Unnamed repository; edit this file 'description' to name the repository. https://git.kobert.dev/pm24.git/atom/io_uring?h=v6.2-rc3 2023-01-05T15:04:47Z 2023-01-05T15:04:47Z Pavel Begunkov asml.silence@gmail.com 2023-01-05T10:49:15Z urn:sha1:12521a5d5cb7ff0ad43eadfc9c135d86e1131fa8 Jiffy to ktime CQ waiting conversion broke how we treat timeouts, in particular we rearm it anew every time we get into io_cqring_wait_schedule() without adjusting the timeout. Waiting for 2 CQEs and getting a task_work in the middle may double the timeout value, or even worse in some cases task may wait indefinitely. Cc: stable@vger.kernel.org Fixes: 228339662b398 ("io_uring: don't convert to jiffies for waiting on timeouts") Signed-off-by: Pavel Begunkov <asml.silence@gmail.com> Link: https://lore.kernel.org/r/f7bffddd71b08f28a877d44d37ac953ddb01590d.1672915663.git.asml.silence@gmail.com Signed-off-by: Jens Axboe <axboe@kernel.dk> 2023-01-04T02:05:41Z Pavel Begunkov asml.silence@gmail.com 2023-01-04T01:34:57Z urn:sha1:f26cc9593581bd734c846bf827401350b36dc3c9 Locking around CQE posting is complex and depends on options the ring is created with, add more thorough lockdep annotations checking all invariants. Signed-off-by: Pavel Begunkov <asml.silence@gmail.com> Link: https://lore.kernel.org/r/aa3770b4eacae3915d782cc2ab2f395a99b4b232.1672795976.git.asml.silence@gmail.com Signed-off-by: Jens Axboe <axboe@kernel.dk> 2023-01-04T02:03:28Z Pavel Begunkov asml.silence@gmail.com 2023-01-04T01:34:02Z urn:sha1:9ffa13ff78a0a55df968a72d6f0ebffccee5c9f4 Unlike normal tw, nothing prevents deferred tw to be executed right after an tw item added to ->work_llist in io_req_local_work_add(). For instance, the waiting task may get waken up by CQ posting or a normal tw. Thus we need to pin the ring for the rest of io_req_local_work_add() Cc: stable@vger.kernel.org Fixes: c0e0d6ba25f18 ("io_uring: add IORING_SETUP_DEFER_TASKRUN") Signed-off-by: Pavel Begunkov <asml.silence@gmail.com> Link: https://lore.kernel.org/r/1a79362b9c10b8523ef70b061d96523650a23344.1672795998.git.asml.silence@gmail.com Signed-off-by: Jens Axboe <axboe@kernel.dk> 2023-01-02T23:49:46Z Jens Axboe axboe@kernel.dk 2023-01-02T23:49:46Z urn:sha1:af82425c6a2d2f347c79b63ce74fca6dc6be157f If we cancel the task_work, the worker will never come into existance. As this is the last reference to it, ensure that we get it freed appropriately. Cc: stable@vger.kernel.org Reported-by: 진호 <wnwlsgh98@gmail.com> Signed-off-by: Jens Axboe <axboe@kernel.dk> 2022-12-23T13:40:32Z Jens Axboe axboe@kernel.dk 2022-12-23T13:37:08Z urn:sha1:343190841a1f22b96996d9f8cfab902a4d1bfd0e We only check the register opcode value inside the restricted ring section, move it into the main io_uring_register() function instead and check it up front. Signed-off-by: Jens Axboe <axboe@kernel.dk> 2022-12-21T20:31:40Z Jens Axboe axboe@kernel.dk 2022-12-21T14:11:33Z urn:sha1:23fffb2f09ce1145cbd751801d45ba74acaa6542 If we have a signal pending during cancelations, it'll cause the task_work run to return an error. Since we didn't run task_work, the current task is left in TASK_INTERRUPTIBLE state when we need to re-grab the ctx mutex, and the kernel will rightfully complain about that. Move the lock grabbing for the error cases outside the loop to avoid that issue. Reported-by: syzbot+7df055631cd1be4586fd@syzkaller.appspotmail.com Link: https://lore.kernel.org/io-uring/0000000000003a14a905f05050b0@google.com/ Signed-off-by: Jens Axboe <axboe@kernel.dk> 2022-12-21T15:43:53Z Jens Axboe axboe@kernel.dk 2022-12-21T14:05:09Z urn:sha1:52ea806ad983490b3132a9e526e11a10dc2fd10c If we have overflow entries being generated after we've done the initial flush in io_cqring_wait(), then we could be flushing them in the main wait loop as well. If that's done after having added ourselves to the cq_wait waitqueue, then the task state can be != TASK_RUNNING when we enter the overflow flush. Check for the need to overflow flush, and finish our wait cycle first if we have to do so. Reported-and-tested-by: syzbot+cf6ea1d6bb30a4ce10b2@syzkaller.appspotmail.com Link: https://lore.kernel.org/io-uring/000000000000cb143a05f04eee15@google.com/ Signed-off-by: Jens Axboe <axboe@kernel.dk> 2022-12-19T15:28:28Z Pavel Begunkov asml.silence@gmail.com 2022-12-19T15:11:40Z urn:sha1:6c3e8955d4bd9811a6e1761eea412a14fb51a2e6 Don't access io_async_msghdr io_netmsg_recycle(), it may be reallocated. Cc: stable@vger.kernel.org Fixes: 9bb66906f23e5 ("io_uring: support multishot in recvmsg") Signed-off-by: Pavel Begunkov <asml.silence@gmail.com> Link: https://lore.kernel.org/r/9e326f4ad4046ddadf15bf34bf3fa58c6372f6b5.1671461985.git.asml.silence@gmail.com Signed-off-by: Jens Axboe <axboe@kernel.dk> 2022-12-19T14:35:16Z Jens Axboe axboe@kernel.dk 2022-12-19T14:28:26Z urn:sha1:990a4de57e44f4f4cfc33c90d2ec5d285b7c8342 If we're not allocating the vectors because the count is below UIO_FASTIOV, we still do need to properly clear ->free_iov to prevent an erronous free of on-stack data. Reported-by: Jiri Slaby <jirislaby@gmail.com> Fixes: 4c17a496a7a0 ("io_uring/net: fix cleanup double free free_iov init") Cc: stable@vger.kernel.org Signed-off-by: Jens Axboe <axboe@kernel.dk> 2022-12-18T03:35:54Z Jens Axboe axboe@kernel.dk 2022-12-17T20:42:24Z urn:sha1:35d90f95cfa773b7e3b1f57ba15ce06a470f354c It's quite possible that we got woken up because task_work was queued, and we need to process this task_work to generate the events waited for. If we return to the wait loop without running task_work, we'll end up adding the task to the waitqueue again, only to call io_cqring_wait_schedule() again which will run the task_work. This is less efficient than it could be, as it requires adding to the cq_wait queue again. It also triggers the wakeup path for completions as cq_wait is now non-empty with the task itself, and it'll require another lock grab and deletion to remove ourselves from the waitqueue. Signed-off-by: Jens Axboe <axboe@kernel.dk>