On 5/17/22 5:41 AM, Lee Jones wrote:
> Good afternoon Jens, Pavel, et al.,
>
> Not sure if you are presently aware, but there appears to be a
> use-after-free issue affecting the io_uring worker driver (fs/io-wq.c)
> in Stable v5.10.y.
>
> The full sysbot report can be seen below [0].
>
> The C-reproducer has been placed below that [1].
>
> I had great success running this reproducer in an infinite loop.
>
> My colleague reverse-bisected the fixing commit to:
>
> commit fb3a1f6c745ccd896afadf6e2d6f073e871d38ba
> Author: Jens Axboe <axboe@xxxxxxxxx>
> Date: Fri Feb 26 09:47:20 2021 -0700
>
> io-wq: have manager wait for all workers to exit
>
> Instead of having to wait separately on workers and manager, just have
> the manager wait on the workers. We use an atomic_t for the reference
> here, as we need to start at 0 and allow increment from that. Since the
> number of workers is naturally capped by the allowed nr of processes,
> and that uses an int, there is no risk of overflow.
>
> Signed-off-by: Jens Axboe <axboe@xxxxxxxxx>
>
> fs/io-wq.c | 30 ++++++++++++++++++++++--------
> 1 file changed, 22 insertions(+), 8 deletions(-)
Does this fix it:
commit 886d0137f104a440d9dfa1d16efc1db06c9a2c02
Author: Jens Axboe <axboe@xxxxxxxxx>
Date: Fri Mar 5 12:59:30 2021 -0700
io-wq: fix race in freeing 'wq' and worker access
Looks like it didn't make it into 5.10-stable, but we can certainly
rectify that.
--
Jens Axboe
