
Commit e7637a4

io_uring: fix locking state for empty buffer group
io_provided_buffer_select() must drop the submit lock, if needed, even in the error handling case. Failure to do so will leave us with the ctx->uring_lock held, causing spew like: ==================================== WARNING: iou-wrk-366/368 still has locks held! 5.18.0-rc6-00294-gdf8dc7004331 #994 Not tainted ------------------------------------ 1 lock held by iou-wrk-366/368: #0: ffff0000c72598a8 (&ctx->uring_lock){+.+.}-{3:3}, at: io_ring_submit_lock+0x20/0x48 stack backtrace: CPU: 4 PID: 368 Comm: iou-wrk-366 Not tainted 5.18.0-rc6-00294-gdf8dc7004331 #994 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace.part.0+0xa4/0xd4 show_stack+0x14/0x5c dump_stack_lvl+0x88/0xb0 dump_stack+0x14/0x2c debug_check_no_locks_held+0x84/0x90 try_to_freeze.isra.0+0x18/0x44 get_signal+0x94/0x6ec io_wqe_worker+0x1d8/0x2b4 ret_from_fork+0x10/0x20 and triggering later hangs off get_signal() because we attempt to re-grab the lock. Reported-by: syzbot+987d7bb19195ae45208c@syzkaller.appspotmail.com Fixes: 149c69b ("io_uring: abstract out provided buffer list selection") Signed-off-by: Jens Axboe <axboe@kernel.dk>
1 parent 4e86a2c commit e7637a4

1 file changed

+14
-11
lines changed

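--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -3467,20 +3467,23 @@ static void __user *io_provided_buffer_select(struct io_kiocb *req, size_t *len,
 					      struct io_buffer_list *bl,
 					      unsigned int issue_flags)
 {
-	struct io_buffer *kbuf;
+	void __user *ret = ERR_PTR(-ENOBUFS);
 
-	if (list_empty(&bl->buf_list))
-		return ERR_PTR(-ENOBUFS);
+	if (!list_empty(&bl->buf_list)) {
+		struct io_buffer *kbuf;
+
+		kbuf = list_first_entry(&bl->buf_list, struct io_buffer, list);
+		list_del(&kbuf->list);
+		if (*len > kbuf->len)
+			*len = kbuf->len;
+		req->flags |= REQ_F_BUFFER_SELECTED;
+		req->kbuf = kbuf;
+		req->buf_index = kbuf->bid;
+		ret = u64_to_user_ptr(kbuf->addr);
+	}
 
-	kbuf = list_first_entry(&bl->buf_list, struct io_buffer, list);
-	list_del(&kbuf->list);
-	if (*len > kbuf->len)
-		*len = kbuf->len;
-	req->flags |= REQ_F_BUFFER_SELECTED;
-	req->kbuf = kbuf;
-	req->buf_index = kbuf->bid;
 	io_ring_submit_unlock(req->ctx, issue_flags);
-	return u64_to_user_ptr(kbuf->addr);
+	return ret;
 }
 
 static void __user *io_buffer_select(struct io_kiocb *req, size_t *len,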
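Review bot: The single exit through `io_ring_submit_unlock(req->ctx, issue_flags)` now covers the -ENOBUFS path, but the matching lock acquisition is not in this function, so the contract the fix restores — this function consumes a submit lock taken by its caller — is invisible at the definition and is exactly what the original early `return` got wrong. A short header comment above the signature would make the asymmetry explicit for the next edit: `/* Called with the submit lock held (when issue_flags requires it); drops it on every return path, including the -ENOBUFS error. */`. The signature line itself lies outside the hunk, as does whatever acquires the lock, so I am inferring the caller-side acquisition from the unlock alone.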
