On 11/23/20 2:55 AM, syzbot wrote: > Hello, > > syzbot found the following issue on: > > HEAD commit: 27bba9c5 Merge tag 'scsi-fixes' of git://git.kernel.org/pu.. > git tree: upstream > console output: https://syzkaller.appspot.com/x/log.txt?x=11041f1e500000 > kernel config: https://syzkaller.appspot.com/x/.config?x=330f3436df12fd44 > dashboard link: https://syzkaller.appspot.com/bug?extid=1f4ba1e5520762c523c6 > compiler: gcc (GCC) 10.1.0-syz 20200507 > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17d9b775500000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=157e4f75500000 > > The issue was bisected to: > > commit dcd479e10a0510522a5d88b29b8f79ea3467d501 > Author: Johannes Berg <johannes.berg@xxxxxxxxx> > Date: Fri Oct 9 12:17:11 2020 +0000 > > mac80211: always wind down STA state Not sure what is going on with the syzbot bisects recently, they are way off into the weeds... Anyway, I think the below should fix it.
diff --git a/fs/io_uring.c b/fs/io_uring.c
index 489ec7272b3e..0f2abbff7eec 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -7194,9 +7181,9 @@ static int io_sqe_files_unregister(struct io_ring_ctx *ctx)
 if (!data)
 return -ENXIO;
- spin_lock(&data->lock);
+ spin_lock_bh(&data->lock);
 ref_node = data->node;
- spin_unlock(&data->lock);
+ spin_unlock_bh(&data->lock);
 if (ref_node)
 percpu_ref_kill(&ref_node->refs);
@@ -7578,7 +7565,7 @@ static void io_file_data_ref_zero(struct percpu_ref *ref)
 data = ref_node->file_data;
 ctx = data->ctx;
- spin_lock(&data->lock);
+ spin_lock_bh(&data->lock);
 ref_node->done = true;
 while (!list_empty(&data->ref_list)) {
@@ -7590,7 +7577,7 @@ static void io_file_data_ref_zero(struct percpu_ref *ref)
 list_del(&ref_node->node);
 first_add |= llist_add(&ref_node->llist, &ctx->file_put_llist);
 }
- spin_unlock(&data->lock);
+ spin_unlock_bh(&data->lock);
 if (percpu_ref_is_dying(&data->refs))
 delay = 0;
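Review bot: Nothing in these five hunks records why `data->lock` now needs the `_bh` variants, so a later plain `spin_lock(&data->lock)` would silently bring the problem back; this applies to io_sqe_files_unregister here and equally to io_file_data_ref_zero, io_sqe_files_register and __io_sqe_files_update. Presumably the reason is that io_file_data_ref_zero is a percpu_ref release callback that can be entered from softirq context while a process-context holder has the lock, but the mail does not say so. I would add a comment above the lock in io_file_data_ref_zero such as `/* may run from softirq; every data->lock user must disable BHs */`, and carry the same explanation in the changelog when this is sent as a formal patch. All four function bodies start or end outside their hunks.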
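Review bot: In io_file_data_ref_zero, `spin_lock_bh()` and `spin_unlock_bh()` (the unlock is in the following hunk) are only valid if the last reference is never dropped from hardirq context or with interrupts disabled, because `spin_unlock_bh()` re-enables bottom halves and must not be called there. Which contexts can do the final put is not visible in these hunks. If any completion path can, `spin_lock_irqsave(&data->lock, flags)` / `spin_unlock_irqrestore(&data->lock, flags)` would be the safer pair in this callback. The function starts and ends outside both hunks.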
@@ -7713,9 +7700,9 @@ static int io_sqe_files_register(struct io_ring_ctx *ctx, void __user *arg,
 }
 file_data->node = ref_node;
- spin_lock(&file_data->lock);
+ spin_lock_bh(&file_data->lock);
 list_add_tail(&ref_node->node, &file_data->ref_list);
- spin_unlock(&file_data->lock);
+ spin_unlock_bh(&file_data->lock);
 percpu_ref_get(&file_data->refs);
 return ret;
 out_fput:
@@ -7872,10 +7859,10 @@ static int __io_sqe_files_update(struct io_ring_ctx *ctx,
 if (needs_switch) {
 percpu_ref_kill(&data->node->refs);
- spin_lock(&data->lock);
+ spin_lock_bh(&data->lock);
 list_add_tail(&ref_node->node, &data->ref_list);
 data->node = ref_node;
- spin_unlock(&data->lock);
+ spin_unlock_bh(&data->lock);
 percpu_ref_get(&ctx->file_data->refs);
 } else
 destroy_fixed_file_ref_node(ref_node);
-- Jens Axboe
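Review bot: The `->node` pointer is not handled consistently with respect to the lock these hunks touch. In io_sqe_files_register `file_data->node = ref_node;` is assigned before `spin_lock_bh(&file_data->lock)`, and in __io_sqe_files_update `percpu_ref_kill(&data->node->refs)` dereferences it before the lock, while `data->node = ref_node;` is set inside the locked region and io_sqe_files_unregister reads it under the lock. If `data->lock` is what guards `->node`, the assignment in io_sqe_files_register should move below the `spin_lock_bh()` line. If the callers are serialised some other way that is not visible here, a one-line comment at the unlocked accesses would make that explicit. Both functions continue outside their hunks.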