[ Upstream commit a298232ee6b9a1d5d732aa497ff8be0d45b5bd82 ]
WARNING: CPU: 0 PID: 10242 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28 RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28 Call Trace: __refcount_sub_and_test include/linux/refcount.h:283 [inline] __refcount_dec_and_test include/linux/refcount.h:315 [inline] refcount_dec_and_test include/linux/refcount.h:333 [inline] io_put_req fs/io_uring.c:2140 [inline] io_queue_linked_timeout fs/io_uring.c:6300 [inline] __io_queue_sqe+0xbef/0xec0 fs/io_uring.c:6354 io_submit_sqe fs/io_uring.c:6534 [inline] io_submit_sqes+0x2bbd/0x7c50 fs/io_uring.c:6660 __do_sys_io_uring_enter fs/io_uring.c:9240 [inline] __se_sys_io_uring_enter+0x256/0x1d60 fs/io_uring.c:9182
io_link_timeout_fn() should put only one reference of the linked timeout request, however in case of racing with the master request's completion first io_req_complete() puts one and then io_put_req_deferred() is called.
Cc: stable@vger.kernel.org # 5.12+ Fixes: 9ae1f8dd372e0 ("io_uring: fix inconsistent lock state") Reported-by: syzbot+a2910119328ce8e7996f@syzkaller.appspotmail.com Signed-off-by: Pavel Begunkov asml.silence@gmail.com Link: https://lore.kernel.org/r/ff51018ff29de5ffa76f09273ef48cb24c720368.162041762... Signed-off-by: Jens Axboe axboe@kernel.dk --- fs/io_uring.c | 1 - 1 file changed, 1 deletion(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c index 42153106b7bc..42439838eaf7 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -6260,7 +6260,6 @@ static enum hrtimer_restart io_link_timeout_fn(struct hrtimer *timer) if (prev) { io_async_find_and_cancel(ctx, req, prev->user_data, -ETIME); io_put_req_deferred(prev, 1); - io_put_req_deferred(req, 1); } else { io_cqring_add_event(req, -ETIME, 0); io_put_req_deferred(req, 1);
On 7/26/21 4:17 PM, Pavel Begunkov wrote:
[ Upstream commit a298232ee6b9a1d5d732aa497ff8be0d45b5bd82 ]
Looking at it, it just reverts the backported patch, i.e. 0b2a990e5d2f76d020cb840c456e6ec5f0c27530. Wasn't needed in 5.10 in the first place.
Sudip, would be great if you can try it out
WARNING: CPU: 0 PID: 10242 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28 RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28 Call Trace: __refcount_sub_and_test include/linux/refcount.h:283 [inline] __refcount_dec_and_test include/linux/refcount.h:315 [inline] refcount_dec_and_test include/linux/refcount.h:333 [inline] io_put_req fs/io_uring.c:2140 [inline] io_queue_linked_timeout fs/io_uring.c:6300 [inline] __io_queue_sqe+0xbef/0xec0 fs/io_uring.c:6354 io_submit_sqe fs/io_uring.c:6534 [inline] io_submit_sqes+0x2bbd/0x7c50 fs/io_uring.c:6660 __do_sys_io_uring_enter fs/io_uring.c:9240 [inline] __se_sys_io_uring_enter+0x256/0x1d60 fs/io_uring.c:9182
io_link_timeout_fn() should put only one reference of the linked timeout request, however in case of racing with the master request's completion first io_req_complete() puts one and then io_put_req_deferred() is called.
Cc: stable@vger.kernel.org # 5.12+ Fixes: 9ae1f8dd372e0 ("io_uring: fix inconsistent lock state") Reported-by: syzbot+a2910119328ce8e7996f@syzkaller.appspotmail.com Signed-off-by: Pavel Begunkov asml.silence@gmail.com Link: https://lore.kernel.org/r/ff51018ff29de5ffa76f09273ef48cb24c720368.162041762... Signed-off-by: Jens Axboe axboe@kernel.dk
fs/io_uring.c | 1 - 1 file changed, 1 deletion(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c index 42153106b7bc..42439838eaf7 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -6260,7 +6260,6 @@ static enum hrtimer_restart io_link_timeout_fn(struct hrtimer *timer) if (prev) { io_async_find_and_cancel(ctx, req, prev->user_data, -ETIME); io_put_req_deferred(prev, 1);
io_put_req_deferred(req, 1);
On Mon, Jul 26, 2021 at 4:22 PM Pavel Begunkov asml.silence@gmail.com wrote:
On 7/26/21 4:17 PM, Pavel Begunkov wrote:
[ Upstream commit a298232ee6b9a1d5d732aa497ff8be0d45b5bd82 ]
Looking at it, it just reverts the backported patch, i.e. 0b2a990e5d2f76d020cb840c456e6ec5f0c27530. Wasn't needed in 5.10 in the first place.
Sudip, would be great if you can try it out
Applied on top of v5.10.54-rc2 and tested, issue not reproduced. Thanks Pavel.
Tested-by: Sudip Mukherjee sudip.mukherjee@codethink.co.uk
On Mon, Jul 26, 2021 at 06:07:52PM +0100, Sudip Mukherjee wrote:
On Mon, Jul 26, 2021 at 4:22 PM Pavel Begunkov asml.silence@gmail.com wrote:
On 7/26/21 4:17 PM, Pavel Begunkov wrote:
[ Upstream commit a298232ee6b9a1d5d732aa497ff8be0d45b5bd82 ]
Looking at it, it just reverts the backported patch, i.e. 0b2a990e5d2f76d020cb840c456e6ec5f0c27530. Wasn't needed in 5.10 in the first place.
Sudip, would be great if you can try it out
Applied on top of v5.10.54-rc2 and tested, issue not reproduced. Thanks Pavel.
Tested-by: Sudip Mukherjee sudip.mukherjee@codethink.co.uk
So this is all good in the latest 5.10.54 release, right?
thanks,
greg k-h
On 7/28/21 5:13 PM, Greg Kroah-Hartman wrote:
On Mon, Jul 26, 2021 at 06:07:52PM +0100, Sudip Mukherjee wrote:
On Mon, Jul 26, 2021 at 4:22 PM Pavel Begunkov asml.silence@gmail.com wrote:
On 7/26/21 4:17 PM, Pavel Begunkov wrote:
[ Upstream commit a298232ee6b9a1d5d732aa497ff8be0d45b5bd82 ]
Looking at it, it just reverts the backported patch, i.e. 0b2a990e5d2f76d020cb840c456e6ec5f0c27530. Wasn't needed in 5.10 in the first place.
Sudip, would be great if you can try it out
Applied on top of v5.10.54-rc2 and tested, issue not reproduced. Thanks Pavel.
Tested-by: Sudip Mukherjee sudip.mukherjee@codethink.co.uk
So this is all good in the latest 5.10.54 release, right?
Right. And you can either take this or revert 0b2a990e5d2f76d0, both ways are identical.
On Wed, Jul 28, 2021 at 05:30:22PM +0100, Pavel Begunkov wrote:
On 7/28/21 5:13 PM, Greg Kroah-Hartman wrote:
On Mon, Jul 26, 2021 at 06:07:52PM +0100, Sudip Mukherjee wrote:
On Mon, Jul 26, 2021 at 4:22 PM Pavel Begunkov asml.silence@gmail.com wrote:
On 7/26/21 4:17 PM, Pavel Begunkov wrote:
[ Upstream commit a298232ee6b9a1d5d732aa497ff8be0d45b5bd82 ]
Looking at it, it just reverts the backported patch, i.e. 0b2a990e5d2f76d020cb840c456e6ec5f0c27530. Wasn't needed in 5.10 in the first place.
Sudip, would be great if you can try it out
Applied on top of v5.10.54-rc2 and tested, issue not reproduced. Thanks Pavel.
Tested-by: Sudip Mukherjee sudip.mukherjee@codethink.co.uk
So this is all good in the latest 5.10.54 release, right?
Right. And you can either take this or revert 0b2a990e5d2f76d0, both ways are identical.
Ah, I missed this, for some reason I thought this was already address. Ok, now queued up. Hopefully this is now fixed...
greg k-h
linux-stable-mirror@lists.linaro.org
-
Greg Kroah-Hartman -
Pavel Begunkov -
Sudip Mukherjee