Patch "io_uring: fix possible deadlock in io_register_iowq_max_workers()" has been added to the 6.9-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Mon, 22 Jul 2024 20:22:59 -0400

This is a note to let you know that I've just added the patch titled

    io_uring: fix possible deadlock in io_register_iowq_max_workers()

to the 6.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     io_uring-fix-possible-deadlock-in-io_register_iowq_m.patch
and it can be found in the queue-6.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit f5edadadcf48298c145d71e5d5bc57edeee2623d
Author: Hagar Hemdan <hagarhem@xxxxxxxxxx>
Date:   Tue Jun 4 13:05:27 2024 +0000

    io_uring: fix possible deadlock in io_register_iowq_max_workers()
    
    [ Upstream commit 73254a297c2dd094abec7c9efee32455ae875bdf ]
    
    The io_register_iowq_max_workers() function calls io_put_sq_data(),
    which acquires the sqd->lock without releasing the uring_lock.
    Similar to the commit 009ad9f0c6ee ("io_uring: drop ctx->uring_lock
    before acquiring sqd->lock"), this can lead to a potential deadlock
    situation.
    
    To resolve this issue, the uring_lock is released before calling
    io_put_sq_data(), and then it is re-acquired after the function call.
    
    This change ensures that the locks are acquired in the correct
    order, preventing the possibility of a deadlock.
    
    Suggested-by: Maximilian Heyne <mheyne@xxxxxxxxx>
    Signed-off-by: Hagar Hemdan <hagarhem@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20240604130527.3597-1-hagarhem@xxxxxxxxxx
    Signed-off-by: Jens Axboe <axboe@xxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/io_uring/register.c b/io_uring/register.c
index 99c37775f974c..1ae8491e35abb 100644
--- a/io_uring/register.c
+++ b/io_uring/register.c
@@ -355,8 +355,10 @@ static __cold int io_register_iowq_max_workers(struct io_ring_ctx *ctx,
 	}
 
 	if (sqd) {
+		mutex_unlock(&ctx->uring_lock);
 		mutex_unlock(&sqd->lock);
 		io_put_sq_data(sqd);
+		mutex_lock(&ctx->uring_lock);
 	}
 
 	if (copy_to_user(arg, new_count, sizeof(new_count)))
@@ -381,8 +383,10 @@ static __cold int io_register_iowq_max_workers(struct io_ring_ctx *ctx,
 	return 0;
 err:
 	if (sqd) {
+		mutex_unlock(&ctx->uring_lock);
 		mutex_unlock(&sqd->lock);
 		io_put_sq_data(sqd);
+		mutex_lock(&ctx->uring_lock);
 	}
 	return ret;
 }







