io_uring: hold 'ctx' reference around task_work queue + execute

Jiufei Xue · casparant · commit e0b245f82507 · 2020-09-02T17:52:57.000+08:00
fix #29820404 commit 6d816e0 linux-block/io_uring-5.9 branch. We're holding the request reference, but we need to go one higher to ensure that the ctx remains valid after the request has finished. If the ring is closed with pending task_work inflight, and the given io_kiocb finishes sync during issue, then we need a reference to the ring itself around the task_work execution cycle. Cc: stable@vger.kernel.org # v5.7+ Reported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Jiufei Xue <jiufei.xue@linux.alibaba.com> Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
diff --git a/fs/io_uring.c b/fs/io_uring.c
@@ -4089,6 +4089,7 @@ static int __io_async_wake(struct io_kiocb *req, struct io_poll_iocb *poll,
 
 	tsk = req->task;
 	req->result = mask;
+	percpu_ref_get(&req->ctx->refs);
 	init_task_work(&req->task_work, func);
 	/*
 	 * If this fails, then the task is exiting. When a task exits, the
@@ -4174,6 +4175,7 @@ static void io_poll_task_handler(struct io_kiocb *req, struct io_kiocb **nxt)
 static void io_poll_task_func(struct callback_head *cb)
 {
 	struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
+	struct io_ring_ctx *ctx = req->ctx;
 	struct io_kiocb *nxt = NULL;
 
 	io_poll_task_handler(req, &nxt);
@@ -4184,6 +4186,7 @@ static void io_poll_task_func(struct callback_head *cb)
 		__io_queue_sqe(nxt, NULL);
 		mutex_unlock(&ctx->uring_lock);
 	}
+	percpu_ref_put(&ctx->refs);
 }
 
 static int io_poll_double_wake(struct wait_queue_entry *wait, unsigned mode,
@@ -4298,6 +4301,7 @@ static void io_async_task_func(struct callback_head *cb)
 
 	if (io_poll_rewait(req, &apoll->poll)) {
 		spin_unlock_irq(&ctx->completion_lock);
+		percpu_ref_put(&ctx->refs);
 		return;
 	}
 
@@ -4336,6 +4340,7 @@ static void io_async_task_func(struct callback_head *cb)
 		req_set_fail_links(req);
 		io_double_put_req(req);
 	}
+	percpu_ref_put(&ctx->refs);
 }
 
 static int io_async_wake(struct wait_queue_entry *wait, unsigned mode, int sync,

Original file line number	Diff line number	Diff line change
`@@ -4089,6 +4089,7 @@ static int __io_async_wake(struct io_kiocb req, struct io_poll_iocb poll,`
`4089`	`4089`
`4090`	`4090`	`tsk = req->task;`
`4091`	`4091`	`req->result = mask;`
	`4092`	`+ percpu_ref_get(&req->ctx->refs);`
`4092`	`4093`	`init_task_work(&req->task_work, func);`
`4093`	`4094`	`/*`
`4094`	`4095`	`* If this fails, then the task is exiting. When a task exits, the`
`@@ -4174,6 +4175,7 @@ static void io_poll_task_handler(struct io_kiocb req, struct io_kiocb *nxt)`
`4174`	`4175`	`static void io_poll_task_func(struct callback_head *cb)`
`4175`	`4176`	`{`
`4176`	`4177`	`struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);`
	`4178`	`+ struct io_ring_ctx *ctx = req->ctx;`
`4177`	`4179`	`struct io_kiocb *nxt = NULL;`
`4178`	`4180`
`4179`	`4181`	`io_poll_task_handler(req, &nxt);`
`@@ -4184,6 +4186,7 @@ static void io_poll_task_func(struct callback_head *cb)`
`4184`	`4186`	`__io_queue_sqe(nxt, NULL);`
`4185`	`4187`	`mutex_unlock(&ctx->uring_lock);`
`4186`	`4188`	`}`
	`4189`	`+ percpu_ref_put(&ctx->refs);`
`4187`	`4190`	`}`
`4188`	`4191`
`4189`	`4192`	`static int io_poll_double_wake(struct wait_queue_entry *wait, unsigned mode,`
`@@ -4298,6 +4301,7 @@ static void io_async_task_func(struct callback_head *cb)`
`4298`	`4301`
`4299`	`4302`	`if (io_poll_rewait(req, &apoll->poll)) {`
`4300`	`4303`	`spin_unlock_irq(&ctx->completion_lock);`
	`4304`	`+ percpu_ref_put(&ctx->refs);`
`4301`	`4305`	`return;`
`4302`	`4306`	`}`
`4303`	`4307`
`@@ -4336,6 +4340,7 @@ static void io_async_task_func(struct callback_head *cb)`
`4336`	`4340`	`req_set_fail_links(req);`
`4337`	`4341`	`io_double_put_req(req);`
`4338`	`4342`	`}`
	`4343`	`+ percpu_ref_put(&ctx->refs);`
`4339`	`4344`	`}`
`4340`	`4345`
`4341`	`4346`	`static int io_async_wake(struct wait_queue_entry *wait, unsigned mode, int sync,`