Jens Axboe <axboe@xxxxxxxxx> wrote: > On 6/26/22 6:04 PM, Jens Axboe wrote: >> On 6/26/22 4:56 PM, Greg Thelen wrote: >>> Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> wrote: >>> >>>> I'm announcing the release of the 5.10.125 kernel. >>>> >>>> All users of the 5.10 kernel series must upgrade. >>>> >>>> The updated 5.10.y git tree can be found at: >>>> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-5.10.y >>>> and can be browsed at the normal kernel.org git web browser: >>>> https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary >>>> >>>> thanks, >>>> >>>> greg k-h >>>> >>>> ------------ >>>> >>>> Makefile | 2 >>>> arch/arm64/mm/cache.S | 2 >>>> arch/s390/mm/pgtable.c | 2 >>>> drivers/tty/serial/serial_core.c | 34 ++++-------- >>>> drivers/usb/gadget/function/u_ether.c | 11 +++- >>>> fs/io_uring.c | 23 +++++--- >>>> fs/zonefs/super.c | 92 ++++++++++++++++++++++------------ >>>> net/ipv4/inet_hashtables.c | 31 ++++++++--- >>>> 8 files changed, 122 insertions(+), 75 deletions(-) >>>> >>>> Christian Borntraeger (1): >>>> s390/mm: use non-quiescing sske for KVM switch to keyed guest >>>> >>>> Damien Le Moal (1): >>>> zonefs: fix zonefs_iomap_begin() for reads >>>> >>>> Eric Dumazet (1): >>>> tcp: add some entropy in __inet_hash_connect() >>>> >>>> Greg Kroah-Hartman (1): >>>> Linux 5.10.125 >>>> >>>> Jens Axboe (1): >>>> io_uring: add missing item types for various requests >>>> >>>> Lukas Wunner (1): >>>> serial: core: Initialize rs485 RTS polarity already on probe >>>> >>>> Marian Postevca (1): >>>> usb: gadget: u_ether: fix regression in setting fixed MAC address >>>> >>>> Will Deacon (1): >>>> arm64: mm: Don't invalidate FROM_DEVICE buffers at start of DMA transfer >>>> >>>> Willy Tarreau (5): >>>> tcp: use different parts of the port_offset for index and offset >>>> tcp: add small random increments to the source port >>>> tcp: dynamically allocate the perturb table used by source ports >>>> tcp: increase source port perturb table to 2^16 >>>> tcp: drop the hash_32() part from the index calculation >>> >>> 5.10.125 commit df3f3bb5059d20ef094d6b2f0256c4bf4127a859 ("io_uring: add >>> missing item types for various requests") causes panic when running >>> test/iopoll.t from https://github.com/axboe/liburing commit >>> dda4848a9911120a903bef6284fb88286f4464c9 (liburing-2.2). >>> >>> Here's a manually annotated panic message: >>> [ 359.047161] list_del corruption, ffffa42098824f80->next is LIST_POISON1 (dead000000000100) >>> [ 359.055393] kernel BUG at lib/list_debug.c:47! >>> [ 359.059786] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC PTI >>> [ 359.065463] CPU: 11 PID: 15862 Comm: iopoll.t Tainted: G S I 5.10.124 #1 >>> [ 359.081804] RIP: 0010:__list_del_entry_valid+0x49/0x80 >>> [ 359.086880] Code: c2 22 48 39 d1 74 25 48 8b 11 48 39 f2 75 2d 48 8b 50 08 48 39 f2 75 34 b0 01 5d c3 48 c7 c7 68 15 79 b1 31 c0 e8 c5 a2 5a 00 <0f> 0b 48 c7 c7 d8 8e 76 b1 31 c0 e8 b5 a2 5a 00 0f 0b 48 c7 c7 69 >>> [ 359.105431] RSP: 0018:ffffb6b66785bd58 EFLAGS: 00010046 >>> [ 359.110592] RAX: 000000000000004e RBX: ffffa42098824f00 RCX: d07284ea1fbba400 >>> [ 359.117642] RDX: ffffa43f7f4f05b8 RSI: ffffa43f7f4dff48 RDI: ffffa43f7f4dff48 >>> [ 359.124691] RBP: ffffb6b66785bd58 R08: 0000000000000000 R09: ffffffffb1f38540 >>> [ 359.131740] R10: 00000000ffff7fff R11: 0000000000000000 R12: 0000000000000282 >>> [ 359.138789] R13: ffffb6b66785beb8 R14: ffffa42095d33e00 R15: ffffa420937e3d20 >>> [ 359.145836] FS: 00000000004f8380(0000) GS:ffffa43f7f4c0000(0000) knlGS:0000000000000000 >>> [ 359.153830] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 >>> [ 359.159506] CR2: 0000000000539388 CR3: 000000027b57c006 CR4: 00000000003706e0 >>> [ 359.166552] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 >>> [ 359.173600] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 >>> [ 359.180647] Call Trace: >>> [ 359.183064] io_dismantle_req+0x1da/0x2b0 >>> __list_del_entry [include/linux/list.h:132] >>> list_del [include/linux/list.h:146] >>> io_req_drop_files [fs/io_uring.c:5934] >>> io_req_clean_work [fs/io_uring.c:1315] >>> io_dismantle_req [fs/io_uring.c:1911] >>> [ 359.187023] io_do_iopoll+0x4e5/0x790 >>> [ 359.194602] __se_sys_io_uring_enter+0x39b/0x6f0 >>> [ 359.208318] __x64_sys_io_uring_enter+0x29/0x30 >>> [ 359.212793] do_syscall_64+0x31/0x40 >>> [ 359.216324] entry_SYSCALL_64_after_hwframe+0x44/0xa9 >> >> Well that sucks, I wonder why mine didn't fail like that. I'll see if I >> can hit this and send a fix. Thanks for reporting! > > Below should do it, I apologize for that. I think my test box booted the > previous kernel which is why it didn't hit it in my regression tests :-( > > Greg, can you add this to 5.10-stable? Verified it ran tests with the > right kernel now... > > > commit d2aaf8fdc544a3edf44820a07294d693dedd12e3 > Author: Jens Axboe <axboe@xxxxxxxxx> > Date: Sun Jun 26 18:16:17 2022 -0600 > > io_uring: use separate list entry for iopoll requests > > A previous commit ended up enabling file tracking for iopoll requests, > which conflicts with both of them using the same list entry for tracking. > Add a separate list entry just for iopoll requests, avoid this issue. > > No upstream commit exists for this issue. > > Reported-by: Greg Thelen <gthelen@xxxxxxxxxx> > Fixes: df3f3bb5059d ("io_uring: add missing item types for various requests") > Signed-off-by: Jens Axboe <axboe@xxxxxxxxx> Confirmed. This patch fixes the error I saw. Tested-by: Greg Thelen <gthelen@xxxxxxxxxx> > diff --git a/fs/io_uring.c b/fs/io_uring.c > index 40ac37beca47..2e12dcbc7b0f 100644 > --- a/fs/io_uring.c > +++ b/fs/io_uring.c > @@ -696,6 +696,8 @@ struct io_kiocb { > */ > struct list_head inflight_entry; > > + struct list_head iopoll_entry; > + > struct percpu_ref *fixed_file_refs; > struct callback_head task_work; > /* for polled requests, i.e. IORING_OP_POLL_ADD and async armed poll */ > @@ -2350,8 +2352,8 @@ static void io_iopoll_queue(struct list_head *again) > struct io_kiocb *req; > > do { > - req = list_first_entry(again, struct io_kiocb, inflight_entry); > - list_del(&req->inflight_entry); > + req = list_first_entry(again, struct io_kiocb, iopoll_entry); > + list_del(&req->iopoll_entry); > __io_complete_rw(req, -EAGAIN, 0, NULL); > } while (!list_empty(again)); > } > @@ -2373,14 +2375,14 @@ static void io_iopoll_complete(struct io_ring_ctx *ctx, unsigned int *nr_events, > while (!list_empty(done)) { > int cflags = 0; > > - req = list_first_entry(done, struct io_kiocb, inflight_entry); > + req = list_first_entry(done, struct io_kiocb, iopoll_entry); > if (READ_ONCE(req->result) == -EAGAIN) { > req->result = 0; > req->iopoll_completed = 0; > - list_move_tail(&req->inflight_entry, &again); > + list_move_tail(&req->iopoll_entry, &again); > continue; > } > - list_del(&req->inflight_entry); > + list_del(&req->iopoll_entry); > > if (req->flags & REQ_F_BUFFER_SELECTED) > cflags = io_put_rw_kbuf(req); > @@ -2416,7 +2418,7 @@ static int io_do_iopoll(struct io_ring_ctx *ctx, unsigned int *nr_events, > spin = !ctx->poll_multi_file && *nr_events < min; > > ret = 0; > - list_for_each_entry_safe(req, tmp, &ctx->iopoll_list, inflight_entry) { > + list_for_each_entry_safe(req, tmp, &ctx->iopoll_list, iopoll_entry) { > struct kiocb *kiocb = &req->rw.kiocb; > > /* > @@ -2425,7 +2427,7 @@ static int io_do_iopoll(struct io_ring_ctx *ctx, unsigned int *nr_events, > * and complete those lists first, if we have entries there. > */ > if (READ_ONCE(req->iopoll_completed)) { > - list_move_tail(&req->inflight_entry, &done); > + list_move_tail(&req->iopoll_entry, &done); > continue; > } > if (!list_empty(&done)) > @@ -2437,7 +2439,7 @@ static int io_do_iopoll(struct io_ring_ctx *ctx, unsigned int *nr_events, > > /* iopoll may have completed current req */ > if (READ_ONCE(req->iopoll_completed)) > - list_move_tail(&req->inflight_entry, &done); > + list_move_tail(&req->iopoll_entry, &done); > > if (ret && spin) > spin = false; > @@ -2670,7 +2672,7 @@ static void io_iopoll_req_issued(struct io_kiocb *req) > struct io_kiocb *list_req; > > list_req = list_first_entry(&ctx->iopoll_list, struct io_kiocb, > - inflight_entry); > + iopoll_entry); > if (list_req->file != req->file) > ctx->poll_multi_file = true; > } > @@ -2680,9 +2682,9 @@ static void io_iopoll_req_issued(struct io_kiocb *req) > * it to the front so we find it first. > */ > if (READ_ONCE(req->iopoll_completed)) > - list_add(&req->inflight_entry, &ctx->iopoll_list); > + list_add(&req->iopoll_entry, &ctx->iopoll_list); > else > - list_add_tail(&req->inflight_entry, &ctx->iopoll_list); > + list_add_tail(&req->iopoll_entry, &ctx->iopoll_list); > > if ((ctx->flags & IORING_SETUP_SQPOLL) && > wq_has_sleeper(&ctx->sq_data->wait))
