From patchwork Thu Jan 28 18:39:24 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Pavel Begunkov <asml.silence@gmail.com>
X-Patchwork-Id: 373247
Return-Path: <stable-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
 aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-15.7 required=3.0 tests=BAYES_00,DKIM_SIGNED,
 DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,
 HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH,
 MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT
 autolearn=unavailable autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
 by smtp.lore.kernel.org (Postfix) with ESMTP id 6C0CFC43381
 for <stable@archiver.kernel.org>;
 Thu, 28 Jan 2021 18:46:16 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
 by mail.kernel.org (Postfix) with ESMTP id 370D764E23
 for <stable@archiver.kernel.org>;
 Thu, 28 Jan 2021 18:46:16 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S231175AbhA1SqL (ORCPT <rfc822;stable@archiver.kernel.org>);
 Thu, 28 Jan 2021 13:46:11 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41316 "EHLO
 lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by
 vger.kernel.org with ESMTP id S232245AbhA1Sn4 (ORCPT
 <rfc822;stable@vger.kernel.org>); Thu, 28 Jan 2021 13:43:56 -0500
Received: from mail-wr1-x42e.google.com (mail-wr1-x42e.google.com
 [IPv6:2a00:1450:4864:20::42e])
 by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3EC77C0613D6;
 Thu, 28 Jan 2021 10:43:16 -0800 (PST)
Received: by mail-wr1-x42e.google.com with SMTP id q7so6416717wre.13;
 Thu, 28 Jan 2021 10:43:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=from:to:cc:subject:date:message-id:in-reply-to:references
 :mime-version:content-transfer-encoding;
 bh=yP0udIqQ5N4s/ns7Vr5zMHUty7fjICCtXowNGmke6wI=;
 b=CBcHSFFkDRsULzX1kuYr9rG2UQ5CS30IXB92gl9WMzYgKJKr3hs7teNApQAVLRtXyc
 e+JnA5HVT9ZUrJa9qzrKsOD6vomNmg5fWbGokNeOp0svaZutdzAUBnp3FRxnrZXbQoXm
 tyIlo1DbJ4r9nAk7l0KZvl6VBaBUshVSIeQf/bnNQoFJ/Qm1vnGbGbvQtciW1vHmr5t5
 331SKw3UsPv5TtBWtbM7eYZ9WKoqhY9mMlwinFJ6Et9XkEN8ft7ZI3IO/vxIFDvHlnEW
 GP6r+WMfuQLI0ovISLlg8xpPIa7xQXcH3xfYGkM/8TqQEZLi2gwtHRndZn0NBLnfQUyA
 T/NA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references:mime-version:content-transfer-encoding;
 bh=yP0udIqQ5N4s/ns7Vr5zMHUty7fjICCtXowNGmke6wI=;
 b=pEr2nrwqIDT45G3mvQ6iI635weAcOS7e318NpeWXXWvKrNFFEypS/dmU1hog2jmLxp
 gLPHC66rdNVhVtORa//RC/dlbssU95cHD0dyCOQyJilC5VCDAi99TOR+A81ibVHzKMn2
 CYYTxsYa6YyGSX8jTdd4ItKQNtCRQjO01IOPPdBKpCNf4a4toRfWzsgYT88yxWclrp+X
 7GqeTu1PgRjH2OkbtQxm0FTmFVIOQM5hE02LyDAdVEf2QNfZjKFnz6P61qcyF6OblZNK
 AvnJwAHV+4EuFqeCWxDjCpFL88C7v/xM24zvQH94kUcJPR6v7SUNv10HHvoMSLMUCS/X
 cphA==
X-Gm-Message-State: AOAM531TA2LDYHWRZd2HgLwUzZJYIc073d6rB8pfYjAR+RqjitoY/uAu
 BRue8HBjfFv3mXPk3MlFZ0I=
X-Google-Smtp-Source: ABdhPJxXxlr9TCNrRr80JXY/UhTCoiNZZrk2BxI1aBdoR3FRiOSkWYl6pz/I+N5JStBIMa0fPegyhQ==
X-Received: by 2002:a05:6000:104f:: with SMTP id
 c15mr441512wrx.239.1611859395083; 
 Thu, 28 Jan 2021 10:43:15 -0800 (PST)
Received: from localhost.localdomain ([148.252.132.131])
 by smtp.gmail.com with ESMTPSA id
 y18sm7916386wrt.19.2021.01.28.10.43.14
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Thu, 28 Jan 2021 10:43:14 -0800 (PST)
From: Pavel Begunkov <asml.silence@gmail.com>
To: Jens Axboe <axboe@kernel.dk>, io-uring@vger.kernel.org
Cc: stable@vger.kernel.org,
 syzbot+6879187cf57845801267@syzkaller.appspotmail.com
Subject: [PATCH 1/2] io_uring: fix list corruption for splice file_get
Date: Thu, 28 Jan 2021 18:39:24 +0000
Message-Id: <8cf8339c34948e837fc5236d75cd816e0931fe9b.1611859042.git.asml.silence@gmail.com>
X-Mailer: git-send-email 2.24.0
In-Reply-To: <cover.1611859042.git.asml.silence@gmail.com>
References: <cover.1611859042.git.asml.silence@gmail.com>
MIME-Version: 1.0
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

kernel BUG at lib/list_debug.c:29!
Call Trace:
 __list_add include/linux/list.h:67 [inline]
 list_add include/linux/list.h:86 [inline]
 io_file_get+0x8cc/0xdb0 fs/io_uring.c:6466
 __io_splice_prep+0x1bc/0x530 fs/io_uring.c:3866
 io_splice_prep fs/io_uring.c:3920 [inline]
 io_req_prep+0x3546/0x4e80 fs/io_uring.c:6081
 io_queue_sqe+0x609/0x10d0 fs/io_uring.c:6628
 io_submit_sqe fs/io_uring.c:6705 [inline]
 io_submit_sqes+0x1495/0x2720 fs/io_uring.c:6953
 __do_sys_io_uring_enter+0x107d/0x1f30 fs/io_uring.c:9353
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

io_file_get() may be called from splice, and so REQ_F_INFLIGHT may
already be set.

Fixes: 02a13674fa0e8 ("io_uring: account io_uring internal files as REQ_F_INFLIGHT")
Cc: stable@vger.kernel.org # 5.9+
Reported-by: syzbot+6879187cf57845801267@syzkaller.appspotmail.com
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
---
 fs/io_uring.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/io_uring.c b/fs/io_uring.c
index ae388cc52843..39ae1f821cef 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -6460,7 +6460,8 @@ static struct file *io_file_get(struct io_submit_state *state,
 		file = __io_file_get(state, fd);
 	}
 
-	if (file && file->f_op == &io_uring_fops) {
+	if (file && file->f_op == &io_uring_fops &&
+	    !(req->flags & REQ_F_INFLIGHT)) {
 		io_req_init_async(req);
 		req->flags |= REQ_F_INFLIGHT;
 

From patchwork Thu Jan 28 18:39:25 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Pavel Begunkov <asml.silence@gmail.com>
X-Patchwork-Id: 373784
Return-Path: <stable-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
 aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-15.7 required=3.0 tests=BAYES_00,DKIM_SIGNED,
 DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,
 HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH,
 MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED,
 USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
 by smtp.lore.kernel.org (Postfix) with ESMTP id E4F86C433E0
 for <stable@archiver.kernel.org>;
 Thu, 28 Jan 2021 18:46:13 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
 by mail.kernel.org (Postfix) with ESMTP id AF68B64E24
 for <stable@archiver.kernel.org>;
 Thu, 28 Jan 2021 18:46:13 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S231461AbhA1SqJ (ORCPT <rfc822;stable@archiver.kernel.org>);
 Thu, 28 Jan 2021 13:46:09 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41320 "EHLO
 lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by
 vger.kernel.org with ESMTP id S232281AbhA1Sn5 (ORCPT
 <rfc822;stable@vger.kernel.org>); Thu, 28 Jan 2021 13:43:57 -0500
Received: from mail-wm1-x334.google.com (mail-wm1-x334.google.com
 [IPv6:2a00:1450:4864:20::334])
 by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5F78CC0613ED;
 Thu, 28 Jan 2021 10:43:17 -0800 (PST)
Received: by mail-wm1-x334.google.com with SMTP id o10so5683085wmc.1;
 Thu, 28 Jan 2021 10:43:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=from:to:cc:subject:date:message-id:in-reply-to:references
 :mime-version:content-transfer-encoding;
 bh=uKrqSdyJaO/qlYV4J4LsnqnVzOS6dJ7WZMQZFyJyEIM=;
 b=KAbVlfCNrRn8sp03E+YTUXL478zVqtOH9yv9ZkGPmyoqraIJ5j5eU1a7cIk+DbSgFE
 T6HF8qofx0tSRPk+L3Bn1yUgVYlHTxQGbTh9/ENSvXwm5lWekcad4aLXLsaGtMzdTLqN
 6CbJxQ/XPu2r1woKPs0EhDGKJAxzk+BRgrqYE2OIh2x9alJ4RN14qFY09RObCmEvxrtD
 sx87+304uVQyCHF7SdESqj9sjbTfJTU4jOmS37yrtr1U7R7p/ldD0OfcsQrQaapxfBGV
 n2SkhvxrghZe0TfVy4BOqqZ0vVJ2sqlE18jD39ZPd5+nIsFVRYXH0DxpqBSu88bpqEDZ
 TZlw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references:mime-version:content-transfer-encoding;
 bh=uKrqSdyJaO/qlYV4J4LsnqnVzOS6dJ7WZMQZFyJyEIM=;
 b=mDLsaBu7QM1692zpHlBu9Efd3M/yvBJrw8393aDuzgg48xFNT7rgr3qdTzZPuBRnxm
 BdWEc3j2vHBEOL5O7VA2k8al4zbntL0ZdGiM3QeRlrBvY0oeccTE5lwJZe27dmGRgRkM
 kDq88/eN1T+2bwuWnw2+LPRRkEJNQC9Mag0DKI/7mmQrUH8PyQcku2N+FhxoypK5RW4p
 OCZoVSDHjIWYr+HeQQol7SdVqlgZexU3OBE0YY/kly5srbZnAHKeaP8fQlGOVMhhnqAk
 nvAf9fLaFZjo6jwVCTMzs1iEXwQVoS5YAVjxt7Z7+OrK8AE2Q476DQxcVr3MRLRL6iH7
 CruQ==
X-Gm-Message-State: AOAM531obmzswyb8sVZnpsKeQZqvkcYSzrsjidiHpflD8oHgzXZJvYk1
 UvUukXj9Ova1iDzsE0dZowg5Y61GGxU=
X-Google-Smtp-Source: ABdhPJwvkQII4SJN3SFvGozK9SnIPyzfUoGuZzjfxl3zOWLipFdn1cpTsna8D2jEvg5kcA65xTHkzw==
X-Received: by 2002:a1c:cc14:: with SMTP id h20mr577735wmb.180.1611859396195; 
 Thu, 28 Jan 2021 10:43:16 -0800 (PST)
Received: from localhost.localdomain ([148.252.132.131])
 by smtp.gmail.com with ESMTPSA id
 y18sm7916386wrt.19.2021.01.28.10.43.15
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Thu, 28 Jan 2021 10:43:15 -0800 (PST)
From: Pavel Begunkov <asml.silence@gmail.com>
To: Jens Axboe <axboe@kernel.dk>, io-uring@vger.kernel.org
Cc: stable@vger.kernel.org,
 syzbot+3e3d9bd0c6ce9efbc3ef@syzkaller.appspotmail.com
Subject: [PATCH 2/2] io_uring: fix sqo ownership false positive warning
Date: Thu, 28 Jan 2021 18:39:25 +0000
Message-Id: <4864e44e886a651f87288ad9a0ffdeea4ac025a7.1611859042.git.asml.silence@gmail.com>
X-Mailer: git-send-email 2.24.0
In-Reply-To: <cover.1611859042.git.asml.silence@gmail.com>
References: <cover.1611859042.git.asml.silence@gmail.com>
MIME-Version: 1.0
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

WARNING: CPU: 0 PID: 21359 at fs/io_uring.c:9042
    io_uring_cancel_task_requests+0xe55/0x10c0 fs/io_uring.c:9042
Call Trace:
 io_uring_flush+0x47b/0x6e0 fs/io_uring.c:9227
 filp_close+0xb4/0x170 fs/open.c:1295
 close_files fs/file.c:403 [inline]
 put_files_struct fs/file.c:418 [inline]
 put_files_struct+0x1cc/0x350 fs/file.c:415
 exit_files+0x7e/0xa0 fs/file.c:435
 do_exit+0xc22/0x2ae0 kernel/exit.c:820
 do_group_exit+0x125/0x310 kernel/exit.c:922
 get_signal+0x427/0x20f0 kernel/signal.c:2773
 arch_do_signal_or_restart+0x2a8/0x1eb0 arch/x86/kernel/signal.c:811
 handle_signal_work kernel/entry/common.c:147 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
 exit_to_user_mode_prepare+0x148/0x250 kernel/entry/common.c:201
 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline]
 syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:302
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Now io_uring_cancel_task_requests() can be called not through file
notes but directly, remove a WARN_ONCE() there that give us false
positives. That check is not very important and we catch it in other
places.

Fixes: 84965ff8a84f0 ("io_uring: if we see flush on exit, cancel related tasks")
Cc: stable@vger.kernel.org # 5.9+
Reported-by: syzbot+3e3d9bd0c6ce9efbc3ef@syzkaller.appspotmail.com
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
---
 fs/io_uring.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 39ae1f821cef..12bf7180c0f1 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -8967,8 +8967,6 @@ static void io_uring_cancel_task_requests(struct io_ring_ctx *ctx,
 	struct task_struct *task = current;
 
 	if ((ctx->flags & IORING_SETUP_SQPOLL) && ctx->sq_data) {
-		/* for SQPOLL only sqo_task has task notes */
-		WARN_ON_ONCE(ctx->sqo_task != current);
 		io_disable_sqo_submit(ctx);
 		task = ctx->sq_data->thread;
 		atomic_inc(&task->io_uring->in_idle);