From: gregkh@linuxfoundation.org
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+28abd693db9e92c160d8@syzkaller.appspotmail.com,
Jens Axboe <axboe@kernel.dk>
Subject: [PATCH 5.11 22/44] io_uring: ignore double poll add on the same waitqueue head
Date: Mon, 8 Mar 2021 13:35:00 +0100 [thread overview]
Message-ID: <20210308122719.669881575@linuxfoundation.org> (raw)
In-Reply-To: <20210308122718.586629218@linuxfoundation.org>
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
From: Jens Axboe <axboe@kernel.dk>
commit 1c3b3e6527e57156bf4082f11c2151957560fe6a upstream.
syzbot reports a deadlock, attempting to lock the same spinlock twice:
============================================
WARNING: possible recursive locking detected
5.11.0-syzkaller #0 Not tainted
--------------------------------------------
swapper/1/0 is trying to acquire lock:
ffff88801b2b1130 (&runtime->sleep){..-.}-{2:2}, at: spin_lock include/linux/spinlock.h:354 [inline]
ffff88801b2b1130 (&runtime->sleep){..-.}-{2:2}, at: io_poll_double_wake+0x25f/0x6a0 fs/io_uring.c:4960
but task is already holding lock:
ffff88801b2b3130 (&runtime->sleep){..-.}-{2:2}, at: __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:137
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&runtime->sleep);
lock(&runtime->sleep);
*** DEADLOCK ***
May be due to missing lock nesting notation
2 locks held by swapper/1/0:
#0: ffff888147474908 (&group->lock){..-.}-{2:2}, at: _snd_pcm_stream_lock_irqsave+0x9f/0xd0 sound/core/pcm_native.c:170
#1: ffff88801b2b3130 (&runtime->sleep){..-.}-{2:2}, at: __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:137
stack backtrace:
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.11.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:79 [inline]
dump_stack+0xfa/0x151 lib/dump_stack.c:120
print_deadlock_bug kernel/locking/lockdep.c:2829 [inline]
check_deadlock kernel/locking/lockdep.c:2872 [inline]
validate_chain kernel/locking/lockdep.c:3661 [inline]
__lock_acquire.cold+0x14c/0x3b4 kernel/locking/lockdep.c:4900
lock_acquire kernel/locking/lockdep.c:5510 [inline]
lock_acquire+0x1ab/0x730 kernel/locking/lockdep.c:5475
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151
spin_lock include/linux/spinlock.h:354 [inline]
io_poll_double_wake+0x25f/0x6a0 fs/io_uring.c:4960
__wake_up_common+0x147/0x650 kernel/sched/wait.c:108
__wake_up_common_lock+0xd0/0x130 kernel/sched/wait.c:138
snd_pcm_update_state+0x46a/0x540 sound/core/pcm_lib.c:203
snd_pcm_update_hw_ptr0+0xa75/0x1a50 sound/core/pcm_lib.c:464
snd_pcm_period_elapsed+0x160/0x250 sound/core/pcm_lib.c:1805
dummy_hrtimer_callback+0x94/0x1b0 sound/drivers/dummy.c:378
__run_hrtimer kernel/time/hrtimer.c:1519 [inline]
__hrtimer_run_queues+0x609/0xe40 kernel/time/hrtimer.c:1583
hrtimer_run_softirq+0x17b/0x360 kernel/time/hrtimer.c:1600
__do_softirq+0x29b/0x9f6 kernel/softirq.c:345
invoke_softirq kernel/softirq.c:221 [inline]
__irq_exit_rcu kernel/softirq.c:422 [inline]
irq_exit_rcu+0x134/0x200 kernel/softirq.c:434
sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1100
</IRQ>
asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632
RIP: 0010:native_save_fl arch/x86/include/asm/irqflags.h:29 [inline]
RIP: 0010:arch_local_save_flags arch/x86/include/asm/irqflags.h:70 [inline]
RIP: 0010:arch_irqs_disabled arch/x86/include/asm/irqflags.h:137 [inline]
RIP: 0010:acpi_safe_halt drivers/acpi/processor_idle.c:111 [inline]
RIP: 0010:acpi_idle_do_entry+0x1c9/0x250 drivers/acpi/processor_idle.c:516
Code: dd 38 6e f8 84 db 75 ac e8 54 32 6e f8 e8 0f 1c 74 f8 e9 0c 00 00 00 e8 45 32 6e f8 0f 00 2d 4e 4a c5 00 e8 39 32 6e f8 fb f4 <9c> 5b 81 e3 00 02 00 00 fa 31 ff 48 89 de e8 14 3a 6e f8 48 85 db
RSP: 0018:ffffc90000d47d18 EFLAGS: 00000293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff8880115c3780 RSI: ffffffff89052537 RDI: 0000000000000000
RBP: ffff888141127064 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff81794168 R11: 0000000000000000 R12: 0000000000000001
R13: ffff888141127000 R14: ffff888141127064 R15: ffff888143331804
acpi_idle_enter+0x361/0x500 drivers/acpi/processor_idle.c:647
cpuidle_enter_state+0x1b1/0xc80 drivers/cpuidle/cpuidle.c:237
cpuidle_enter+0x4a/0xa0 drivers/cpuidle/cpuidle.c:351
call_cpuidle kernel/sched/idle.c:158 [inline]
cpuidle_idle_call kernel/sched/idle.c:239 [inline]
do_idle+0x3e1/0x590 kernel/sched/idle.c:300
cpu_startup_entry+0x14/0x20 kernel/sched/idle.c:397
start_secondary+0x274/0x350 arch/x86/kernel/smpboot.c:272
secondary_startup_64_no_verify+0xb0/0xbb
which is due to the driver doing poll_wait() twice on the same
wait_queue_head. That is perfectly valid, but from checking the rest
of the kernel tree, it's the only driver that does this.
We can handle this just fine, we just need to ignore the second addition
as we'll get woken just fine on the first one.
Cc: stable@vger.kernel.org # 5.8+
Fixes: 18bceab101ad ("io_uring: allow POLL_ADD with double poll_wait() users")
Reported-by: syzbot+28abd693db9e92c160d8@syzkaller.appspotmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/io_uring.c | 3 +++
1 file changed, 3 insertions(+)
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -5316,6 +5316,9 @@ static void __io_queue_proc(struct io_po
pt->error = -EINVAL;
return;
}
+ /* double add on the same waitqueue head, ignore */
+ if (poll->head == head)
+ return;
poll = kmalloc(sizeof(*poll), GFP_ATOMIC);
if (!poll) {
pt->error = -ENOMEM;
next prev parent reply other threads:[~2021-03-08 12:36 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-08 12:34 [PATCH 5.11 00/44] 5.11.5-rc1 review gregkh
2021-03-08 12:34 ` [PATCH 5.11 01/44] ALSA: hda/realtek: Enable headset mic of Acer SWIFT with ALC256 gregkh
2021-03-08 12:34 ` [PATCH 5.11 02/44] ALSA: usb-audio: use Corsair Virtuoso mapping for Corsair Virtuoso SE gregkh
2021-03-08 12:34 ` [PATCH 5.11 03/44] ALSA: usb-audio: Dont abort even if the clock rate differs gregkh
2021-03-08 12:34 ` [PATCH 5.11 04/44] ALSA: usb-audio: Drop bogus dB range in too low level gregkh
2021-03-08 12:34 ` [PATCH 5.11 05/44] ALSA: usb-audio: Allow modifying parameters with succeeding hw_params calls gregkh
2021-03-08 12:34 ` [PATCH 5.11 06/44] tpm, tpm_tis: Decorate tpm_tis_gen_interrupt() with request_locality() gregkh
2021-03-08 12:34 ` [PATCH 5.11 07/44] tpm, tpm_tis: Decorate tpm_get_timeouts() " gregkh
2021-03-08 12:34 ` [PATCH 5.11 08/44] btrfs: avoid double put of block group when emptying cluster gregkh
2021-03-08 12:34 ` [PATCH 5.11 09/44] btrfs: fix raid6 qstripe kmap gregkh
2021-03-08 12:34 ` [PATCH 5.11 10/44] btrfs: fix race between writes to swap files and scrub gregkh
2021-03-08 12:34 ` [PATCH 5.11 11/44] btrfs: fix race between swap file activation and snapshot creation gregkh
2021-03-08 12:34 ` [PATCH 5.11 12/44] btrfs: fix stale data exposure after cloning a hole with NO_HOLES enabled gregkh
2021-03-08 12:34 ` [PATCH 5.11 13/44] btrfs: tree-checker: do not error out if extent ref hash doesnt match gregkh
2021-03-08 12:34 ` [PATCH 5.11 14/44] btrfs: fix race between extent freeing/allocation when using bitmaps gregkh
2021-03-08 12:34 ` [PATCH 5.11 15/44] btrfs: validate qgroup inherit for SNAP_CREATE_V2 ioctl gregkh
2021-03-08 12:34 ` [PATCH 5.11 16/44] btrfs: free correct amount of space in btrfs_delayed_inode_reserve_metadata gregkh
2021-03-08 12:34 ` [PATCH 5.11 17/44] btrfs: fix spurious free_space_tree remount warning gregkh
2021-03-08 12:34 ` [PATCH 5.11 18/44] btrfs: unlock extents in btrfs_zero_range in case of quota reservation errors gregkh
2021-03-08 12:34 ` [PATCH 5.11 19/44] btrfs: fix warning when creating a directory with smack enabled gregkh
2021-03-08 12:34 ` [PATCH 5.11 20/44] PM: runtime: Update device status before letting suppliers suspend gregkh
2021-03-08 12:34 ` [PATCH 5.11 21/44] ring-buffer: Force before_stamp and write_stamp to be different on discard gregkh
2021-03-08 12:35 ` gregkh [this message]
2021-03-08 12:35 ` [PATCH 5.11 23/44] dm bufio: subtract the number of initial sectors in dm_bufio_get_device_size gregkh
2021-03-08 12:35 ` [PATCH 5.11 24/44] dm verity: fix FEC for RS roots unaligned to block size gregkh
2021-03-08 12:35 ` [PATCH 5.11 25/44] drm/amd/pm: correct Arcturus mmTHM_BACO_CNTL register address gregkh
2021-03-08 12:35 ` [PATCH 5.11 26/44] drm/amdgpu:disable VCN for Navi12 SKU gregkh
2021-03-08 12:35 ` [PATCH 5.11 27/44] drm/amdgpu: Only check for S0ix if AMD_PMC is configured gregkh
2021-03-08 12:35 ` [PATCH 5.11 28/44] drm/amdgpu: fix parameter error of RREG32_PCIE() in amdgpu_regs_pcie gregkh
2021-03-08 12:35 ` [PATCH 5.11 29/44] crypto - shash: reduce minimum alignment of shash_desc structure gregkh
2021-03-08 12:35 ` [PATCH 5.11 30/44] ALSA: ctxfi: cthw20k2: fix mask on conf to allow 4 bits gregkh
2021-03-08 12:35 ` [PATCH 5.11 31/44] ALSA: usb-audio: Fix Pioneer DJM devices URB_CONTROL request direction to set samplerate gregkh
2021-03-08 12:35 ` [PATCH 5.11 32/44] RDMA/cm: Fix IRQ restore in ib_send_cm_sidr_rep gregkh
2021-03-08 12:35 ` [PATCH 5.11 33/44] RDMA/rxe: Fix missing kconfig dependency on CRYPTO gregkh
2021-03-08 12:35 ` [PATCH 5.11 34/44] IB/mlx5: Add missing error code gregkh
2021-03-08 12:35 ` [PATCH 5.11 35/44] ALSA: hda: intel-nhlt: verify config type gregkh
2021-03-08 12:35 ` [PATCH 5.11 36/44] ftrace: Have recordmcount use w8 to read relp->r_info in arm64_is_fake_mcount gregkh
2021-03-08 12:35 ` [PATCH 5.11 37/44] ia64: dont call handle_signal() unless theres actually a signal queued gregkh
2021-03-08 12:35 ` [PATCH 5.11 38/44] rsxx: Return -EFAULT if copy_to_user() fails gregkh
2021-03-08 12:35 ` [PATCH 5.11 39/44] iommu/tegra-smmu: Fix mc errors on tegra124-nyan gregkh
2021-03-08 12:35 ` [PATCH 5.11 40/44] iommu: Dont use lazy flush for untrusted device gregkh
2021-03-08 12:35 ` [PATCH 5.11 41/44] iommu/vt-d: Fix status code for Allocate/Free PASID command gregkh
2021-03-08 12:35 ` [PATCH 5.11 42/44] btrfs: zoned: use sector_t for zone sectors gregkh
2021-03-08 12:35 ` [PATCH 5.11 43/44] tomoyo: recognize kernel threads correctly gregkh
2021-03-08 12:35 ` [PATCH 5.11 44/44] r8169: fix resuming from suspend on RTL8105e if machine runs on battery gregkh
2021-03-08 22:29 ` [PATCH 5.11 00/44] 5.11.5-rc1 review Guenter Roeck
2021-03-09 10:26 ` Greg KH
2021-03-09 4:22 ` Naresh Kamboju
2021-03-09 10:26 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210308122719.669881575@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=axboe@kernel.dk \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+28abd693db9e92c160d8@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).