From patchwork Wed Oct 7 03:16:32 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Muchun Song X-Patchwork-Id: 11819689 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E15226CA for ; Wed, 7 Oct 2020 03:17:02 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id C565A208C7 for ; Wed, 7 Oct 2020 03:17:02 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=bytedance-com.20150623.gappssmtp.com header.i=@bytedance-com.20150623.gappssmtp.com header.b="C3NVdaHy" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727226AbgJGDQ7 (ORCPT ); Tue, 6 Oct 2020 23:16:59 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40942 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727161AbgJGDQ7 (ORCPT ); Tue, 6 Oct 2020 23:16:59 -0400 Received: from mail-pj1-x1044.google.com (mail-pj1-x1044.google.com [IPv6:2607:f8b0:4864:20::1044]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 822DDC0613D2 for ; Tue, 6 Oct 2020 20:16:57 -0700 (PDT) Received: by mail-pj1-x1044.google.com with SMTP id kk9so336383pjb.2 for ; Tue, 06 Oct 2020 20:16:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bytedance-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=jbmPcsuMBq1Wr1VTHGw09I3ccTmLwf6tSkcDe8WJ9wg=; b=C3NVdaHyZWeFvUkhm10MsFRJ3eFD+WjxMF8k1dvn5K3aXofFxhf/cOOXIGeWPnxC+Z 0VTFbUdBHV+nPLJmP6Xjl8TbB2OlRniv5BsgZMOvMGA5zKgCK1QPET8ZzJ/r2A8X4upF lyrOaWAk9sGiW40GQh2cIQEjASoSkRVE4Wi7JJu4pbyGPtgAGWNHfOXt2XRKkbcXNXPc uZ3wJcrYv2AggF1nIKcHzozQze6WnycGRsu0xaUeJL5xyYNuWJtPIGgu7Hp+gTvsaxNF ZqWxfCz7vWF6w4JZyGJesqNW+BpOxWBVLNC9hsvqDlEBe5VpN6Mvv8hjjAG14XprW5LX ltng== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=jbmPcsuMBq1Wr1VTHGw09I3ccTmLwf6tSkcDe8WJ9wg=; b=Z9Lp0ME22dcjj8qkX2wcmIj8Boiv2K81lquC3PS48DBs7IvwOtdByBybROYY57zNJ2 K+ZP0Fz03vdXqJuevTnZzqD+k6ycI1myeKBju7PVrkxNrfkV2n4vOwJUbJH17iO39c37 2/FP/YErlZYsRK0Ql37+nsuuVp9qCtmCqkFmj1EaKHvXYMQV4D0DLFAxmhRyi0D1NmzI p/SqHgyvs7x7DZ2AwXybblMbD4QoXu0k0/25/05sGboiFj4V1SDsWtFJodqmVirubCC9 JY9ngMAfiNvorUXHROKQFINnZbi4y5PIs0AlENKXTvWgqIWnYEY7L1NAJbmXnZgTb4aX cQEQ== X-Gm-Message-State: AOAM5321Vs5JEuMd9ru0mB8ZcLhls26R07c2gMqeqR+brF6YdastTw9+ hnMoAIi4E0uW88e5m5JaLi0ChS22FPXB33eq X-Google-Smtp-Source: ABdhPJwC7MbrbAGH7sxJ4vVu1crzXAAdPT1QPTDrOJm6sPe6ZzYQ1cOXyZKNHi07lCohpnxSjWYwDA== X-Received: by 2002:a17:90a:1b2f:: with SMTP id q44mr1006125pjq.220.1602040617045; Tue, 06 Oct 2020 20:16:57 -0700 (PDT) Received: from localhost.localdomain ([103.136.221.72]) by smtp.gmail.com with ESMTPSA id e1sm729094pfd.198.2020.10.06.20.16.53 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 06 Oct 2020 20:16:56 -0700 (PDT) From: Muchun Song To: axboe@kernel.dk, viro@zeniv.linux.org.uk Cc: linux-fsdevel@vger.kernel.org, linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, zhuyinyin@bytedance.com Subject: [PATCH v3 1/4] io_uring: Fix resource leaking when kill the process Date: Wed, 7 Oct 2020 11:16:32 +0800 Message-Id: <20201007031635.65295-2-songmuchun@bytedance.com> X-Mailer: git-send-email 2.21.0 (Apple Git-122) In-Reply-To: <20201007031635.65295-1-songmuchun@bytedance.com> References: <20201007031635.65295-1-songmuchun@bytedance.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org From: Yinyin Zhu The commit 1c4404efcf2c0> ("") doesn't solve the resource leak problem totally! When kworker is doing a io task for the io_uring, The process which submitted the io task has received a SIGKILL signal from the user. Then the io_cancel_async_work function could have sent a SIGINT signal to the kworker, but the judging condition is wrong. So it doesn't send a SIGINT signal to the kworker, then caused the resource leaking problem. Why the juding condition is wrong? The process is a multi-threaded process, we call the thread of the process which has submitted the io task Thread1. So the req->task is the current macro of the Thread1. when all the threads of the process have done exit procedure, the last thread will call the io_cancel_async_work, but the last thread may not the Thread1, so the task is not equal and doesn't send the SIGINT signal. To fix this bug, we alter the task attribute of the req with struct files_struct. And check the files instead. Fixes: 1c4404efcf2c0 ("io_uring: make sure async workqueue is canceled on exit") Signed-off-by: Yinyin Zhu --- fs/io_uring.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/fs/io_uring.c b/fs/io_uring.c index 454cef93a39e8..2f46def7f5832 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -339,7 +339,7 @@ struct io_kiocb { u64 user_data; u32 result; u32 sequence; - struct task_struct *task; + struct files_struct *files; struct fs_struct *fs; @@ -513,7 +513,7 @@ static inline void io_queue_async_work(struct io_ring_ctx *ctx, } } - req->task = current; + req->files = current->files; spin_lock_irqsave(&ctx->task_lock, flags); list_add(&req->task_list, &ctx->task_list); @@ -2387,6 +2387,8 @@ static bool io_add_to_prev_work(struct async_list *list, struct io_kiocb *req) if (ret) { struct io_ring_ctx *ctx = req->ctx; + req->files = current->files; + spin_lock_irq(&ctx->task_lock); list_add(&req->task_list, &ctx->task_list); req->work_task = NULL; @@ -3717,7 +3719,7 @@ static int io_uring_fasync(int fd, struct file *file, int on) } static void io_cancel_async_work(struct io_ring_ctx *ctx, - struct task_struct *task) + struct files_struct *files) { if (list_empty(&ctx->task_list)) return; @@ -3729,7 +3731,7 @@ static void io_cancel_async_work(struct io_ring_ctx *ctx, req = list_first_entry(&ctx->task_list, struct io_kiocb, task_list); list_del_init(&req->task_list); req->flags |= REQ_F_CANCEL; - if (req->work_task && (!task || req->task == task)) + if (req->work_task && (!files || req->files == files)) send_sig(SIGINT, req->work_task, 1); } spin_unlock_irq(&ctx->task_lock); @@ -3754,7 +3756,7 @@ static int io_uring_flush(struct file *file, void *data) struct io_ring_ctx *ctx = file->private_data; if (fatal_signal_pending(current) || (current->flags & PF_EXITING)) - io_cancel_async_work(ctx, current); + io_cancel_async_work(ctx, data); return 0; } From patchwork Wed Oct 7 03:16:33 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Muchun Song X-Patchwork-Id: 11819693 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 4510C17CF for ; Wed, 7 Oct 2020 03:17:07 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 28A35208C7 for ; Wed, 7 Oct 2020 03:17:07 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=bytedance-com.20150623.gappssmtp.com header.i=@bytedance-com.20150623.gappssmtp.com header.b="OXhsLhZA" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727296AbgJGDRG (ORCPT ); Tue, 6 Oct 2020 23:17:06 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40962 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726605AbgJGDRD (ORCPT ); Tue, 6 Oct 2020 23:17:03 -0400 Received: from mail-pj1-x1044.google.com (mail-pj1-x1044.google.com [IPv6:2607:f8b0:4864:20::1044]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 145A7C0613D3 for ; Tue, 6 Oct 2020 20:17:02 -0700 (PDT) Received: by mail-pj1-x1044.google.com with SMTP id az3so337683pjb.4 for ; Tue, 06 Oct 2020 20:17:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bytedance-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=IeHm/TqHuwhnyA0b8jgMCPZcrzDYgMpNDupCMS7Ulu4=; b=OXhsLhZANeWmSx3hdFzd3o12iVc4LODgV8gXnAsZsGXkYEngD1RXAFBGyzKOo7d6CM k9FbCBgD/PuBchdnvqx5zjGUBgGD/VyIwWxfbnMCmUR7oHJvKn9VdwQkPbuaKLBWp8zq BUeqiM/eu6HBB4gkMpypoXTIAoQeUw5oUyQ44PGZrrfsCB+hUVFwBv5BCKuU278t5lsS ze/kVpC5m14/YNI+78t0kgyGvNASPOkGEb+PMYbvcBPJMyHEcFIcoDOrgx1jOZb8ooWZ nll6wLvNPh8bwBnzLcXYNuiPGQje1G6dZBaYHOcoQto0W4Epx2+Ur3Ukka5eu8PN8PdJ E7cQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=IeHm/TqHuwhnyA0b8jgMCPZcrzDYgMpNDupCMS7Ulu4=; b=iJagruQ/XPnFMaXs+cVDFqbR7XYRQ6CTQHJr9kaUE40RJszBE4ClrVkksaFiEyz1qo YVqN4Aonmmgd3KLXRSZx3WGHQuhz80s6udtMud7LV8zEtGSzVt7DbIHRBcmn1YNfH9As e1g555yLJbeKfi8TMDaGndVcZZSNF08nrTNMps2dMVeWt93pSrBtOGHOs6xm8N4bmMH3 4WAJMe41QJ9pTYCm0Tu3ArE3fcwBfbeoiwNzVsBTriEXQFAYgcMwBrSaVNX2+qtn+rlg vEh/BNVsreyhRs5DBfm6Qwufn/32EbineSt1NbC7gpR9L2cRtkqcZR5tijyq+x5gQNJ/ jm6Q== X-Gm-Message-State: AOAM5313lJMgYr+6+pCx55/XOPOuDZHlp1C6Ik16KYOLBcjuJuGgmium ANo40HQJlThsn5nSe4yxZCI+uw== X-Google-Smtp-Source: ABdhPJxqB7qnbj5NCKL+OPKSzMbBMdXutgjfSrgRUieSvOOoBBQFsAv50cao3PjdgcSTlq5nNPZJ8g== X-Received: by 2002:a17:902:7882:b029:d3:b3bc:9d8a with SMTP id q2-20020a1709027882b02900d3b3bc9d8amr975601pll.46.1602040621656; Tue, 06 Oct 2020 20:17:01 -0700 (PDT) Received: from localhost.localdomain ([103.136.221.72]) by smtp.gmail.com with ESMTPSA id e1sm729094pfd.198.2020.10.06.20.16.57 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 06 Oct 2020 20:17:01 -0700 (PDT) From: Muchun Song To: axboe@kernel.dk, viro@zeniv.linux.org.uk Cc: linux-fsdevel@vger.kernel.org, linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, zhuyinyin@bytedance.com, Muchun Song Subject: [PATCH v3 2/4] io_uring: Fix missing smp_mb() in io_cancel_async_work() Date: Wed, 7 Oct 2020 11:16:33 +0800 Message-Id: <20201007031635.65295-3-songmuchun@bytedance.com> X-Mailer: git-send-email 2.21.0 (Apple Git-122) In-Reply-To: <20201007031635.65295-1-songmuchun@bytedance.com> References: <20201007031635.65295-1-songmuchun@bytedance.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org The store to req->flags and load req->work_task should not be reordering in io_cancel_async_work(). We should make sure that either we store REQ_F_CANCE flag to req->flags or we see the req->work_task setted in io_sq_wq_submit_work(). Fixes: 1c4404efcf2c ("io_uring: make sure async workqueue is canceled on exit") Signed-off-by: Muchun Song --- fs/io_uring.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/fs/io_uring.c b/fs/io_uring.c index 2f46def7f5832..5d9583e3d0d25 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -2252,6 +2252,12 @@ static void io_sq_wq_submit_work(struct work_struct *work) if (!ret) { req->work_task = current; + + /* + * Pairs with the smp_store_mb() (B) in + * io_cancel_async_work(). + */ + smp_mb(); /* A */ if (req->flags & REQ_F_CANCEL) { ret = -ECANCELED; goto end_req; @@ -3730,7 +3736,15 @@ static void io_cancel_async_work(struct io_ring_ctx *ctx, req = list_first_entry(&ctx->task_list, struct io_kiocb, task_list); list_del_init(&req->task_list); - req->flags |= REQ_F_CANCEL; + + /* + * The below executes an smp_mb(), which matches with the + * smp_mb() (A) in io_sq_wq_submit_work() such that either + * we store REQ_F_CANCEL flag to req->flags or we see the + * req->work_task setted in io_sq_wq_submit_work(). + */ + smp_store_mb(req->flags, req->flags | REQ_F_CANCEL); /* B */ + if (req->work_task && (!files || req->files == files)) send_sig(SIGINT, req->work_task, 1); } From patchwork Wed Oct 7 03:16:34 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Muchun Song X-Patchwork-Id: 11819699 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id B8E0B6CB for ; Wed, 7 Oct 2020 03:17:17 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 9A7A7208C3 for ; Wed, 7 Oct 2020 03:17:17 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=bytedance-com.20150623.gappssmtp.com header.i=@bytedance-com.20150623.gappssmtp.com header.b="fwSdbZZl" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726989AbgJGDRL (ORCPT ); Tue, 6 Oct 2020 23:17:11 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40976 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726605AbgJGDRH (ORCPT ); Tue, 6 Oct 2020 23:17:07 -0400 Received: from mail-pl1-x642.google.com (mail-pl1-x642.google.com [IPv6:2607:f8b0:4864:20::642]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D787FC061755 for ; Tue, 6 Oct 2020 20:17:05 -0700 (PDT) Received: by mail-pl1-x642.google.com with SMTP id s19so292292plp.3 for ; Tue, 06 Oct 2020 20:17:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bytedance-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=GeVbov0xNPxL4pvkkmxnDNiMOHPiM/FJbyQtEEMpPQc=; b=fwSdbZZlK5Q7h7g2nyZsoFvVzwIWW97I/PVzJbBd1xKj5L7sttS7jiyZ1oDvU7CUjm J3OK1fVORdZq5/vFvFMrPi8CJilG1lsTE1AHbpLDjp5Kr3iNKNuG3XX4vrsbmfM1A0is 4WVaiR91B6d3pbYyY5End0VaHMSfEHaU9DnjoCBOmIWo7+ZtIhfiHwm9o2SiTSxfamMF qUNI7nsNxAMfs8cuRunI2BSh7kbkT1dd75fgD9f78gp/4XqgEPn50nhrIbOcrDvn0imO jL4Tw2320znVzyDvKnSBEN+W6CWZdfXIPvOIIDrtpzD66fRCYM4hUnMvK06RAcr9fk74 o9vA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=GeVbov0xNPxL4pvkkmxnDNiMOHPiM/FJbyQtEEMpPQc=; b=jvxcaNGurUQsYbbD0UM5IGr/JskGONnBrQB8ZN81RVOER5e3gPXCWfEr74/4ZxYYyv avsUPkQT2H2Gj+pobGu6BuoPWRb0gXnhVo7x7ANuK9AkdMVAdbi12U8avMBaZEMqyI8v oaYaFtf4+q0KSO/l3M7KWpY/JYmLpgZQuyxMNFdwtzl4d7+bV4ayOamL0PbJaa+r72r+ rrhxe62utm8kc4KB4UF/+MJ3iY6YAcbF8Jz2x0z1zu8gm3m2Eb1QlM4+3O6MZ8R/N2Tm BhsLb/klzHTWSm7+faUC5W/WdG4OFQbbSrmR7xBmdW9kcF9bCuN/vkQSGtFled8fYyr/ CYpQ== X-Gm-Message-State: AOAM532MOrTTBdmt9CWOe5HlFEBldVyLE4Ig8qpDkFPiAOMeWfv5l8RJ pWs9fAwTaQbrybRV1EL8w/YHew== X-Google-Smtp-Source: ABdhPJyCF+csF7t8Drpu+3DqDzO7ygzPcNqG8s9mzckzPIum0U43WiRp8bWyW4FIx9nsww5R5jvIjQ== X-Received: by 2002:a17:902:8d96:b029:d2:8cdd:db9d with SMTP id v22-20020a1709028d96b02900d28cdddb9dmr1138671plo.79.1602040625464; Tue, 06 Oct 2020 20:17:05 -0700 (PDT) Received: from localhost.localdomain ([103.136.221.72]) by smtp.gmail.com with ESMTPSA id e1sm729094pfd.198.2020.10.06.20.17.02 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 06 Oct 2020 20:17:04 -0700 (PDT) From: Muchun Song To: axboe@kernel.dk, viro@zeniv.linux.org.uk Cc: linux-fsdevel@vger.kernel.org, linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, zhuyinyin@bytedance.com, Muchun Song Subject: [PATCH v3 3/4] io_uring: Fix remove irrelevant req from the task_list Date: Wed, 7 Oct 2020 11:16:34 +0800 Message-Id: <20201007031635.65295-4-songmuchun@bytedance.com> X-Mailer: git-send-email 2.21.0 (Apple Git-122) In-Reply-To: <20201007031635.65295-1-songmuchun@bytedance.com> References: <20201007031635.65295-1-songmuchun@bytedance.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org If the process 0 has been initialized io_uring is complete, and then fork process 1. If process 1 exits and it leads to delete all reqs from the task_list. If we kill process 0. We will not send SIGINT signal to the kworker. So we can not remove the req from the task_list. The io_sq_wq_submit_work() can do that for us. Fixes: 1c4404efcf2c ("io_uring: make sure async workqueue is canceled on exit") Signed-off-by: Muchun Song --- fs/io_uring.c | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/fs/io_uring.c b/fs/io_uring.c index 5d9583e3d0d25..c65f78f395655 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -2277,13 +2277,11 @@ static void io_sq_wq_submit_work(struct work_struct *work) break; cond_resched(); } while (1); -end_req: - if (!list_empty(&req->task_list)) { - spin_lock_irq(&ctx->task_lock); - list_del_init(&req->task_list); - spin_unlock_irq(&ctx->task_lock); - } } +end_req: + spin_lock_irq(&ctx->task_lock); + list_del_init(&req->task_list); + spin_unlock_irq(&ctx->task_lock); /* drop submission reference */ io_put_req(req); @@ -3727,15 +3725,16 @@ static int io_uring_fasync(int fd, struct file *file, int on) static void io_cancel_async_work(struct io_ring_ctx *ctx, struct files_struct *files) { + struct io_kiocb *req; + if (list_empty(&ctx->task_list)) return; spin_lock_irq(&ctx->task_lock); - while (!list_empty(&ctx->task_list)) { - struct io_kiocb *req; - req = list_first_entry(&ctx->task_list, struct io_kiocb, task_list); - list_del_init(&req->task_list); + list_for_each_entry(req, &ctx->task_list, task_list) { + if (files && req->files != files) + continue; /* * The below executes an smp_mb(), which matches with the @@ -3745,7 +3744,7 @@ static void io_cancel_async_work(struct io_ring_ctx *ctx, */ smp_store_mb(req->flags, req->flags | REQ_F_CANCEL); /* B */ - if (req->work_task && (!files || req->files == files)) + if (req->work_task) send_sig(SIGINT, req->work_task, 1); } spin_unlock_irq(&ctx->task_lock); From patchwork Wed Oct 7 03:16:35 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Muchun Song X-Patchwork-Id: 11819697 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 4826E6CA for ; Wed, 7 Oct 2020 03:17:17 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 2BD7B208C3 for ; Wed, 7 Oct 2020 03:17:17 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=bytedance-com.20150623.gappssmtp.com header.i=@bytedance-com.20150623.gappssmtp.com header.b="i/c2g+os" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727387AbgJGDRQ (ORCPT ); Tue, 6 Oct 2020 23:17:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41000 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727345AbgJGDRM (ORCPT ); Tue, 6 Oct 2020 23:17:12 -0400 Received: from mail-pf1-x444.google.com (mail-pf1-x444.google.com [IPv6:2607:f8b0:4864:20::444]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6E0CDC061755 for ; Tue, 6 Oct 2020 20:17:11 -0700 (PDT) Received: by mail-pf1-x444.google.com with SMTP id l126so524894pfd.5 for ; Tue, 06 Oct 2020 20:17:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bytedance-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=nPkmLEjjOLqKd/lOoAyA8z7n9dUCjwGzd+W0L3DZgSM=; b=i/c2g+osuUxGIsLB3AH+kyrVOsH7GDY82yaZk6DFm7TuOhQlVuanhZZn96R5kN3izp QCF6S7wYFvfEzqAWN4JNKCbmAxfjPUM41Xq23XmkKwysvjXL85bj9vgw91NQOOK5/Rt+ p+HAZAhwRnRxmNuQa9Jgi2tqC06ZPFxoLEpOswxrCs3AWf0oIMM7K699j2Mt7owk9KFe TpVS1j5IyNSI1FB1hBUGb33xr+uCXUaBh5wd7IfXrgUXBdLrsG5ogZ9CFp5EPiUScT41 Moa9yhVJI/PXM6UYGWvx5QP0lRzV4L7N8vOyZ0EFG8ZmnTZ2IDJjOSjJHTwSWKzAEH6U zKHw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=nPkmLEjjOLqKd/lOoAyA8z7n9dUCjwGzd+W0L3DZgSM=; b=dCmK9x0UTvHj910rPhjDn0bE0nYpkQHgYFfkPd/GX/p6PzghoFXtH9JMrWdoVKc5gQ +kTMsezMa/Yu1ka2G4xHjgNlKb1rLoqjI9jAL/5adMrXGvzwKCL9QsrRdzdiCxpNEb+N vKmVG3RjE8SdC7lOkkpzNc/aE2tkRbTBjE0WmkUZkLsNNUWi3NtBhkajRnMJSa3sTWxL 6NJ/L4M6SI/8lH6c/SyLDCwrjcWRYb08ju2KcQb9iUIzIvgeIZR5HhRrsEyXEymwjQ9a QXi78r7bR4WVTqbrW7d5yC+x/XCZmb4+OCNc36bdc7rSebj/9TL92tcipVIkqCEPAxUP OMTw== X-Gm-Message-State: AOAM5326e1tScyT25ytFs1yMIe32DgB8C6H5jcHF9bF2QviZMDChalod WDXviZ/h4HBDYWM3Zj5kH1by2A== X-Google-Smtp-Source: ABdhPJzxgagkn4cVqjUy8sr7sdcfRTWbXc2ao2DIrr5tMY6Uq7VD6rrtEFb369pBeTAqS3uisiBzXw== X-Received: by 2002:a65:4bcc:: with SMTP id p12mr1093870pgr.353.1602040631013; Tue, 06 Oct 2020 20:17:11 -0700 (PDT) Received: from localhost.localdomain ([103.136.221.72]) by smtp.gmail.com with ESMTPSA id e1sm729094pfd.198.2020.10.06.20.17.05 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 06 Oct 2020 20:17:10 -0700 (PDT) From: Muchun Song To: axboe@kernel.dk, viro@zeniv.linux.org.uk Cc: linux-fsdevel@vger.kernel.org, linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, zhuyinyin@bytedance.com, Muchun Song , Jiachen Zhang Subject: [PATCH v3 4/4] io_uring: Fix double list add in io_queue_async_work() Date: Wed, 7 Oct 2020 11:16:35 +0800 Message-Id: <20201007031635.65295-5-songmuchun@bytedance.com> X-Mailer: git-send-email 2.21.0 (Apple Git-122) In-Reply-To: <20201007031635.65295-1-songmuchun@bytedance.com> References: <20201007031635.65295-1-songmuchun@bytedance.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org If we queue work in io_poll_wake(), it will leads to list double add. So we should add the list when the callback func is the io_sq_wq_submit_work. The following oops was seen: list_add double add: new=ffff9ca6a8f1b0e0, prev=ffff9ca62001cee8, next=ffff9ca6a8f1b0e0. ------------[ cut here ]------------ kernel BUG at lib/list_debug.c:31! Call Trace: io_poll_wake+0xf3/0x230 __wake_up_common+0x91/0x170 __wake_up_common_lock+0x7a/0xc0 io_commit_cqring+0xea/0x280 ? blkcg_iolatency_done_bio+0x2b/0x610 io_cqring_add_event+0x3e/0x60 io_complete_rw+0x58/0x80 dio_complete+0x106/0x250 blk_update_request+0xa0/0x3b0 blk_mq_end_request+0x1a/0x110 blk_mq_complete_request+0xd0/0xe0 nvme_irq+0x129/0x270 [nvme] __handle_irq_event_percpu+0x7b/0x190 handle_irq_event_percpu+0x30/0x80 handle_irq_event+0x3c/0x60 handle_edge_irq+0x91/0x1e0 do_IRQ+0x4d/0xd0 common_interrupt+0xf/0xf Fixes: 1c4404efcf2c ("io_uring: make sure async workqueue is canceled on exit") Reported-by: Jiachen Zhang Signed-off-by: Muchun Song --- fs/io_uring.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/fs/io_uring.c b/fs/io_uring.c index c65f78f395655..a7cfe976480d8 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -513,12 +513,14 @@ static inline void io_queue_async_work(struct io_ring_ctx *ctx, } } - req->files = current->files; + if (req->work.func == io_sq_wq_submit_work) { + req->files = current->files; - spin_lock_irqsave(&ctx->task_lock, flags); - list_add(&req->task_list, &ctx->task_list); - req->work_task = NULL; - spin_unlock_irqrestore(&ctx->task_lock, flags); + spin_lock_irqsave(&ctx->task_lock, flags); + list_add(&req->task_list, &ctx->task_list); + req->work_task = NULL; + spin_unlock_irqrestore(&ctx->task_lock, flags); + } queue_work(ctx->sqo_wq[rw], &req->work); } @@ -667,6 +669,7 @@ static struct io_kiocb *io_get_req(struct io_ring_ctx *ctx, state->cur_req++; } + INIT_LIST_HEAD(&req->task_list); req->file = NULL; req->ctx = ctx; req->flags = 0;