All of lore.kernel.org
 help / color / mirror / Atom feed
From: Pavel Begunkov <asml.silence@gmail.com>
To: stable@vger.kernel.org
Cc: Jens Axboe <axboe@kernel.dk>,
	syzbot+6879187cf57845801267@syzkaller.appspotmail.com
Subject: [PATCH 13/16] io_uring: fix list corruption for splice file_get
Date: Tue,  9 Feb 2021 04:47:47 +0000	[thread overview]
Message-ID: <f3cb58e6def11ded052a0820b5f95dc9c8152ccb.1612845821.git.asml.silence@gmail.com> (raw)
In-Reply-To: <cover.1612845821.git.asml.silence@gmail.com>

[ Upstream commit f609cbb8911e40e15f9055e8f945f926ac906924 ]

kernel BUG at lib/list_debug.c:29!
Call Trace:
 __list_add include/linux/list.h:67 [inline]
 list_add include/linux/list.h:86 [inline]
 io_file_get+0x8cc/0xdb0 fs/io_uring.c:6466
 __io_splice_prep+0x1bc/0x530 fs/io_uring.c:3866
 io_splice_prep fs/io_uring.c:3920 [inline]
 io_req_prep+0x3546/0x4e80 fs/io_uring.c:6081
 io_queue_sqe+0x609/0x10d0 fs/io_uring.c:6628
 io_submit_sqe fs/io_uring.c:6705 [inline]
 io_submit_sqes+0x1495/0x2720 fs/io_uring.c:6953
 __do_sys_io_uring_enter+0x107d/0x1f30 fs/io_uring.c:9353
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

io_file_get() may be called from splice, and so REQ_F_INFLIGHT may
already be set.

Fixes: 02a13674fa0e8 ("io_uring: account io_uring internal files as REQ_F_INFLIGHT")
Cc: stable@vger.kernel.org # 5.9+
Reported-by: syzbot+6879187cf57845801267@syzkaller.appspotmail.com
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
---
 fs/io_uring.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/io_uring.c b/fs/io_uring.c
index b09a59edf6aa..296b4cb44c7d 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -6170,7 +6170,8 @@ static struct file *io_file_get(struct io_submit_state *state,
 		file = __io_file_get(state, fd);
 	}
 
-	if (file && file->f_op == &io_uring_fops) {
+	if (file && file->f_op == &io_uring_fops &&
+	    !(req->flags & REQ_F_INFLIGHT)) {
 		io_req_init_async(req);
 		req->flags |= REQ_F_INFLIGHT;
 
-- 
2.24.0


  parent reply	other threads:[~2021-02-09  4:53 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-02-09  4:47 [PATCH stable 5.10 00/16] stable 5.10 backports Pavel Begunkov
2021-02-09  4:47 ` [PATCH 01/16] io_uring: simplify io_task_match() Pavel Begunkov
2021-02-09  4:47 ` [PATCH 02/16] io_uring: add a {task,files} pair matching helper Pavel Begunkov
2021-02-09  4:47 ` [PATCH 03/16] io_uring: don't iterate io_uring_cancel_files() Pavel Begunkov
2021-02-09  4:47 ` [PATCH 04/16] io_uring: pass files into kill timeouts/poll Pavel Begunkov
2021-02-09  4:47 ` [PATCH 05/16] io_uring: always batch cancel in *cancel_files() Pavel Begunkov
2021-02-09  4:47 ` [PATCH 06/16] io_uring: fix files cancellation Pavel Begunkov
2021-02-09  4:47 ` [PATCH 07/16] io_uring: account io_uring internal files as REQ_F_INFLIGHT Pavel Begunkov
2021-02-09  4:47 ` [PATCH 08/16] io_uring: if we see flush on exit, cancel related tasks Pavel Begunkov
2021-02-09  4:47 ` [PATCH 09/16] io_uring: fix __io_uring_files_cancel() with TASK_UNINTERRUPTIBLE Pavel Begunkov
2021-02-09  4:47 ` [PATCH 10/16] io_uring: replace inflight_wait with tctx->wait Pavel Begunkov
2021-02-09  4:47 ` [PATCH 11/16] io_uring: fix cancellation taking mutex while TASK_UNINTERRUPTIBLE Pavel Begunkov
2021-02-09  4:47 ` [PATCH 12/16] io_uring: fix flush cqring overflow list while TASK_INTERRUPTIBLE Pavel Begunkov
2021-02-09  4:47 ` Pavel Begunkov [this message]
2021-02-09  4:47 ` [PATCH 14/16] io_uring: fix sqo ownership false positive warning Pavel Begunkov
2021-02-09  4:47 ` [PATCH 15/16] io_uring: reinforce cancel on flush during exit Pavel Begunkov
2021-02-09  4:47 ` [PATCH 16/16] io_uring: drop mm/files between task_work_submit Pavel Begunkov
2021-02-10 14:09 ` [PATCH stable 5.10 00/16] stable 5.10 backports Greg KH

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=f3cb58e6def11ded052a0820b5f95dc9c8152ccb.1612845821.git.asml.silence@gmail.com \
    --to=asml.silence@gmail.com \
    --cc=axboe@kernel.dk \
    --cc=stable@vger.kernel.org \
    --cc=syzbot+6879187cf57845801267@syzkaller.appspotmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.