Patch "io_uring: don't drop completion lock before timer is fully initialized" has been added to the 5.4-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Thu, 01 Jun 2023 10:10:09 +0100

This is a note to let you know that I've just added the patch titled

    io_uring: don't drop completion lock before timer is fully initialized

to the 5.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     io_uring-don-t-drop-completion-lock-before-timer-is-fully-initialized.patch
and it can be found in the queue-5.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 66512e9596044057fe2cc173ac5c32e4fb8aed5c Mon Sep 17 00:00:00 2001
From: Jens Axboe <axboe@xxxxxxxxx>
Date: Tue, 23 May 2023 08:24:31 -0600
Subject: io_uring: don't drop completion lock before timer is fully initialized

From: Jens Axboe <axboe@xxxxxxxxx>

No upstream commit exists for this patch.

If we drop the lock right after adding it to the timeout list, then
someone attempting to kill timeouts will find it in an indeterminate
state. That means that cancelation could attempt to cancel and remove
a timeout, and then io_timeout() proceeds to init and add the timer
afterwards.

Ensure the timeout request is fully setup before we drop the
completion lock, which guards cancelation as well.

Reported-and-tested-by: Lee Jones <lee@xxxxxxxxxx>
Signed-off-by: Jens Axboe <axboe@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 fs/io_uring.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -2079,12 +2079,12 @@ static int io_timeout(struct io_kiocb *r
 	req->sequence -= span;
 add:
 	list_add(&req->list, entry);
-	spin_unlock_irq(&ctx->completion_lock);
 
 	hrtimer_init(&req->timeout.timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
 	req->timeout.timer.function = io_timeout_fn;
 	hrtimer_start(&req->timeout.timer, timespec64_to_ktime(ts),
 			HRTIMER_MODE_REL);
+	spin_unlock_irq(&ctx->completion_lock);
 	return 0;
 }
 


Patches currently in stable-queue which might be from axboe@xxxxxxxxx are

queue-5.4/io_uring-don-t-drop-completion-lock-before-timer-is-fully-initialized.patch
queue-5.4/io_uring-have-io_kill_timeout-honor-the-request-references.patch
queue-5.4/io_uring-always-grab-lock-in-io_cancel_async_work.patch






