Commit 6de3014d authored May 23, 2023 by Jens Axboe Committed by Greg Kroah-Hartman Jun 05, 2023

io_uring: don't drop completion lock before timer is fully initialized



No upstream commit exists for this patch.

If we drop the lock right after adding it to the timeout list, then
someone attempting to kill timeouts will find it in an indeterminate
state. That means that cancelation could attempt to cancel and remove
a timeout, and then io_timeout() proceeds to init and add the timer
afterwards.

Ensure the timeout request is fully setup before we drop the
completion lock, which guards cancelation as well.

Reported-and-tested-by: Lee Jones <lee@kernel.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent b0bfceaa

fs/io_uring.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -2079,12 +2079,12 @@ static int io_timeout(struct io_kiocb req, const struct io_uring_sqe sqe)
		req->sequence -= span;
		add:
		list_add(&req->list, entry);
		spin_unlock_irq(&ctx->completion_lock);

		hrtimer_init(&req->timeout.timer, CLOCK_MONOTONIC, HRTIMER_MODE_REL);
		req->timeout.timer.function = io_timeout_fn;
		hrtimer_start(&req->timeout.timer, timespec64_to_ktime(ts),
		HRTIMER_MODE_REL);
		spin_unlock_irq(&ctx->completion_lock);
		return 0;
		}