From: Linus Torvalds
Date: Mon, 22 Apr 2019 09:23:53 -0700
Subject: Re: WARNING in percpu_ref_kill_and_confirm
To: syzbot
Cc: Arnd Bergmann, Jens Axboe, Borislav Petkov, "Darrick J. Wong", Greg Kroah-Hartman, Peter Anvin, Linux API, linux-arch, linux-block, linux-fsdevel, Linux List Kernel Mailing, Andrew Lutomirski, Mathieu Desnoyers, Ingo Molnar, Michael Ellerman, syzkaller-bugs, Thomas Gleixner, Al Viro, "the arch/x86 maintainers"
X-Mailing-List: linux-fsdevel@vger.kernel.org

On Mon, Apr 22, 2019 at 9:06 AM syzbot wrote:
>
>
> The bug was bisected to:
>
> commit 38e7571c07be01f9f19b355a9306a4e3d5cb0f5b
> Author: Linus Torvalds
> Date: Fri Mar 8 22:48:40 2019 +0000
>
> Merge tag 'io_uring-2019-03-06' of git://git.kernel.dk/linux-block
>
> percpu_ref_kill_and_confirm called more than once on io_ring_ctx_ref_free!

So I don't see how that happens in the original code (because __io_uring_register() is called with the uring_lock held), but let's see.

HOWEVER.

I do see how it happens now as of the latest kernel as of commit b19062a56726 ("io_uring: fix possible deadlock between io_uring_{enter,register}") where the code explicitly drops the mutex in order to wait for other uring users to finish.

So Jens, I think that commit was buggy. I suspect that io_uring_register() should perhaps do something like

--- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -2934,7 +2934,10 @@ static int __io_uring_register(struct io_ring_ctx *ctx, unsigned opcode, { int ret; + if (!percpu_ref_tryget(&ctx->refs)) + return -EBUSY; percpu_ref_kill(&ctx->refs); + percpu_ref_put(&ctx->refs); /* * Drop uring mutex before waiting for references to exit. If another

to guarantee that it's the *only* case of io_uring_register() doing that kill.

Hmm?

Linus
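
Review bot: the `percpu_ref_tryget(&ctx->refs)` guard added ahead of `percpu_ref_kill(&ctx->refs)` does not reject a second caller in the case this patch is aimed at. `percpu_ref_tryget()` fails only once the count has reached zero; a ref that has already been killed but still has users outstanding, which is the state while the first caller has dropped the mutex and is waiting, still passes the check, so `percpu_ref_kill()` can run a second time. Checking `percpu_ref_is_dying(&ctx->refs)` before the kill, or using `percpu_ref_tryget_live()` for the guard, would fail on the already-killed ref instead. The new `-EBUSY` return also deserves a mention in the comment that follows, since callers can now see it when another registration is in progress.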