1. 01 May, 2020 6 commits
    • Pavel Begunkov's avatar
      io_uring: check non-sync defer_list carefully · 4ee36314
      Pavel Begunkov authored
      io_req_defer() do double-checked locking. Use proper helpers for that,
      i.e. list_empty_careful().
      Signed-off-by: default avatarPavel Begunkov <asml.silence@gmail.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      4ee36314
    • Pavel Begunkov's avatar
      io_uring: fix extra put in sync_file_range() · 7759a0bf
      Pavel Begunkov authored
      [   40.179474] refcount_t: underflow; use-after-free.
      [   40.179499] WARNING: CPU: 6 PID: 1848 at lib/refcount.c:28 refcount_warn_saturate+0xae/0xf0
      ...
      [   40.179612] RIP: 0010:refcount_warn_saturate+0xae/0xf0
      [   40.179617] Code: 28 44 0a 01 01 e8 d7 01 c2 ff 0f 0b 5d c3 80 3d 15 44 0a 01 00 75 91 48 c7 c7 b8 f5 75 be c6 05 05 44 0a 01 01 e8 b7 01 c2 ff <0f> 0b 5d c3 80 3d f3 43 0a 01 00 0f 85 6d ff ff ff 48 c7 c7 10 f6
      [   40.179619] RSP: 0018:ffffb252423ebe18 EFLAGS: 00010286
      [   40.179623] RAX: 0000000000000000 RBX: ffff98d65e929400 RCX: 0000000000000000
      [   40.179625] RDX: 0000000000000001 RSI: 0000000000000086 RDI: 00000000ffffffff
      [   40.179627] RBP: ffffb252423ebe18 R08: 0000000000000001 R09: 000000000000055d
      [   40.179629] R10: 0000000000000c8c R11: 0000000000000001 R12: 0000000000000000
      [   40.179631] R13: ffff98d68c434400 R14: ffff98d6a9cbaa20 R15: ffff98d6a609ccb8
      [   40.179634] FS:  0000000000000000(0000) GS:ffff98d6af580000(0000) knlGS:0000000000000000
      [   40.179636] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   40.179638] CR2: 00000000033e3194 CR3: 000000006480a003 CR4: 00000000003606e0
      [   40.179641] Call Trace:
      [   40.179652]  io_put_req+0x36/0x40
      [   40.179657]  io_free_work+0x15/0x20
      [   40.179661]  io_worker_handle_work+0x2f5/0x480
      [   40.179667]  io_wqe_worker+0x2a9/0x360
      [   40.179674]  ? _raw_spin_unlock_irqrestore+0x24/0x40
      [   40.179681]  kthread+0x12c/0x170
      [   40.179685]  ? io_worker_handle_work+0x480/0x480
      [   40.179690]  ? kthread_park+0x90/0x90
      [   40.179695]  ret_from_fork+0x35/0x40
      [   40.179702] ---[ end trace 85027405f00110aa ]---
      
      Opcode handler must never put submission ref, but that's what
      io_sync_file_range_finish() do. use io_steal_work() there.
      Signed-off-by: default avatarPavel Begunkov <asml.silence@gmail.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      7759a0bf
    • Xiaoguang Wang's avatar
      io_uring: use cond_resched() in io_ring_ctx_wait_and_kill() · 3fd44c86
      Xiaoguang Wang authored
      While working on to make io_uring sqpoll mode support syscalls that need
      struct files_struct, I got cpu soft lockup in io_ring_ctx_wait_and_kill(),
      
          while (ctx->sqo_thread && !wq_has_sleeper(&ctx->sqo_wait))
              cpu_relax();
      
      above loop never has an chance to exit, it's because preempt isn't enabled
      in the kernel, and the context calling io_ring_ctx_wait_and_kill() and
      io_sq_thread() run in the same cpu, if io_sq_thread calls a cond_resched()
      yield cpu and another context enters above loop, then io_sq_thread() will
      always in runqueue and never exit.
      
      Use cond_resched() can fix this issue.
      
       Reported-by: syzbot+66243bb7126c410cefe6@syzkaller.appspotmail.com
      Signed-off-by: default avatarXiaoguang Wang <xiaoguang.wang@linux.alibaba.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      3fd44c86
    • Bijan Mottahedeh's avatar
      io_uring: use proper references for fallback_req locking · dd461af6
      Bijan Mottahedeh authored
      Use ctx->fallback_req address for test_and_set_bit_lock() and
      clear_bit_unlock().
      Signed-off-by: default avatarBijan Mottahedeh <bijan.mottahedeh@oracle.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      dd461af6
    • Jens Axboe's avatar
      io_uring: only force async punt if poll based retry can't handle it · 490e8967
      Jens Axboe authored
      We do blocking retry from our poll handler, if the file supports polled
      notifications. Only mark the request as needing an async worker if we
      can't poll for it.
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      490e8967
    • Jens Axboe's avatar
      io_uring: enable poll retry for any file with ->read_iter / ->write_iter · af197f50
      Jens Axboe authored
      We can have files like eventfd where it's perfectly fine to do poll
      based retry on them, right now io_file_supports_async() doesn't take
      that into account.
      
      Pass in data direction and check the f_op instead of just always needing
      an async worker.
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      af197f50
  2. 27 Apr, 2020 1 commit
    • Jens Axboe's avatar
      io_uring: statx must grab the file table for valid fd · 5b0bbee4
      Jens Axboe authored
      Clay reports that OP_STATX fails for a test case with a valid fd
      and empty path:
      
       -- Test 0: statx:fd 3: SUCCEED, file mode 100755
       -- Test 1: statx:path ./uring_statx: SUCCEED, file mode 100755
       -- Test 2: io_uring_statx:fd 3: FAIL, errno 9: Bad file descriptor
       -- Test 3: io_uring_statx:path ./uring_statx: SUCCEED, file mode 100755
      
      This is due to statx not grabbing the process file table, hence we can't
      lookup the fd in async context. If the fd is valid, ensure that we grab
      the file table so we can grab the file from async context.
      
      Cc: stable@vger.kernel.org # v5.6
      Reported-by: default avatarClay Harris <bugs@claycon.org>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      5b0bbee4
  3. 19 Apr, 2020 1 commit
    • Xiaoguang Wang's avatar
      io_uring: only restore req->work for req that needs do completion · 44575a67
      Xiaoguang Wang authored
      When testing io_uring IORING_FEAT_FAST_POLL feature, I got below panic:
      BUG: kernel NULL pointer dereference, address: 0000000000000030
      PGD 0 P4D 0
      Oops: 0000 [#1] SMP PTI
      CPU: 5 PID: 2154 Comm: io_uring_echo_s Not tainted 5.6.0+ #359
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
      BIOS rel-1.11.1-0-g0551a4be2c-prebuilt.qemu-project.org 04/01/2014
      RIP: 0010:io_wq_submit_work+0xf/0xa0
      Code: ff ff ff be 02 00 00 00 e8 ae c9 19 00 e9 58 ff ff ff 66 0f 1f
      84 00 00 00 00 00 0f 1f 44 00 00 41 54 49 89 fc 55 53 48 8b 2f <8b>
      45 30 48 8d 9d 48 ff ff ff 25 01 01 00 00 83 f8 01 75 07 eb 2a
      RSP: 0018:ffffbef543e93d58 EFLAGS: 00010286
      RAX: ffffffff84364f50 RBX: ffffa3eb50f046b8 RCX: 0000000000000000
      RDX: ffffa3eb0efc1840 RSI: 0000000000000006 RDI: ffffa3eb50f046b8
      RBP: 0000000000000000 R08: 00000000fffd070d R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: ffffa3eb50f046b8
      R13: ffffa3eb0efc2088 R14: ffffffff85b69be0 R15: ffffa3eb0effa4b8
      FS:  00007fe9f69cc4c0(0000) GS:ffffa3eb5ef40000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000000000030 CR3: 0000000020410000 CR4: 00000000000006e0
      Call Trace:
       task_work_run+0x6d/0xa0
       do_exit+0x39a/0xb80
       ? get_signal+0xfe/0xbc0
       do_group_exit+0x47/0xb0
       get_signal+0x14b/0xbc0
       ? __x64_sys_io_uring_enter+0x1b7/0x450
       do_signal+0x2c/0x260
       ? __x64_sys_io_uring_enter+0x228/0x450
       exit_to_usermode_loop+0x87/0xf0
       do_syscall_64+0x209/0x230
       entry_SYSCALL_64_after_hwframe+0x49/0xb3
      RIP: 0033:0x7fe9f64f8df9
      Code: Bad RIP value.
      
      task_work_run calls io_wq_submit_work unexpectedly, it's obvious that
      struct callback_head's func member has been changed. After looking into
      codes, I found this issue is still due to the union definition:
          union {
              /*
               * Only commands that never go async can use the below fields,
               * obviously. Right now only IORING_OP_POLL_ADD uses them, and
               * async armed poll handlers for regular commands. The latter
               * restore the work, if needed.
               */
              struct {
                  struct callback_head	task_work;
                  struct hlist_node	hash_node;
                  struct async_poll	*apoll;
              };
              struct io_wq_work	work;
          };
      
      When task_work_run has multiple work to execute, the work that calls
      io_poll_remove_all() will do req->work restore for  non-poll request
      always, but indeed if a non-poll request has been added to a new
      callback_head, subsequent callback will call io_async_task_func() to
      handle this request, that means we should not do the restore work
      for such non-poll request. Meanwhile in io_async_task_func(), we should
      drop submit ref when req has been canceled.
      
      Fix both issues.
      
      Fixes: b1f573bd ("io_uring: restore req->work when canceling poll request")
      Signed-off-by: default avatarXiaoguang Wang <xiaoguang.wang@linux.alibaba.com>
      
      Use io_double_put_req()
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      44575a67
  4. 15 Apr, 2020 3 commits
    • Pavel Begunkov's avatar
      io_uring: don't count rqs failed after current one · 31af27c7
      Pavel Begunkov authored
      When checking for draining with __req_need_defer(), it tries to match
      how many requests were sent before a current one with number of already
      completed. Dropped SQEs are included in req->sequence, and they won't
      ever appear in CQ. To compensate for that, __req_need_defer() substracts
      ctx->cached_sq_dropped.
      However, what it should really use is number of SQEs dropped __before__
      the current one. In other words, any submitted request shouldn't
      shouldn't affect dequeueing from the drain queue of previously submitted
      ones.
      
      Instead of saving proper ctx->cached_sq_dropped in each request,
      substract from req->sequence it at initialisation, so it includes number
      of properly submitted requests.
      
      note: it also changes behaviour of timeouts, but
      1. it's already diverge from the description because of using SQ
      2. the description is ambiguous regarding dropped SQEs
      Signed-off-by: default avatarPavel Begunkov <asml.silence@gmail.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      31af27c7
    • Pavel Begunkov's avatar
      io_uring: kill already cached timeout.seq_offset · b55ce732
      Pavel Begunkov authored
      req->timeout.count and req->io->timeout.seq_offset store the same value,
      which is sqe->off. Kill the second one
      Signed-off-by: default avatarPavel Begunkov <asml.silence@gmail.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      b55ce732
    • Pavel Begunkov's avatar
      io_uring: fix cached_sq_head in io_timeout() · 22cad158
      Pavel Begunkov authored
      io_timeout() can be executed asynchronously by a worker and without
      holding ctx->uring_lock
      
      1. using ctx->cached_sq_head there is racy there
      2. it should count events from a moment of timeout's submission, but
      not execution
      
      Use req->sequence.
      Signed-off-by: default avatarPavel Begunkov <asml.silence@gmail.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      22cad158
  5. 13 Apr, 2020 4 commits
    • Jens Axboe's avatar
      io_uring: only post events in io_poll_remove_all() if we completed some · 8e2e1faf
      Jens Axboe authored
      syzbot reports this crash:
      
      BUG: unable to handle page fault for address: ffffffffffffffe8
      PGD f96e17067 P4D f96e17067 PUD f96e19067 PMD 0
      Oops: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
      CPU: 55 PID: 211750 Comm: trinity-c127 Tainted: G    B        L    5.7.0-rc1-next-20200413 #4
      Hardware name: HP ProLiant DL380 Gen9/ProLiant DL380 Gen9, BIOS P89 04/12/2017
      RIP: 0010:__wake_up_common+0x98/0x290
      el/sched/wait.c:87
      Code: 40 4d 8d 78 e8 49 8d 7f 18 49 39 fd 0f 84 80 00 00 00 e8 6b bd 2b 00 49 8b 5f 18 45 31 e4 48 83 eb 18 4c 89 ff e8 08 bc 2b 00 <45> 8b 37 41 f6 c6 04 75 71 49 8d 7f 10 e8 46 bd 2b 00 49 8b 47 10
      RSP: 0018:ffffc9000adbfaf0 EFLAGS: 00010046
      RAX: 0000000000000000 RBX: ffffffffffffffe8 RCX: ffffffffaa9636b8
      RDX: 0000000000000003 RSI: dffffc0000000000 RDI: ffffffffffffffe8
      RBP: ffffc9000adbfb40 R08: fffffbfff582c5fd R09: fffffbfff582c5fd
      R10: ffffffffac162fe3 R11: fffffbfff582c5fc R12: 0000000000000000
      R13: ffff888ef82b0960 R14: ffffc9000adbfb80 R15: ffffffffffffffe8
      FS:  00007fdcba4c4740(0000) GS:ffff889033780000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: ffffffffffffffe8 CR3: 0000000f776a0004 CR4: 00000000001606e0
      Call Trace:
       __wake_up_common_lock+0xea/0x150
      ommon_lock at kernel/sched/wait.c:124
       ? __wake_up_common+0x290/0x290
       ? lockdep_hardirqs_on+0x16/0x2c0
       __wake_up+0x13/0x20
       io_cqring_ev_posted+0x75/0xe0
      v_posted at fs/io_uring.c:1160
       io_ring_ctx_wait_and_kill+0x1c0/0x2f0
      l at fs/io_uring.c:7305
       io_uring_create+0xa8d/0x13b0
       ? io_req_defer_prep+0x990/0x990
       ? __kasan_check_write+0x14/0x20
       io_uring_setup+0xb8/0x130
       ? io_uring_create+0x13b0/0x13b0
       ? check_flags.part.28+0x220/0x220
       ? lockdep_hardirqs_on+0x16/0x2c0
       __x64_sys_io_uring_setup+0x31/0x40
       do_syscall_64+0xcc/0xaf0
       ? syscall_return_slowpath+0x580/0x580
       ? lockdep_hardirqs_off+0x1f/0x140
       ? entry_SYSCALL_64_after_hwframe+0x3e/0xb3
       ? trace_hardirqs_off_caller+0x3a/0x150
       ? trace_hardirqs_off_thunk+0x1a/0x1c
       entry_SYSCALL_64_after_hwframe+0x49/0xb3
      RIP: 0033:0x7fdcb9dd76ed
      Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 6b 57 2c 00 f7 d8 64 89 01 48
      RSP: 002b:00007ffe7fd4e4f8 EFLAGS: 00000246 ORIG_RAX: 00000000000001a9
      RAX: ffffffffffffffda RBX: 00000000000001a9 RCX: 00007fdcb9dd76ed
      RDX: fffffffffffffffc RSI: 0000000000000000 RDI: 0000000000005d54
      RBP: 00000000000001a9 R08: 0000000e31d3caa7 R09: 0082400004004000
      R10: ffffffffffffffff R11: 0000000000000246 R12: 0000000000000002
      R13: 00007fdcb842e058 R14: 00007fdcba4c46c0 R15: 00007fdcb842e000
      Modules linked in: bridge stp llc nfnetlink cn brd vfat fat ext4 crc16 mbcache jbd2 loop kvm_intel kvm irqbypass intel_cstate intel_uncore dax_pmem intel_rapl_perf dax_pmem_core ip_tables x_tables xfs sd_mod tg3 firmware_class libphy hpsa scsi_transport_sas dm_mirror dm_region_hash dm_log dm_mod [last unloaded: binfmt_misc]
      CR2: ffffffffffffffe8
      ---[ end trace f9502383d57e0e22 ]---
      RIP: 0010:__wake_up_common+0x98/0x290
      Code: 40 4d 8d 78 e8 49 8d 7f 18 49 39 fd 0f 84 80 00 00 00 e8 6b bd 2b 00 49 8b 5f 18 45 31 e4 48 83 eb 18 4c 89 ff e8 08 bc 2b 00 <45> 8b 37 41 f6 c6 04 75 71 49 8d 7f 10 e8 46 bd 2b 00 49 8b 47 10
      RSP: 0018:ffffc9000adbfaf0 EFLAGS: 00010046
      RAX: 0000000000000000 RBX: ffffffffffffffe8 RCX: ffffffffaa9636b8
      RDX: 0000000000000003 RSI: dffffc0000000000 RDI: ffffffffffffffe8
      RBP: ffffc9000adbfb40 R08: fffffbfff582c5fd R09: fffffbfff582c5fd
      R10: ffffffffac162fe3 R11: fffffbfff582c5fc R12: 0000000000000000
      R13: ffff888ef82b0960 R14: ffffc9000adbfb80 R15: ffffffffffffffe8
      FS:  00007fdcba4c4740(0000) GS:ffff889033780000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: ffffffffffffffe8 CR3: 0000000f776a0004 CR4: 00000000001606e0
      Kernel panic - not syncing: Fatal exception
      Kernel Offset: 0x29800000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
      ---[ end Kernel panic - not syncing: Fatal exception ]—
      
      which is due to error injection (or allocation failure) preventing the
      rings from being setup. On shutdown, we attempt to remove any pending
      requests, and for poll request, we call io_cqring_ev_posted() when we've
      killed poll requests. However, since the rings aren't setup, we won't
      find any poll requests. Make the calling of io_cqring_ev_posted()
      dependent on actually having completed requests. This fixes this setup
      corner case, and removes spurious calls if we remove poll requests and
      don't find any.
      Reported-by: default avatarQian Cai <cai@lca.pw>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      8e2e1faf
    • Jens Axboe's avatar
      io_uring: io_async_task_func() should check and honor cancelation · 2bae047e
      Jens Axboe authored
      If the request has been marked as canceled, don't try and issue it.
      Instead just fill a canceled event and finish the request.
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      2bae047e
    • Jens Axboe's avatar
      io_uring: check for need to re-wait in polled async handling · 74ce6ce4
      Jens Axboe authored
      We added this for just the regular poll requests in commit a6ba632d
      ("io_uring: retry poll if we got woken with non-matching mask"), we
      should do the same for the poll handler used pollable async requests.
      Move the re-wait check and arm into a helper, and call it from
      io_async_task_func() as well.
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      74ce6ce4
    • Jens Axboe's avatar
      io_uring: correct O_NONBLOCK check for splice punt · 88357580
      Jens Axboe authored
      The splice file punt check uses file->f_mode to check for O_NONBLOCK,
      but it should be checking file->f_flags. This leads to punting even
      for files that have O_NONBLOCK set, which isn't necessary. This equates
      to checking for FMODE_PATH, which will never be set on the fd in
      question.
      
      Fixes: 7d67af2c ("io_uring: add splice(2) support")
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      88357580
  6. 12 Apr, 2020 6 commits
    • Xiaoguang Wang's avatar
      io_uring: restore req->work when canceling poll request · b1f573bd
      Xiaoguang Wang authored
      When running liburing test case 'accept', I got below warning:
      RED: Invalid credentials
      RED: At include/linux/cred.h:285
      RED: Specified credentials: 00000000d02474a0
      RED: ->magic=4b, put_addr=000000005b4f46e9
      RED: ->usage=-1699227648, subscr=-25693
      RED: ->*uid = { 256,-25693,-25693,65534 }
      RED: ->*gid = { 0,-1925859360,-1789740800,-1827028688 }
      RED: ->security is 00000000258c136e
      eneral protection fault, probably for non-canonical address 0xdead4ead00000000: 0000 [#1] SMP PTI
      PU: 21 PID: 2037 Comm: accept Not tainted 5.6.0+ #318
      ardware name: QEMU Standard PC (i440FX + PIIX, 1996),
      BIOS rel-1.11.1-0-g0551a4be2c-prebuilt.qemu-project.org 04/01/2014
      IP: 0010:dump_invalid_creds+0x16f/0x184
      ode: 48 8b 83 88 00 00 00 48 3d ff 0f 00 00 76 29 48 89 c2 81 e2 00 ff ff ff 48
      81 fa 00 6b 6b 6b 74 17 5b 48 c7 c7 4b b1 10 8e 5d <8b> 50 04 41 5c 8b 30 41 5d
      e9 67 e3 04 00 5b 5d 41 5c 41 5d c3 0f
      SP: 0018:ffffacc1039dfb38 EFLAGS: 00010087
      AX: dead4ead00000000 RBX: ffff9ba39319c100 RCX: 0000000000000007
      DX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff8e10b14b
      BP: ffffffff8e108476 R08: 0000000000000000 R09: 0000000000000001
      10: 0000000000000000 R11: ffffacc1039df9e5 R12: 000000009552b900
      13: 000000009319c130 R14: ffff9ba39319c100 R15: 0000000000000246
      S:  00007f96b2bfc4c0(0000) GS:ffff9ba39f340000(0000) knlGS:0000000000000000
      S:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      R2: 0000000000401870 CR3: 00000007db7a4000 CR4: 00000000000006e0
      all Trace:
      __invalid_creds+0x48/0x4a
      __io_req_aux_free+0x2e8/0x3b0
      ? io_poll_remove_one+0x2a/0x1d0
      __io_free_req+0x18/0x200
      io_free_req+0x31/0x350
      io_poll_remove_one+0x17f/0x1d0
      io_poll_cancel.isra.80+0x6c/0x80
      io_async_find_and_cancel+0x111/0x120
      io_issue_sqe+0x181/0x10e0
      ? __lock_acquire+0x552/0xae0
      ? lock_acquire+0x8e/0x310
      ? fs_reclaim_acquire.part.97+0x5/0x30
      __io_queue_sqe.part.100+0xc4/0x580
      ? io_submit_sqes+0x751/0xbd0
      ? rcu_read_lock_sched_held+0x32/0x40
      io_submit_sqes+0x9ba/0xbd0
      ? __x64_sys_io_uring_enter+0x2b2/0x460
      ? __x64_sys_io_uring_enter+0xaf/0x460
      ? find_held_lock+0x2d/0x90
      ? __x64_sys_io_uring_enter+0x111/0x460
      __x64_sys_io_uring_enter+0x2d7/0x460
      do_syscall_64+0x5a/0x230
      entry_SYSCALL_64_after_hwframe+0x49/0xb3
      
      After looking into codes, it turns out that this issue is because we didn't
      restore the req->work, which is changed in io_arm_poll_handler(), req->work
      is a union with below struct:
      	struct {
      		struct callback_head	task_work;
      		struct hlist_node	hash_node;
      		struct async_poll	*apoll;
      	};
      If we forget to restore, members in struct io_wq_work would be invalid,
      restore the req->work to fix this issue.
      Signed-off-by: default avatarXiaoguang Wang <xiaoguang.wang@linux.alibaba.com>
      
      Get rid of not needed 'need_restore' variable.
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      b1f573bd
    • Pavel Begunkov's avatar
      io_uring: move all request init code in one place · ef4ff581
      Pavel Begunkov authored
      Requests initialisation is scattered across several functions, namely
      io_init_req(), io_submit_sqes(), io_submit_sqe(). Put it
      in io_init_req() for better data locality and code clarity.
      Signed-off-by: default avatarPavel Begunkov <asml.silence@gmail.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      ef4ff581
    • Pavel Begunkov's avatar
      io_uring: keep all sqe->flags in req->flags · dea3b49c
      Pavel Begunkov authored
      It's a good idea to not read sqe->flags twice, as it's prone to security
      bugs. Instead of passing it around, embeed them in req->flags. It's
      already so except for IOSQE_IO_LINK.
      1. rename former REQ_F_LINK -> REQ_F_LINK_HEAD
      2. introduce and copy REQ_F_LINK, which mimics IO_IOSQE_LINK
      
      And leave req_set_fail_links() using new REQ_F_LINK, because it's more
      sensible.
      Signed-off-by: default avatarPavel Begunkov <asml.silence@gmail.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      dea3b49c
    • Pavel Begunkov's avatar
      io_uring: early submission req fail code · 1d4240cc
      Pavel Begunkov authored
      Having only one place for cleaning up a request after a link assembly/
      submission failure will play handy in the future. At least it allows
      to remove duplicated cleanup sequence.
      Signed-off-by: default avatarPavel Begunkov <asml.silence@gmail.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      1d4240cc
    • Pavel Begunkov's avatar
      io_uring: track mm through current->mm · bf9c2f1c
      Pavel Begunkov authored
      As a preparation for extracting request init bits, remove self-coded mm
      tracking from io_submit_sqes(), but rely on current->mm. It's more
      convenient, than passing this piece of state in other functions.
      Signed-off-by: default avatarPavel Begunkov <asml.silence@gmail.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      bf9c2f1c
    • Pavel Begunkov's avatar
      io_uring: remove obsolete @mm_fault · dccc587f
      Pavel Begunkov authored
      If io_submit_sqes() can't grab an mm, it fails and exits right away.
      There is no need to track the fact of the failure. Remove @mm_fault.
      Signed-off-by: default avatarPavel Begunkov <asml.silence@gmail.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      dccc587f
  7. 11 Apr, 2020 5 commits
    • Linus Torvalds's avatar
      Merge branch 'akpm' (patches from Andrew) · 5b8b9d0c
      Linus Torvalds authored
      Merge yet more updates from Andrew Morton:
      
       - Almost all of the rest of MM (memcg, slab-generic, slab, pagealloc,
         gup, hugetlb, pagemap, memremap)
      
       - Various other things (hfs, ocfs2, kmod, misc, seqfile)
      
      * akpm: (34 commits)
        ipc/util.c: sysvipc_find_ipc() should increase position index
        kernel/gcov/fs.c: gcov_seq_next() should increase position index
        fs/seq_file.c: seq_read(): add info message about buggy .next functions
        drivers/dma/tegra20-apb-dma.c: fix platform_get_irq.cocci warnings
        change email address for Pali Rohár
        selftests: kmod: test disabling module autoloading
        selftests: kmod: fix handling test numbers above 9
        docs: admin-guide: document the kernel.modprobe sysctl
        fs/filesystems.c: downgrade user-reachable WARN_ONCE() to pr_warn_once()
        kmod: make request_module() return an error when autoloading is disabled
        mm/memremap: set caching mode for PCI P2PDMA memory to WC
        mm/memory_hotplug: add pgprot_t to mhp_params
        powerpc/mm: thread pgprot_t through create_section_mapping()
        x86/mm: introduce __set_memory_prot()
        x86/mm: thread pgprot_t through init_memory_mapping()
        mm/memory_hotplug: rename mhp_restrictions to mhp_params
        mm/memory_hotplug: drop the flags field from struct mhp_restrictions
        mm/special: create generic fallbacks for pte_special() and pte_mkspecial()
        mm/vma: introduce VM_ACCESS_FLAGS
        mm/vma: define a default value for VM_DATA_DEFAULT_FLAGS
        ...
      5b8b9d0c
    • Linus Torvalds's avatar
      Merge tag 'docs-5.7-2' of git://git.lwn.net/linux · ca6151a9
      Linus Torvalds authored
      Pull Documentation fixes from Jonathan Corbet:
       "A handful of late-arriving fixes for the documentation tree"
      
      * tag 'docs-5.7-2' of git://git.lwn.net/linux:
        Documentation: android: binderfs: add 'stats' mount option
        Documentation: driver-api/usb/writing_usb_driver.rst Updates documentation links
        docs: driver-api: address duplicate label warning
        Documentation: sysrq: fix RST formatting
        docs: kernel-parameters.txt: Fix broken references
        docs: kernel-parameters.txt: Remove nompx
        docs: filesystems: fix typo in qnx6.rst
      ca6151a9
    • Linus Torvalds's avatar
      Merge tag 'for-linus-5.7-ofs1' of git://git.kernel.org/pub/scm/linux/kernel/git/hubcap/linux · 4e4bdcfa
      Linus Torvalds authored
      Pull orangefs updates from Mike Marshall:
       "A fix and two cleanups.
      
        Fix:
      
         - Christoph Hellwig noticed that some logic I added to
           orangefs_file_read_iter introduced a race condition, so he sent a
           reversion patch. I had to modify his patch since reverting at this
           point broke Orangefs.
      
        Cleanups:
      
         - Christoph Hellwig noticed that we were doing some unnecessary work
           in orangefs_flush, so he sent in a patch that removed the un-needed
           code.
      
         - Al Viro told me he had trouble building Orangefs. Orangefs should
           be easy to build, even for Al :-).
      
           I looked back at the test server build notes in orangefs.txt, just
           in case that's where the trouble really is, and found a couple of
           typos and made a couple of clarifications"
      
      * tag 'for-linus-5.7-ofs1' of git://git.kernel.org/pub/scm/linux/kernel/git/hubcap/linux:
        orangefs: clarify build steps for test server in orangefs.txt
        orangefs: don't mess with I_DIRTY_TIMES in orangefs_flush
        orangefs: get rid of knob code...
      4e4bdcfa
    • Linus Torvalds's avatar
      Merge tag 'xtensa-20200410' of git://github.com/jcmvbkbc/linux-xtensa · 9539303a
      Linus Torvalds authored
      Pull xtensa updates from Max Filippov:
      
       - replace setup_irq() by request_irq()
      
       - cosmetic fixes in xtensa Kconfig and boot/Makefile
      
      * tag 'xtensa-20200410' of git://github.com/jcmvbkbc/linux-xtensa:
        arch/xtensa: fix grammar in Kconfig help text
        xtensa: remove meaningless export ccflags-y
        xtensa: replace setup_irq() by request_irq()
      9539303a
    • Linus Torvalds's avatar
      Merge tag 'for-linus-5.7-rc1b-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · e6383b18
      Linus Torvalds authored
      Pull more xen updates from Juergen Gross:
      
       - two cleanups
      
       - fix a boot regression introduced in this merge window
      
       - fix wrong use of memory allocation flags
      
      * tag 'for-linus-5.7-rc1b-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
        x86/xen: fix booting 32-bit pv guest
        x86/xen: make xen_pvmmu_arch_setup() static
        xen/blkfront: fix memory allocation flags in blkfront_setup_indirect()
        xen: Use evtchn_type_t as a type for event channels
      e6383b18
  8. 10 Apr, 2020 14 commits