io_uring: fix req->work corruption

req->work and req->task_work are in a union, so io_req_task_queue() screws
everything that was in work. De-union them for now.

[  704.367253] BUG: unable to handle page fault for address:
	ffffffffaf7330d0
[  704.367256] #PF: supervisor write access in kernel mode
[  704.367256] #PF: error_code(0x0003) - permissions violation
[  704.367261] CPU: 6 PID: 1654 Comm: io_wqe_worker-0 Tainted: G
I       5.8.0-rc2-00038-ge28d0bdc4863-dirty #498
[  704.367265] RIP: 0010:_raw_spin_lock+0x1e/0x36
...
[  704.367276]  __alloc_fd+0x35/0x150
[  704.367279]  __get_unused_fd_flags+0x25/0x30
[  704.367280]  io_openat2+0xcb/0x1b0
[  704.367283]  io_issue_sqe+0x36a/0x1320
[  704.367294]  io_wq_submit_work+0x58/0x160
[  704.367295]  io_worker_handle_work+0x2a3/0x430
[  704.367296]  io_wqe_worker+0x2a0/0x350
[  704.367301]  kthread+0x136/0x180
[  704.367304]  ret_from_fork+0x22/0x30

Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

This commit is contained in:

Pavel Begunkov

2020-06-27 14:04:59 +03:00

committed by

Jens Axboe

parent 1e16c2f917

commit 8ef77766ba

1 changed files with 1 additions and 1 deletions

									
										2

fs/io_uring.c
									
										View File
										
				@ -668,12 +668,12 @@ struct io_kiocb {

						 * restore the work, if needed.

						 */

						struct {

							struct callback_head	task_work;

							struct hlist_node	hash_node;

							struct async_poll	*apoll;

						};

						struct io_wq_work	work;

					};

					struct callback_head	task_work;

				};

				#define IO_IOPOLL_BATCH			8

io_uring: fix req->work corruption

2 fs/io_uring.c Unescape Escape View File

2

fs/io_uring.c

View File