Re: [PATCH] io_uring: fix link timeout refs

From: Pavel Begunkov <asml.silence@gmail.com>
To: stable@vger.kernel.org
Cc: Jens Axboe <axboe@kernel.dk>, Sasha Levin <sashal@kernel.org>,
	Sudip Mukherjee <sudipm.mukherjee@gmail.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	syzbot+a2910119328ce8e7996f@syzkaller.appspotmail.com
Subject: Re: [PATCH] io_uring: fix link timeout refs
Date: Mon, 26 Jul 2021 16:22:06 +0100	[thread overview]
Message-ID: <6564af0e-72b0-5308-4561-706ec4026385@gmail.com> (raw)
In-Reply-To: <caf9dc2dc29367bb38fee4064b7d562d9837e441.1627312513.git.asml.silence@gmail.com>

On 7/26/21 4:17 PM, Pavel Begunkov wrote:
> [ Upstream commit a298232ee6b9a1d5d732aa497ff8be0d45b5bd82 ]

Looking at it, it just reverts the backported patch,
i.e. 0b2a990e5d2f76d020cb840c456e6ec5f0c27530.
Wasn't needed in 5.10 in the first place.

Sudip, would be great if you can try it out

> WARNING: CPU: 0 PID: 10242 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
> RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28
> Call Trace:
>  __refcount_sub_and_test include/linux/refcount.h:283 [inline]
>  __refcount_dec_and_test include/linux/refcount.h:315 [inline]
>  refcount_dec_and_test include/linux/refcount.h:333 [inline]
>  io_put_req fs/io_uring.c:2140 [inline]
>  io_queue_linked_timeout fs/io_uring.c:6300 [inline]
>  __io_queue_sqe+0xbef/0xec0 fs/io_uring.c:6354
>  io_submit_sqe fs/io_uring.c:6534 [inline]
>  io_submit_sqes+0x2bbd/0x7c50 fs/io_uring.c:6660
>  __do_sys_io_uring_enter fs/io_uring.c:9240 [inline]
>  __se_sys_io_uring_enter+0x256/0x1d60 fs/io_uring.c:9182
> 
> io_link_timeout_fn() should put only one reference of the linked timeout
> request, however in case of racing with the master request's completion
> first io_req_complete() puts one and then io_put_req_deferred() is
> called.
> 
> Cc: stable@vger.kernel.org # 5.12+
> Fixes: 9ae1f8dd372e0 ("io_uring: fix inconsistent lock state")
> Reported-by: syzbot+a2910119328ce8e7996f@syzkaller.appspotmail.com
> Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
> Link: https://lore.kernel.org/r/ff51018ff29de5ffa76f09273ef48cb24c720368.1620417627.git.asml.silence@gmail.com
> Signed-off-by: Jens Axboe <axboe@kernel.dk>
> ---
>  fs/io_uring.c | 1 -
>  1 file changed, 1 deletion(-)
> 
> diff --git a/fs/io_uring.c b/fs/io_uring.c
> index 42153106b7bc..42439838eaf7 100644
> --- a/fs/io_uring.c
> +++ b/fs/io_uring.c
> @@ -6260,7 +6260,6 @@ static enum hrtimer_restart io_link_timeout_fn(struct hrtimer *timer)
>  	if (prev) {
>  		io_async_find_and_cancel(ctx, req, prev->user_data, -ETIME);
>  		io_put_req_deferred(prev, 1);
> -		io_put_req_deferred(req, 1);
>  	} else {
>  		io_cqring_add_event(req, -ETIME, 0);
>  		io_put_req_deferred(req, 1);
> 

-- 
Pavel Begunkov