On Tue, 17 May 2022, Jens Axboe wrote: > On 5/17/22 5:41 AM, Lee Jones wrote: > > Good afternoon Jens, Pavel, et al., > > > > Not sure if you are presently aware, but there appears to be a > > use-after-free issue affecting the io_uring worker driver (fs/io-wq.c) > > in Stable v5.10.y. > > > > The full sysbot report can be seen below [0]. > > > > The C-reproducer has been placed below that [1]. > > > > I had great success running this reproducer in an infinite loop. > > > > My colleague reverse-bisected the fixing commit to: > > > > commit fb3a1f6c745ccd896afadf6e2d6f073e871d38ba > > Author: Jens Axboe <axboe@xxxxxxxxx> > > Date: Fri Feb 26 09:47:20 2021 -0700 > > > > io-wq: have manager wait for all workers to exit > > > > Instead of having to wait separately on workers and manager, just have > > the manager wait on the workers. We use an atomic_t for the reference > > here, as we need to start at 0 and allow increment from that. Since the > > number of workers is naturally capped by the allowed nr of processes, > > and that uses an int, there is no risk of overflow. > > > > Signed-off-by: Jens Axboe <axboe@xxxxxxxxx> > > > > fs/io-wq.c | 30 ++++++++++++++++++++++-------- > > 1 file changed, 22 insertions(+), 8 deletions(-) > > Does this fix it: > > commit 886d0137f104a440d9dfa1d16efc1db06c9a2c02 > Author: Jens Axboe <axboe@xxxxxxxxx> > Date: Fri Mar 5 12:59:30 2021 -0700 > > io-wq: fix race in freeing 'wq' and worker access > > Looks like it didn't make it into 5.10-stable, but we can certainly > rectify that. Thanks for your quick response Jens. This patch doesn't apply cleanly to v5.10.y. I'll have a go at back-porting it. Please bear with me. -- Lee Jones [李琼斯] Principal Technical Lead - Developer Services Linaro.org │ Open source software for Arm SoCs Follow Linaro: Facebook | Twitter | Blog
