Commit e7637a4
io_uring: fix locking state for empty buffer group
io_provided_buffer_select() must drop the submit lock, if needed, even
in the error handling case. Failure to do so will leave us with the
ctx->uring_lock held, causing spew like:
====================================
WARNING: iou-wrk-366/368 still has locks held!
5.18.0-rc6-00294-gdf8dc7004331 #994 Not tainted
------------------------------------
1 lock held by iou-wrk-366/368:
#0: ffff0000c72598a8 (&ctx->uring_lock){+.+.}-{3:3}, at: io_ring_submit_lock+0x20/0x48
stack backtrace:
CPU: 4 PID: 368 Comm: iou-wrk-366 Not tainted 5.18.0-rc6-00294-gdf8dc7004331 #994
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace.part.0+0xa4/0xd4
show_stack+0x14/0x5c
dump_stack_lvl+0x88/0xb0
dump_stack+0x14/0x2c
debug_check_no_locks_held+0x84/0x90
try_to_freeze.isra.0+0x18/0x44
get_signal+0x94/0x6ec
io_wqe_worker+0x1d8/0x2b4
ret_from_fork+0x10/0x20
and triggering later hangs off get_signal() because we attempt to
re-grab the lock.
Reported-by: syzbot+987d7bb19195ae45208c@syzkaller.appspotmail.com
Fixes: 149c69b ("io_uring: abstract out provided buffer list selection")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
1 parent 4e86a2c commit e7637a4
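
The locking imbalance the commit message describes, as a user-space model added here; it is not the kernel code or the patch. `ring_ctx`, `buf_list`, `F_UNLOCKED`, the helper names and the `-ENOBUFS` return value are assumptions of the model, with a depth counter standing in for `ctx->uring_lock`.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define F_UNLOCKED 1u  /* models IO_URING_F_UNLOCKED; value is arbitrary here */
struct ring_ctx { int lock_depth; };  /* models ctx->uring_lock */
struct buf_list { unsigned long addrs[4]; size_t count; };
typedef long (*select_fn)(struct ring_ctx *, struct buf_list *, unsigned);

/* Lock helpers act only when the caller entered without the lock held. */
static void submit_lock(struct ring_ctx *c, unsigned f) { if (f & F_UNLOCKED) c->lock_depth++; }
static void submit_unlock(struct ring_ctx *c, unsigned f) { if (f & F_UNLOCKED) c->lock_depth--; }

/* Pre-fix shape: the early return for an empty group skips the unlock. */
static long select_buggy(struct ring_ctx *c, struct buf_list *bl, unsigned f)
{
	if (bl->count == 0)
		return -ENOBUFS;  /* lock is still held on this path */
	long addr = (long)bl->addrs[--bl->count];
	submit_unlock(c, f);
	return addr;
}

/* Post-fix shape: single exit, the unlock runs on success and on error. */
static long select_fixed(struct ring_ctx *c, struct buf_list *bl, unsigned f)
{
	long ret = -ENOBUFS;
	if (bl->count != 0)
		ret = (long)bl->addrs[--bl->count];
	submit_unlock(c, f);
	return ret;
}

/* Lock, select, then report how many locks are left held afterwards. */
static int locks_leaked(select_fn sel, struct buf_list *bl, unsigned f, long *ret)
{
	struct ring_ctx ctx = { 0 };
	submit_lock(&ctx, f);
	*ret = sel(&ctx, bl, f);
	return ctx.lock_depth;
}

int main(void)
{
	struct buf_list empty = { {0}, 0 };  /* constructed: empty buffer group */
	long r;
	printf("buggy: %d lock(s) still held\n", locks_leaked(select_buggy, &empty, F_UNLOCKED, &r));
	printf("fixed: %d lock(s) still held\n", locks_leaked(select_fixed, &empty, F_UNLOCKED, &r));
	return 0;
}
```

In the model, the leak appears only when the unlocked flag is set, since otherwise the helpers leave the lock with the caller that already held it.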
1 file changed, +14 -11 lines changed

| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
3467 | 3467 | | |
3468 | 3468 | | |
3469 | 3469 | | |
3470 | | - | |
| 3470 | + | |
3471 | 3471 | | |
3472 | | - | |
3473 | | - | |
| 3472 | + | |
| 3473 | + | |
| 3474 | + | |
| 3475 | + | |
| 3476 | + | |
| 3477 | + | |
| 3478 | + | |
| 3479 | + | |
| 3480 | + | |
| 3481 | + | |
| 3482 | + | |
| 3483 | + | |
3474 | 3484 | | |
3475 | | - | |
3476 | | - | |
3477 | | - | |
3478 | | - | |
3479 | | - | |
3480 | | - | |
3481 | | - | |
3482 | 3485 | | |
3483 | | - | |
| 3486 | + | |
3484 | 3487 | | |
3485 | 3488 | | |
3486 | 3489 | | |
| |||