author | Jens Axboe <axboe@kernel.dk> | 2022-05-15 20:19:43 +0300 |
---|---|---|
committer | Jens Axboe <axboe@kernel.dk> | 2022-05-18 15:12:41 +0300 |
commit | e7637a492b9f1ae6b7cfcecf0aed5e4c76efa3bd (patch) | |
tree | 5690c2eabd93f40ea793741e2beb944f8442a1cf /fs | |
parent | 4e86a2c980137f7be1ea600af5f1f5c8342ecc09 (diff) | |
io_uring: fix locking state for empty buffer group
io_provided_buffer_select() must drop the submit lock, if needed, even
in the error handling case. Failure to do so will leave us with the
ctx->uring_lock held, causing spew like:
====================================
WARNING: iou-wrk-366/368 still has locks held!
5.18.0-rc6-00294-gdf8dc7004331 #994 Not tainted
------------------------------------
1 lock held by iou-wrk-366/368:
#0: ffff0000c72598a8 (&ctx->uring_lock){+.+.}-{3:3}, at: io_ring_submit_lock+0x20/0x48
stack backtrace:
CPU: 4 PID: 368 Comm: iou-wrk-366 Not tainted 5.18.0-rc6-00294-gdf8dc7004331 #994
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace.part.0+0xa4/0xd4
show_stack+0x14/0x5c
dump_stack_lvl+0x88/0xb0
dump_stack+0x14/0x2c
debug_check_no_locks_held+0x84/0x90
try_to_freeze.isra.0+0x18/0x44
get_signal+0x94/0x6ec
io_wqe_worker+0x1d8/0x2b4
ret_from_fork+0x10/0x20
and triggering later hangs off get_signal() because we attempt to
re-grab the lock.
Reported-by: syzbot+987d7bb19195ae45208c@syzkaller.appspotmail.com
Fixes: 149c69b04a90 ("io_uring: abstract out provided buffer list selection")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/io_uring.c | 25 |
1 files changed, 14 insertions, 11 deletions
diff --git a/fs/io_uring.c b/fs/io_uring.c
index d4752e192ef9..2322583f9275 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -3467,20 +3467,23 @@ static void __user *io_provided_buffer_select(struct io_kiocb *req, size_t *len,
 struct io_buffer_list *bl,
 unsigned int issue_flags)
 {
- struct io_buffer *kbuf;
+ void __user *ret = ERR_PTR(-ENOBUFS);
- if (list_empty(&bl->buf_list))
- return ERR_PTR(-ENOBUFS);
+ if (!list_empty(&bl->buf_list)) {
+ struct io_buffer *kbuf;
+
+ kbuf = list_first_entry(&bl->buf_list, struct io_buffer, list);
+ list_del(&kbuf->list);
+ if (*len > kbuf->len)
+ *len = kbuf->len;
+ req->flags |= REQ_F_BUFFER_SELECTED;
+ req->kbuf = kbuf;
+ req->buf_index = kbuf->bid;
+ ret = u64_to_user_ptr(kbuf->addr);
+ }
- kbuf = list_first_entry(&bl->buf_list, struct io_buffer, list);
- list_del(&kbuf->list);
- if (*len > kbuf->len)
- *len = kbuf->len;
- req->flags |= REQ_F_BUFFER_SELECTED;
- req->kbuf = kbuf;
- req->buf_index = kbuf->bid;
 io_ring_submit_unlock(req->ctx, issue_flags);
- return u64_to_user_ptr(kbuf->addr);
+ return ret;
 }
 static void __user *io_buffer_select(struct io_kiocb *req, size_t *len, |
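Review bot: The lock contract of io_provided_buffer_select() remains undocumented after this fix: the function releases the submit lock through `io_ring_submit_unlock(req->ctx, issue_flags)` on every path, but nothing at its head says the caller is expected to have taken it, and that implicit rule is what let the -ENOBUFS early return leave ctx->uring_lock held. A comment above the function would keep the next edit from reintroducing an early return, for example `/* Entered with the submit lock taken as issue_flags requires; always drops it before returning, including when the buffer list is empty. */`. The matching io_ring_submit_lock() call is outside this hunk (presumably in io_buffer_select(), whose signature is the last context line), so the acquire side should be checked against the same wording. Since a leaked uring_lock shows up as the lockdep warning and later hang quoted in the description, a lockdep assertion at the call site would also help, if one fits the conditional locking there.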