Jens Axboe (1): io_uring: check if we need to reschedule during overflow flush
Pavel Begunkov (1): io_uring: always lock __io_cqring_overflow_flush
io_uring/io_uring.c | 28 +++++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-)
From: Pavel Begunkov asml.silence@gmail.com
mainline inclusion from mainline-v6.10-rc1 commit 8d09a88ef9d3cb7d21d45c39b7b7c31298d23998 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRF9 CVE: CVE-2024-50060
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
Conditional locking is never great, in case of __io_cqring_overflow_flush(), which is a slow path, it's not justified. Don't handle IOPOLL separately, always grab uring_lock for overflow flushing.
Signed-off-by: Pavel Begunkov asml.silence@gmail.com Link: https://lore.kernel.org/r/162947df299aa12693ac4b305dacedab32ec7976.171270826... Signed-off-by: Jens Axboe axboe@kernel.dk
Conflicts: io_uring/io_uring.c [Context differences because there is no commit 408024b95927 ("io_uring: open code io_cqring_overflow_flush()").] Signed-off-by: Baokun Li libaokun1@huawei.com --- io_uring/io_uring.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index 6c9d6dfad68e..31d8565fad28 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -667,6 +667,8 @@ static void io_cqring_overflow_kill(struct io_ring_ctx *ctx) struct io_overflow_cqe *ocqe; LIST_HEAD(list);
+ lockdep_assert_held(&ctx->uring_lock); + spin_lock(&ctx->completion_lock); list_splice_init(&ctx->cq_overflow_list, &list); clear_bit(IO_CHECK_CQ_OVERFLOW_BIT, &ctx->check_cq); @@ -683,6 +685,8 @@ static void __io_cqring_overflow_flush(struct io_ring_ctx *ctx) { size_t cqe_size = sizeof(struct io_uring_cqe);
+ lockdep_assert_held(&ctx->uring_lock); + if (__io_cqring_events(ctx) == ctx->cq_entries) return;
@@ -712,12 +716,9 @@ static void __io_cqring_overflow_flush(struct io_ring_ctx *ctx)
static void io_cqring_do_overflow_flush(struct io_ring_ctx *ctx) { - /* iopoll syncs against uring_lock, not completion_lock */ - if (ctx->flags & IORING_SETUP_IOPOLL) - mutex_lock(&ctx->uring_lock); + mutex_lock(&ctx->uring_lock); __io_cqring_overflow_flush(ctx); - if (ctx->flags & IORING_SETUP_IOPOLL) - mutex_unlock(&ctx->uring_lock); + mutex_unlock(&ctx->uring_lock); }
static void io_cqring_overflow_flush(struct io_ring_ctx *ctx) @@ -1596,6 +1597,8 @@ static int io_iopoll_check(struct io_ring_ctx *ctx, long min) unsigned int nr_events = 0; unsigned long check_cq;
+ lockdep_assert_held(&ctx->uring_lock); + if (!io_allowed_run_tw(ctx)) return -EEXIST;
From: Jens Axboe axboe@kernel.dk
stable inclusion from stable-v6.6.57 commit f4ce3b5d26ce149e77e6b8e8f2058aa80e5b034e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYRF9 CVE: CVE-2024-50060
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit eac2ca2d682f94f46b1973bdf5e77d85d77b8e53 ]
In terms of normal application usage, this list will always be empty. And if an application does overflow a bit, it'll have a few entries. However, nothing obviously prevents syzbot from running a test case that generates a ton of overflow entries, and then flushing them can take quite a while.
Check for needing to reschedule while flushing, and drop our locks and do so if necessary. There's no state to maintain here as overflows always prune from head-of-list, hence it's fine to drop and reacquire the locks at the end of the loop.
Link: https://lore.kernel.org/io-uring/66ed061d.050a0220.29194.0053.GAE@google.com... Reported-by: syzbot+5fca234bd7eb378ff78e@syzkaller.appspotmail.com Signed-off-by: Jens Axboe axboe@kernel.dk Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by: Baokun Li libaokun1@huawei.com --- io_uring/io_uring.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+)
diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index 31d8565fad28..69f5b73a609e 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -705,6 +705,21 @@ static void __io_cqring_overflow_flush(struct io_ring_ctx *ctx) memcpy(cqe, &ocqe->cqe, cqe_size); list_del(&ocqe->list); kfree(ocqe); + + /* + * For silly syzbot cases that deliberately overflow by huge + * amounts, check if we need to resched and drop and + * reacquire the locks if so. Nothing real would ever hit this. + * Ideally we'd have a non-posting unlock for this, but hard + * to care for a non-real case. + */ + if (need_resched()) { + io_cq_unlock_post(ctx); + mutex_unlock(&ctx->uring_lock); + cond_resched(); + mutex_lock(&ctx->uring_lock); + io_cq_lock(ctx); + } }
if (list_empty(&ctx->cq_overflow_list)) {
反馈: 您发送到kernel@openeuler.org的补丁/补丁集,已成功转换为PR! PR链接地址: https://gitee.com/openeuler/kernel/pulls/12906 邮件列表地址:https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/F...
FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully! Pull request link: https://gitee.com/openeuler/kernel/pulls/12906 Mailing list address: https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/F...
-
Baokun Li -
patchwork bot