diff mbox series

[5.13,031/104] io_uring: fix io_prep_async_link locking

Message ID	20210802134345.042397812@linuxfoundation.org
State	New
Headers	show Return-Path: <stable-owner@kernel.org> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, Pavel Begunkov <asml.silence@gmail.com>, Jens Axboe <axboe@kernel.dk> Subject: [PATCH 5.13 031/104] io_uring: fix io_prep_async_link locking Date: Mon, 2 Aug 2021 15:44:28 +0200 Message-Id: <20210802134345.042397812@linuxfoundation.org> In-Reply-To: <20210802134344.028226640@linuxfoundation.org> References: <20210802134344.028226640@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	None \| expand [5.13,003/104] btrfs: fix lost inode on log replay after mix of fsync, rename and inode eviction [5.13,005/104] btrfs: mark compressed range uptodate only if all bio succeed [5.13,006/104] Revert "ACPI: resources: Add checks for ACPI IRQ override" [5.13,011/104] ocfs2: issue zeroout to EOF blocks [5.13,012/104] mm: memcontrol: fix blocking rstat function called from atomic cgroup1 thresholdin... [5.13,015/104] can: raw: raw_setsockopt(): fix raw_rcv panic for sock UAF [5.13,016/104] can: peak_usb: pcan_usb_handle_bus_evt(): fix reading rxerr/txerr values [5.13,020/104] can: esd_usb2: fix memory leak [5.13,021/104] alpha: register early reserved memory in memblock [5.13,022/104] HID: wacom: Re-enable touch by default for Cintiq 24HDT / 27QHDT [5.13,024/104] NIU: fix incorrect error return, missed in previous revert [5.13,025/104] drm/amd/display: ensure dentist display clock update finished in DCN20 [5.13,026/104] drm/amdgpu: Check pmops for desired suspend state [5.13,028/104] drm/amdgpu: Fix resource leak on probe error path [5.13,031/104] io_uring: fix io_prep_async_link locking [5.13,033/104] io_uring: fix poll requests leaking second poll entries [5.13,037/104] platform/x86: amd-pmc: Fix SMU firmware reporting mechanism [5.13,039/104] RDMA/rxe: Fix memory leak in error path code [5.13,040/104] netfilter: nf_tables: fix audit memory leak in nf_tables_commit [5.13,041/104] bpf: Fix OOB read when printing XDP link fdinfo [5.13,044/104] netfilter: nft_nat: allow to specify layer 4 protocol NAT only [5.13,045/104] i40e: Fix logic of disabling queues [5.13,047/104] i40e: Fix queue-to-TC mapping on Tx [5.13,048/104] i40e: Fix log TC creation failure when max num of queues is exceeded [5.13,050/104] tipc: fix sleeping in tipc accept routine [5.13,053/104] loop: reintroduce global lock for safe loop_validate_file() traversal [5.13,054/104] net: qrtr: fix memory leaks [5.13,057/104] ionic: remove intr coalesce update from napi [5.13,058/104] ionic: fix up dim accounting for tx and rx [5.13,060/104] can: mcp251xfd: mcp251xfd_irq(): stop timestamping worker in case error in IRQ [5.13,061/104] tipc: do not write skb_shinfo frags when doing decrytion [5.13,062/104] octeontx2-pf: Fix interface down flag on error [5.13,065/104] mlx4: Fix missing error code in mlx4_load_one() [5.13,067/104] drm/i915/bios: Fix ports mask [5.13,068/104] KVM: x86: Check the right feature bit for MSR_KVM_ASYNC_PF_ACK access [5.13,070/104] drm/msm/dpu: Fix sm8250_mdp register length [5.13,072/104] drm/msm/dp: Initialize the INTF_CONFIG register [5.13,074/104] bpf, sockmap: Zap ingress queues after stopping strparser [5.13,076/104] net/mlx5e: Disable Rx ntuple offload for uplink representor [5.13,079/104] net/mlx5e: RX, Avoid possible data corruption when relaxed ordering and LRO combined [5.13,080/104] net/mlx5e: Add NETIF_F_HW_TC to hw_features when HTB offload is available [5.13,084/104] net/mlx5e: Fix nullptr in mlx5e_hairpin_get_mdev() [5.13,088/104] tulip: windbond-840: Fix missing pci_disable_device() in probe and remove [5.13,090/104] can: hi311x: fix a signedness bug in hi3110_cmd() [5.13,091/104] bpf: Introduce BPF nospec instruction for mitigating Spectre v4 [5.13,093/104] bpf: Remove superfluous aux sanitation on subprog rejection [5.13,094/104] bpf: verifier: Allocate idmap scratch in verifier env [5.13,096/104] SMB3: fix readpage for large swap cache [5.13,098/104] powerpc/pseries: Fix regression while building external modules [5.13,099/104] Revert "perf map: Fix dso->nsinfo refcounting" [5.13,101/104] i40e: Add additional info to PHY type error [5.13,103/104] perf pmu: Fix alias matching [5.13,104/104] octeontx2-af: Remove unnecessary devm_kfree

Commit Message

Greg KH Aug. 2, 2021, 1:44 p.m. UTC

From: Pavel Begunkov <asml.silence@gmail.com>

commit 44eff40a32e8f5228ae041006352e32638ad2368 upstream.

io_prep_async_link() may be called after arming a linked timeout,
automatically making it unsafe to traverse the linked list. Guard
with completion_lock if there was a linked timeout.

Cc: stable@vger.kernel.org # 5.9+
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/93f7c617e2b4f012a2a175b3dab6bc2f27cebc48.1627304436.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/io_uring.c |   13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff mbox series

Patch

--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -1258,8 +1258,17 @@  static void io_prep_async_link(struct io
 {
 	struct io_kiocb *cur;
 
-	io_for_each_link(cur, req)
-		io_prep_async_work(cur);
+	if (req->flags & REQ_F_LINK_TIMEOUT) {
+		struct io_ring_ctx *ctx = req->ctx;
+
+		spin_lock_irq(&ctx->completion_lock);
+		io_for_each_link(cur, req)
+			io_prep_async_work(cur);
+		spin_unlock_irq(&ctx->completion_lock);
+	} else {
+		io_for_each_link(cur, req)
+			io_prep_async_work(cur);
+	}
 }
 
 static void io_queue_async_work(struct io_kiocb *req)