io_uring: fix io_prep_async_link locking

io_prep_async_link() may be called after arming a linked timeout, automatically making it unsafe to traverse the linked list. Guard with completion_lock if there was a linked timeout. Cc: stable@vger.kernel.org # 5.9+ Signed-off-by: Pavel Begunkov <asml.silence@gmail.com> Link: https://lore.kernel.org/r/93f7c617e2b4f012a2a175b3dab6bc2f27cebc48.1627304436.git.asml.silence@gmail.com Signed-off-by: Jens Axboe <axboe@kernel.dk>
author: Pavel Begunkov <asml.silence@gmail.com> 2021-07-26 14:14:31 +0100
committer: Jens Axboe <axboe@kernel.dk> 2021-07-26 08:58:04 -0600
commit: 44eff40a32e8f5228ae041006352e32638ad2368 (patch)
tree: 4cf9efc5d01517033f807345b27674e137fba238 /fs
parent: 991468dcf198bb87f24da330676724a704912b47 (diff)
download: linux-44eff40a32e8f5228ae041006352e32638ad2368.tar.bz2
1 files changed, 11 insertions, 2 deletions
diff --git a/fs/io_uring.c b/fs/io_uring.c
index 5a0fd6bcd318..c4d2b320cdd4 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -1279,8 +1279,17 @@ static void io_prep_async_link(struct io_kiocb *req)
 {
 	struct io_kiocb *cur;
 
-	io_for_each_link(cur, req)
-		io_prep_async_work(cur);
+	if (req->flags & REQ_F_LINK_TIMEOUT) {
+		struct io_ring_ctx *ctx = req->ctx;
+
+		spin_lock_irq(&ctx->completion_lock);
+		io_for_each_link(cur, req)
+			io_prep_async_work(cur);
+		spin_unlock_irq(&ctx->completion_lock);
+	} else {
+		io_for_each_link(cur, req)
+			io_prep_async_work(cur);
+	}
 }
 
 static void io_queue_async_work(struct io_kiocb *req)
author	Pavel Begunkov <asml.silence@gmail.com>	2021-07-26 14:14:31 +0100
committer	Jens Axboe <axboe@kernel.dk>	2021-07-26 08:58:04 -0600
commit	44eff40a32e8f5228ae041006352e32638ad2368 (patch)
tree	4cf9efc5d01517033f807345b27674e137fba238 /fs
parent	991468dcf198bb87f24da330676724a704912b47 (diff)
download	linux-44eff40a32e8f5228ae041006352e32638ad2368.tar.bz2