diff options
| author | Pavel Begunkov <asml.silence@gmail.com> | 2020-06-27 14:04:59 +0300 |
|---|---|---|
| committer | Jens Axboe <axboe@kernel.dk> | 2020-06-28 08:10:10 -0600 |
| commit | 8ef77766ba8694968ed4ba24311b4bacee14f235 (patch) | |
| tree | 32601f1488f1e53b64f11a80633d9caac39b6516 /fs/io_uring.c | |
| parent | 1e16c2f917a59d27fb6b540c44d66978c8ad29ef (diff) | |
| download | lwn-8ef77766ba8694968ed4ba24311b4bacee14f235.tar.gz lwn-8ef77766ba8694968ed4ba24311b4bacee14f235.zip | |
io_uring: fix req->work corruption
req->work and req->task_work are in a union, so io_req_task_queue() screws
everything that was in work. De-union them for now.
[ 704.367253] BUG: unable to handle page fault for address:
ffffffffaf7330d0
[ 704.367256] #PF: supervisor write access in kernel mode
[ 704.367256] #PF: error_code(0x0003) - permissions violation
[ 704.367261] CPU: 6 PID: 1654 Comm: io_wqe_worker-0 Tainted: G
I 5.8.0-rc2-00038-ge28d0bdc4863-dirty #498
[ 704.367265] RIP: 0010:_raw_spin_lock+0x1e/0x36
...
[ 704.367276] __alloc_fd+0x35/0x150
[ 704.367279] __get_unused_fd_flags+0x25/0x30
[ 704.367280] io_openat2+0xcb/0x1b0
[ 704.367283] io_issue_sqe+0x36a/0x1320
[ 704.367294] io_wq_submit_work+0x58/0x160
[ 704.367295] io_worker_handle_work+0x2a3/0x430
[ 704.367296] io_wqe_worker+0x2a0/0x350
[ 704.367301] kthread+0x136/0x180
[ 704.367304] ret_from_fork+0x22/0x30
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Diffstat (limited to 'fs/io_uring.c')
| -rw-r--r-- | fs/io_uring.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/io_uring.c b/fs/io_uring.c index 43ddda2a3d49..dcf3ffb5ecf3 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -668,12 +668,12 @@ struct io_kiocb { * restore the work, if needed. */ struct { - struct callback_head task_work; struct hlist_node hash_node; struct async_poll *apoll; }; struct io_wq_work work; }; + struct callback_head task_work; }; #define IO_IOPOLL_BATCH 8 |