io_uring: fix possible deadlock between io_uring_{enter,register}

If we have multiple threads, one doing io_uring_enter() while the other is doing io_uring_register(), we can run into a deadlock between the two. io_uring_register() must wait for existing users of the io_uring instance to exit. But it does so while holding the io_uring mutex. Callers of io_uring_enter() may need this mutex to make progress (and eventually exit). If we wait for users to exit in io_uring_register(), we can't do so with the io_uring mutex held without potentially risking a deadlock. Drop the io_uring mutex while waiting for existing callers to exit. This is safe and guaranteed to make forward progress, since we already killed the percpu ref before doing so. Hence later callers of io_uring_enter() will be rejected. Reported-by: syzbot+16dc03452dee970a0c3e@syzkaller.appspotmail.com Signed-off-by: Jens Axboe <axboe@kernel.dk>
author: Jens Axboe <axboe@kernel.dk> 2019-04-15 12:49:38 -0400
committer: Jens Axboe <axboe@kernel.dk> 2019-04-15 12:49:38 -0400
commit: b19062a567266ee1f10f6709325f766bbcc07d1c (patch)
tree: a2b5175f8121ff6efc7e3a26eb075711263dfede
parent: 3d6770fbd9353988839611bab107e4e891506aad (diff)
1 files changed, 12 insertions, 0 deletions
diff --git a/fs/io_uring.c b/fs/io_uring.c
index f4ddb9d23241..b35300e4c9a7 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -2929,11 +2929,23 @@ SYSCALL_DEFINE2(io_uring_setup, u32, entries,
 static int __io_uring_register(struct io_ring_ctx *ctx, unsigned opcode,
                               void __user *arg, unsigned nr_args)
+        __releases(ctx->uring_lock)
+        __acquires(ctx->uring_lock)
 {
        int ret;
        percpu_ref_kill(&ctx->refs);
+        /*
+         * Drop uring mutex before waiting for references to exit. If another
+         * thread is currently inside io_uring_enter() it might need to grab
+         * the uring_lock to make progress. If we hold it here across the drain
+         * wait, then we can deadlock. It's safe to drop the mutex here, since
+         * no new references will come in after we've killed the percpu ref.
+         */
+        mutex_unlock(&ctx->uring_lock);
        wait_for_completion(&ctx->ctx_done);
+        mutex_lock(&ctx->uring_lock);
        switch (opcode) {
        case IORING_REGISTER_BUFFERS:
author	Jens Axboe <axboe@kernel.dk>	2019-04-15 12:49:38 -0400
committer	Jens Axboe <axboe@kernel.dk>	2019-04-15 12:49:38 -0400
commit	b19062a567266ee1f10f6709325f766bbcc07d1c (patch)
tree	a2b5175f8121ff6efc7e3a26eb075711263dfede
parent	3d6770fbd9353988839611bab107e4e891506aad (diff)

diff --git a/fs/io_uring.c b/fs/io_uring.c index f4ddb9d23241..b35300e4c9a7 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c
@@ -2929,11 +2929,23 @@ SYSCALL_DEFINE2(io_uring_setup, u32, entries,
2929		2929
2930	static int __io_uring_register(struct io_ring_ctx *ctx, unsigned opcode,	2930	static int __io_uring_register(struct io_ring_ctx *ctx, unsigned opcode,
2931	void __user *arg, unsigned nr_args)	2931	void __user *arg, unsigned nr_args)
		2932	__releases(ctx->uring_lock)
		2933	__acquires(ctx->uring_lock)
2932	{	2934	{
2933	int ret;	2935	int ret;
2934		2936
2935	percpu_ref_kill(&ctx->refs);	2937	percpu_ref_kill(&ctx->refs);
		2938
		2939	/*
		2940	* Drop uring mutex before waiting for references to exit. If another
		2941	* thread is currently inside io_uring_enter() it might need to grab
		2942	* the uring_lock to make progress. If we hold it here across the drain
		2943	* wait, then we can deadlock. It's safe to drop the mutex here, since
		2944	* no new references will come in after we've killed the percpu ref.
		2945	*/
		2946	mutex_unlock(&ctx->uring_lock);
2936	wait_for_completion(&ctx->ctx_done);	2947	wait_for_completion(&ctx->ctx_done);
		2948	mutex_lock(&ctx->uring_lock);
2937		2949
2938	switch (opcode) {	2950	switch (opcode) {
2939	case IORING_REGISTER_BUFFERS:	2951	case IORING_REGISTER_BUFFERS: