From: Pavel Begunkov
To: Jens Axboe, io-uring@vger.kernel.org
Subject: [RFC][BUG] io_uring: fix work corruption for poll_add
Date: Thu, 23 Jul 2020 21:12:30 +0300
Message-Id:
X-Mailer: git-send-email 2.24.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: io-uring-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: io-uring@vger.kernel.org

poll_add can have req->work initialised, which will be overwritten in
__io_arm_poll_handler() because of the union. Luckily, hash_node is
zeroed in the end, so the damage is limited to a lost put for
work.creds, and probably a corrupted work.list.

That's the easiest and really dirty fix: it rearranges members in the
union so that arm_poll*() modifies and zeroes only work.files and
work.mm, which are never taken for poll add.

Note: io_kiocb is exactly 4 cachelines now.

Signed-off-by: Pavel Begunkov
---
 fs/io_uring.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 32b0064f806e..58e6f7d938b6 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -669,12 +669,12 @@ struct io_kiocb {
 		 * restore the work, if needed.
 		 */
 		struct {
-			struct callback_head	task_work;
-			struct hlist_node	hash_node;
 			struct async_poll	*apoll;
+			struct hlist_node	hash_node;
 		};
 		struct io_wq_work	work;
 	};
+	struct callback_head	task_work;
 };
 
 #define IO_PLUG_THRESHOLD		2
-- 
2.24.0
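Review bot: Nothing in this hunk documents or enforces the layout assumption the fix depends on, namely that the anonymous struct's members (apoll, then hash_node) overlay only those leading io_wq_work members that a poll_add request never uses; the comment above the struct, which ends with `* restore the work, if needed.`, should be extended to state that invariant, and a BUILD_BUG_ON() comparing offsetof()/sizeof() of hash_node against work.creds would turn a later reordering of either struct into a build failure instead of silently reintroducing the lost creds put and work.list corruption the changelog describes. Separately, moving the member out of the union with `+	struct callback_head	task_work;` grows io_kiocb by sizeof(struct callback_head); the "exactly 4 cachelines" claim in the changelog is worth pinning in the code as well, for example with a size assertion next to the struct definition, so that the next addition to io_kiocb does not quietly spill into a fifth line.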
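To make the aliasing the changelog describes concrete, the following added example (not the patch's or the kernel's code) models the io_kiocb union before and after the change with constructed stand-in types and checks, with offsetof()/sizeof() arithmetic of the kind one would put behind a BUILD_BUG_ON(), which io_wq_work members the poll bookkeeping overlays. It also simulates arming a poll on a request that already holds work.creds by zeroing hash_node, as INIT_HLIST_NODE() does, and reports whether creds survives. The io_wq_work member order used here (list, files, mm, creds, fs, flags) and the LP64 pointer sizes are assumptions, since the patch does not show that struct; the function names are hypothetical.

```c
/*
 * Constructed model of the io_kiocb union before and after the patch, used to
 * check which io_wq_work members the poll bookkeeping overlays. Stand-in types
 * only (not kernel code); the io_wq_work member order is an assumption.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct callback_head { struct callback_head *next; void (*func)(struct callback_head *); };
struct hlist_node { struct hlist_node *next, **pprev; };
struct io_wq_work_node { struct io_wq_work_node *next; };
struct async_poll;                      /* opaque; only a pointer is stored */

/* Assumed layout of struct io_wq_work (pointer-sized fields on LP64) */
struct io_wq_work {
	struct io_wq_work_node list;
	void *files;                        /* struct files_struct * */
	void *mm;                           /* struct mm_struct * */
	const void *creds;                  /* const struct cred * */
	void *fs;                           /* struct fs_struct * */
	unsigned int flags;
};

/* Layout before the patch: all three poll members alias work */
struct kiocb_before {
	union {
		struct {
			struct callback_head task_work;
			struct hlist_node hash_node;
			struct async_poll *apoll;
		};
		struct io_wq_work work;
	};
};

/* Layout after the patch: task_work leaves the union, hash_node moves down */
struct kiocb_after {
	union {
		struct {
			struct async_poll *apoll;
			struct hlist_node hash_node;
		};
		struct io_wq_work work;
	};
	struct callback_head task_work;
};

/* True if byte ranges [a, a+alen) and [b, b+blen) intersect */
static int ranges_overlap(size_t a, size_t alen, size_t b, size_t blen)
{
	return a < b + blen && b < a + alen;
}

/* Do members a and b of struct type share any bytes? The expression is a
 * compile-time constant, so it is usable inside a BUILD_BUG_ON(). */
#define MEMBER_OVERLAPS(type, a, b) \
	ranges_overlap(offsetof(type, a), sizeof(((type *)0)->a), \
		       offsetof(type, b), sizeof(((type *)0)->b))

int before_hash_node_overlaps_creds(void)
{ return MEMBER_OVERLAPS(struct kiocb_before, hash_node, work.creds); }
int before_task_work_overlaps_list(void)
{ return MEMBER_OVERLAPS(struct kiocb_before, task_work, work.list); }
int after_hash_node_overlaps_creds(void)
{ return MEMBER_OVERLAPS(struct kiocb_after, hash_node, work.creds); }
int after_hash_node_overlaps_files_mm(void)
{ return MEMBER_OVERLAPS(struct kiocb_after, hash_node, work.files) &&
	 MEMBER_OVERLAPS(struct kiocb_after, hash_node, work.mm); }
int after_task_work_overlaps_work(void)
{ return MEMBER_OVERLAPS(struct kiocb_after, task_work, work); }

/* Simulate arming a poll on a request whose work.creds is already set:
 * INIT_HLIST_NODE() zeroes hash_node. Returns 1 if creds survives. */
int creds_survive_arm_before(void)
{
	struct kiocb_before req;
	const void *sentinel = &req;

	memset(&req, 0, sizeof(req));
	req.work.creds = sentinel;          /* taken earlier for the request */
	memset(&req.hash_node, 0, sizeof(req.hash_node));
	return req.work.creds == sentinel;
}

int creds_survive_arm_after(void)
{
	struct kiocb_after req;
	const void *sentinel = &req;

	memset(&req, 0, sizeof(req));
	req.work.creds = sentinel;
	memset(&req.hash_node, 0, sizeof(req.hash_node));
	return req.work.creds == sentinel;
}

int main(void)
{
	printf("before: hash_node aliases work.creds = %d, creds survive arm = %d\n",
	       before_hash_node_overlaps_creds(), creds_survive_arm_before());
	printf("after:  hash_node aliases work.creds = %d, creds survive arm = %d\n",
	       after_hash_node_overlaps_creds(), creds_survive_arm_after());
	return 0;
}
```

Under the assumed layout the before-model reproduces both symptoms in the changelog (hash_node lands on work.mm/work.creds, task_work on work.list) and the after-model leaves hash_node over work.files/work.mm only, with task_work outside the union entirely; the MEMBER_OVERLAPS() condition is what a BUILD_BUG_ON() next to the struct would check.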