Commit 907d1df3 authored by Pavel Begunkov's avatar Pavel Begunkov Committed by Jens Axboe

io_uring: fix wqe->lock/completion_lock deadlock



Joseph reports following deadlock:

CPU0:
...
io_kill_linked_timeout  // &ctx->completion_lock
io_commit_cqring
__io_queue_deferred
__io_queue_async_work
io_wq_enqueue
io_wqe_enqueue  // &wqe->lock

CPU1:
...
__io_uring_files_cancel
io_wq_cancel_cb
io_wqe_cancel_pending_work  // &wqe->lock
io_cancel_task_cb  // &ctx->completion_lock

Only __io_queue_deferred() calls queue_async_work() while holding
ctx->completion_lock, enqueue drained requests via io_req_task_queue()
instead.

Cc: stable@vger.kernel.org # 5.9+
Reported-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Tested-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
parent ca70f00b
+2 −8
@@ -1026,6 +1026,7 @@ static int io_setup_async_rw(struct io_kiocb *req, const struct iovec *iovec,
			     const struct iovec *fast_iov,
			     struct iov_iter *iter, bool force);
static void io_req_drop_files(struct io_kiocb *req);
static void io_req_task_queue(struct io_kiocb *req);

static struct kmem_cache *req_cachep;

@@ -1634,18 +1635,11 @@ static void __io_queue_deferred(struct io_ring_ctx *ctx)
	do {
		struct io_defer_entry *de = list_first_entry(&ctx->defer_list,
						struct io_defer_entry, list);
		struct io_kiocb *link;

		if (req_need_defer(de->req, de->seq))
			break;
		list_del_init(&de->list);
		/* punt-init is done before queueing for defer */
		link = __io_queue_async_work(de->req);
		if (link) {
			__io_queue_linked_timeout(link);
			/* drop submission reference */
			io_put_req_deferred(link, 1);
		}
		io_req_task_queue(de->req);
		kfree(de);
	} while (!list_empty(&ctx->defer_list));
}
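Review bot: The added `io_req_task_queue(de->req);` call in __io_queue_deferred() carries no comment recording the lock-ordering rule it exists to satisfy, and the old `/* punt-init is done before queueing for defer */` remark is dropped without a replacement. Per the commit message this loop runs with ctx->completion_lock held, while the io-wq cancel path takes wqe->lock first and completion_lock second, so a later cleanup that enqueues to io-wq directly from here would bring the deadlock back. I would add above the call `/* completion_lock is held: never enqueue to io-wq here (wqe->lock inversion), punt via task_work */`. The start of the function lies outside the hunk, so whether the lock is already asserted there is not visible; if it is not, `lockdep_assert_held(&ctx->completion_lock);` at the top would make the assumption checkable in debug builds.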