(parent: 3fd44c8)
io_uring: fix extra put in sync_file_range()
author: Pavel Begunkov <asml.silence@gmail.com>, Fri, 1 May 2020 14:09:36 +0000 (17:09 +0300)
committer: Jens Axboe <axboe@kernel.dk>, Fri, 1 May 2020 14:50:30 +0000 (08:50 -0600)
[ 40.179474] refcount_t: underflow; use-after-free.
[ 40.179499] WARNING: CPU: 6 PID: 1848 at lib/refcount.c:28 refcount_warn_saturate+0xae/0xf0
...
[ 40.179612] RIP: 0010:refcount_warn_saturate+0xae/0xf0
[ 40.179617] Code: 28 44 0a 01 01 e8 d7 01 c2 ff 0f 0b 5d c3 80 3d 15 44 0a 01 00 75 91 48 c7 c7 b8 f5 75 be c6 05 05 44 0a 01 01 e8 b7 01 c2 ff <0f> 0b 5d c3 80 3d f3 43 0a 01 00 0f 85 6d ff ff ff 48 c7 c7 10 f6
[ 40.179619] RSP: 0018:ffffb252423ebe18 EFLAGS: 00010286
[ 40.179623] RAX: 0000000000000000 RBX: ffff98d65e929400 RCX: 0000000000000000
[ 40.179625] RDX: 0000000000000001 RSI: 0000000000000086 RDI: 00000000ffffffff
[ 40.179627] RBP: ffffb252423ebe18 R08: 0000000000000001 R09: 000000000000055d
[ 40.179629] R10: 0000000000000c8c R11: 0000000000000001 R12: 0000000000000000
[ 40.179631] R13: ffff98d68c434400 R14: ffff98d6a9cbaa20 R15: ffff98d6a609ccb8
[ 40.179634] FS: 0000000000000000(0000) GS:ffff98d6af580000(0000) knlGS:0000000000000000
[ 40.179636] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 40.179638] CR2: 00000000033e3194 CR3: 000000006480a003 CR4: 00000000003606e0
[ 40.179641] Call Trace:
[ 40.179652] io_put_req+0x36/0x40
[ 40.179657] io_free_work+0x15/0x20
[ 40.179661] io_worker_handle_work+0x2f5/0x480
[ 40.179667] io_wqe_worker+0x2a9/0x360
[ 40.179674] ? _raw_spin_unlock_irqrestore+0x24/0x40
[ 40.179681] kthread+0x12c/0x170
[ 40.179685] ? io_worker_handle_work+0x480/0x480
[ 40.179690] ? kthread_park+0x90/0x90
[ 40.179695] ret_from_fork+0x35/0x40
[ 40.179702] ---[ end trace 85027405f00110aa ]---
Opcode handler must never put submission ref, but that's what
io_sync_file_range_finish() does. Use io_steal_work() there.
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
fs/io_uring.c
diff --git
a/fs/io_uring.c
b/fs/io_uring.c
index 5ca2da6648d077ab9e53f60a0ab3fca4166cc479..7f10af02c3d144712907371c20180a3cb1eb2c54 100644
(file)
--- a/
fs/io_uring.c
+++ b/
fs/io_uring.c
@@
-3518,7
+3518,7
@@
static void io_sync_file_range_finish(struct io_wq_work **workptr)
if (io_req_cancelled(req))
return;
__io_sync_file_range(req);
- io_
put_req(req); /* put submission ref */
+ io_
steal_work(req, workptr);
}
static int io_sync_file_range(struct io_kiocb *req, bool force_nonblock)
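Review bot: replacing io_put_req() with io_steal_work(req, workptr) at the end of io_sync_file_range_finish() also removes the `/* put submission ref */` comment without recording why this handler must not drop the reference itself; the trace in the commit message shows the underflow firing from io_put_req() reached via io_free_work(), i.e. the io-wq completion path already puts that reference once the handler returns, so a one-line comment such as `/* submission ref is put by io-wq after this handler returns */` would stop the next reader from reintroducing the double put. Worth confirming in the same pass that the early `if (io_req_cancelled(req)) return;` path, which neither puts nor steals, relies on that same io-wq path and therefore stays balanced after this change.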