
2020-04-11 12:10 ` [PATCH 5.6 28/38] IB/mlx5: Replace tunnel mpls capability bits for tunnel_offloads Greg Kroah-Hartman
2020-04-11 12:10 ` [PATCH 5.6 29/38] ubi: fastmap: Free unused fastmap anchor peb during detach Greg Kroah-Hartman
2020-04-11 12:10 ` [PATCH 5.6 30/38] RDMA/ucma: Put a lock around every call to the rdma_cm layer Greg Kroah-Hartman
2020-04-11 12:10 ` [PATCH 5.6 31/38] RDMA/cma: Teach lockdep about the order of rtnl and lock Greg Kroah-Hartman
2020-04-11 12:10 ` [PATCH 5.6 32/38] RDMA/siw: Fix passive connection establishment Greg Kroah-Hartman
2020-04-11 12:10 ` [PATCH 5.6 33/38] Bluetooth: RFCOMM: fix ODEBUG bug in rfcomm_dev_ioctl Greg Kroah-Hartman
2020-04-11 12:10 ` [PATCH 5.6 34/38] RDMA/cm: Update num_paths in cma_resolve_iboe_route error flow Greg Kroah-Hartman
2020-04-11 12:10 ` [PATCH 5.6 35/38] blk-mq: Keep set->nr_hw_queues and set->map[].nr_queues in sync Greg Kroah-Hartman
2020-04-11 12:10 ` [PATCH 5.6 36/38] fbcon: fix null-ptr-deref in fbcon_switch Greg Kroah-Hartman
2020-04-11 12:10 ` Greg Kroah-Hartman [this message]
2020-04-11 12:10 ` [PATCH 5.6 38/38] driver core: Reevaluate dev->links.need_for_probe as suppliers are added Greg Kroah-Hartman
2020-04-11 20:43 ` [PATCH 5.6 00/38] 5.6.4-rc1 review Guenter Roeck
2020-04-12 8:07 ` Greg Kroah-Hartman
2020-04-12 5:38 ` Naresh Kamboju
2020-04-13 8:22 ` Greg Kroah-Hartman
2020-04-14 10:36 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200411115503.466914576@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=axboe@kernel.dk \
--cc=hdanton@sina.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+538d1957ce178382a394@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).