Subject: FAILED: patch "[PATCH] io-wq: check that the predecessor is hashed in"
 failed to apply to 6.1-stable tree
To: nicholas@carlini.com,axboe@kernel.dk
Cc:
From:
Date: Wed, 20 May 2026 16:41:36 +0200
Message-ID: <2026052036-abiding-paper-2842@gregkh>
Precedence: bulk
X-Mailing-List: stable@vger.kernel.org
List-Id:
List-Subscribe:
List-Unsubscribe:
MIME-Version: 1.0
Content-Type: text/plain; charset=ANSI_X3.4-1968
Content-Transfer-Encoding: 8bit

The patch below does not apply to the 6.1-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to .

To reproduce the conflict and resubmit, you may use the following commands:

git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.1.y
git checkout FETCH_HEAD
git cherry-pick -x d6a2d7b04b5a093021a7a0e2e69e9d5237dfa8cc
#
git commit -s
git send-email --to '' --in-reply-to '2026052036-abiding-paper-2842@gregkh' --subject-prefix 'PATCH 6.1.y' HEAD^..

Possible dependencies:

thanks,

greg k-h

------------------ original commit in Linus's tree ------------------

>From d6a2d7b04b5a093021a7a0e2e69e9d5237dfa8cc Mon Sep 17 00:00:00 2001
From: Nicholas Carlini
Date: Mon, 11 May 2026 18:02:16 +0000
Subject: [PATCH] io-wq: check that the predecessor is hashed in
 io_wq_remove_pending()

io_wq_remove_pending() needs to fix up wq->hash_tail[] if the cancelled
work was the tail of its hash bucket. When doing this, it checks whether
the preceding entry in acct->work_list has the same hash value, but
never checks that the predecessor is hashed at all.

io_get_work_hash() is simply atomic_read(&work->flags) >> IO_WQ_HASH_SHIFT,
and the hash bits are never set for non-hashed work, so it returns 0.
Thus, when a hashed bucket-0 work is cancelled while a non-hashed work
is its list predecessor, the check spuriously passes and a pointer to
the non-hashed io_kiocb is stored in wq->hash_tail[0].

Because non-hashed work is dequeued via the fast path in
io_get_next_work(), which never touches hash_tail[], the stale pointer
is never cleared. Therefore, after the non-hashed io_kiocb completes and
is freed back to req_cachep, wq->hash_tail[0] is a dangling pointer.

The io_wq is per-task (tctx->io_wq) and survives ring open/close, so the
dangling pointer persists for the lifetime of the task; the next hashed
bucket-0 enqueue dereferences it in io_wq_insert_work() and
wq_list_add_after() writes through freed memory.

Add the missing io_wq_is_hashed() check so a non-hashed predecessor
never inherits a hash_tail[] slot.

Cc: stable@vger.kernel.org
Fixes: 204361a77f40 ("io-wq: fix hang after cancelling pending hashed work")
Signed-off-by: Nicholas Carlini
Signed-off-by: Jens Axboe

diff --git a/io_uring/io-wq.c b/io_uring/io-wq.c index 7a9f94a0ce6f..8cc7b47d3089 100644 --- a/io_uring/io-wq.c +++ b/io_uring/io-wq.c
@@ -1124,7 +1124,8 @@ static inline void io_wq_remove_pending(struct io_wq *wq, if (io_wq_is_hashed(work) && work == wq->hash_tail[hash]) { if (prev) prev_work = container_of(prev, struct io_wq_work, list); - if (prev_work && io_get_work_hash(prev_work) == hash) + if (prev_work && io_wq_is_hashed(prev_work) && + io_get_work_hash(prev_work) == hash) wq->hash_tail[hash] = prev_work; else wq->hash_tail[hash] = NULL;
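
Review bot: The added io_wq_is_hashed(prev_work) test in the hash_tail[] fix-up carries no comment, and nothing at the call site says why it is needed: per the commit message io_get_work_hash() reads as 0 for non-hashed work, so the hash comparison alone cannot tell a non-hashed predecessor from a hashed bucket-0 one. A one-line comment above the condition would keep a later cleanup from folding the two tests back together. Since the ambiguity lives in io_get_work_hash() itself, it is also worth checking whether any other caller compares its result without first testing io_wq_is_hashed(), or moving the pair into a small helper so the guard cannot be dropped. For the 6.1.y backport this mail asks for, the same two-part condition needs to survive the cherry-pick conflict resolution intact.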
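
The tail fix-up described in the commit message, as a userspace C model added here (not kernel code and not part of the original mail). The struct layout, the flag values and the `guard` parameter that switches between the old and the patched predicate are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model; the flag layout is a stand-in, not the kernel's definitions. */
#define WORK_HASHED 2u   /* "this work is hashed" flag (assumed value) */
#define HASH_SHIFT  24   /* bucket number lives in the top bits (assumed) */
#define NR_BUCKETS  4

struct work { unsigned int flags; struct work *next; };
struct wq_model { struct work *head; struct work *hash_tail[NR_BUCKETS]; };

static bool is_hashed(const struct work *w) { return (w->flags & WORK_HASHED) != 0; }
static unsigned int get_hash(const struct work *w) { return w->flags >> HASH_SHIFT; }

/* Cancel `work` from the pending list; `guard` selects the patched predicate. */
static void remove_pending(struct wq_model *wq, struct work *work,
                           struct work *prev, bool guard)
{
    unsigned int hash = get_hash(work);
    if (is_hashed(work) && work == wq->hash_tail[hash]) {
        /* Non-hashed work reads as bucket 0, so the hash compare alone is ambiguous. */
        if (prev && (!guard || is_hashed(prev)) && get_hash(prev) == hash)
            wq->hash_tail[hash] = prev;
        else
            wq->hash_tail[hash] = NULL;
    }
    if (prev)
        prev->next = work->next;
    else
        wq->head = work->next;
}

/* Queue [prev, hashed bucket-0 work], cancel the second; does prev take the tail slot? */
static bool prev_inherits_tail(unsigned int prev_flags, bool guard)
{
    struct work prev = { prev_flags, NULL };
    struct work cancelled = { WORK_HASHED, NULL };   /* hashed, bucket 0 */
    struct wq_model wq = { &prev, { NULL } };
    prev.next = &cancelled;
    wq.hash_tail[0] = &cancelled;
    remove_pending(&wq, &cancelled, &prev, guard);
    return wq.hash_tail[0] == &prev;
}

int main(void)
{
    printf("non-hashed prev inherits tail: old=%d new=%d\n",
           prev_inherits_tail(0, false), prev_inherits_tail(0, true));
    return 0;
}
```

A hashed bucket-0 predecessor still inherits the slot under both predicates, which is the behaviour the fix must preserve.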