2022-05-25 08:57:27 -06:00
|
|
|
// SPDX-License-Identifier: GPL-2.0
|
|
|
|
#include <linux/kernel.h>
|
|
|
|
#include <linux/errno.h>
|
|
|
|
#include <linux/file.h>
|
|
|
|
#include <linux/io_uring.h>
|
|
|
|
|
|
|
|
#include <trace/events/io_uring.h>
|
|
|
|
|
|
|
|
#include <uapi/linux/io_uring.h>
|
|
|
|
|
|
|
|
#include "io_uring.h"
|
|
|
|
#include "refs.h"
|
2022-05-25 20:36:47 -06:00
|
|
|
#include "cancel.h"
|
2022-05-25 08:57:27 -06:00
|
|
|
#include "timeout.h"
|
|
|
|
|
|
|
|
struct io_timeout {
|
|
|
|
struct file *file;
|
|
|
|
u32 off;
|
|
|
|
u32 target_seq;
|
2023-04-18 15:58:18 -07:00
|
|
|
u32 repeats;
|
2022-05-25 08:57:27 -06:00
|
|
|
struct list_head list;
|
|
|
|
/* head of the link, used by linked timeouts only */
|
|
|
|
struct io_kiocb *head;
|
|
|
|
/* for linked completions */
|
|
|
|
struct io_kiocb *prev;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct io_timeout_rem {
|
|
|
|
struct file *file;
|
|
|
|
u64 addr;
|
|
|
|
|
|
|
|
/* timeout update */
|
|
|
|
struct timespec64 ts;
|
|
|
|
u32 flags;
|
|
|
|
bool ltimeout;
|
|
|
|
};
|
|
|
|
|
|
|
|
static inline bool io_is_timeout_noseq(struct io_kiocb *req)
|
|
|
|
{
|
2022-08-11 09:11:15 +02:00
|
|
|
struct io_timeout *timeout = io_kiocb_to_cmd(req, struct io_timeout);
|
2023-04-18 15:58:18 -07:00
|
|
|
struct io_timeout_data *data = req->async_data;
|
2022-05-25 08:57:27 -06:00
|
|
|
|
2023-04-18 15:58:18 -07:00
|
|
|
return !timeout->off || data->flags & IORING_TIMEOUT_MULTISHOT;
|
2022-05-25 08:57:27 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
static inline void io_put_req(struct io_kiocb *req)
|
|
|
|
{
|
|
|
|
if (req_ref_put_and_test(req)) {
|
|
|
|
io_queue_next(req);
|
|
|
|
io_free_req(req);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-04-18 15:58:18 -07:00
|
|
|
static inline bool io_timeout_finish(struct io_timeout *timeout,
|
|
|
|
struct io_timeout_data *data)
|
|
|
|
{
|
|
|
|
if (!(data->flags & IORING_TIMEOUT_MULTISHOT))
|
|
|
|
return true;
|
|
|
|
|
|
|
|
if (!timeout->off || (timeout->repeats && --timeout->repeats))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
static enum hrtimer_restart io_timeout_fn(struct hrtimer *timer);
|
|
|
|
|
|
|
|
static void io_timeout_complete(struct io_kiocb *req, struct io_tw_state *ts)
|
|
|
|
{
|
|
|
|
struct io_timeout *timeout = io_kiocb_to_cmd(req, struct io_timeout);
|
|
|
|
struct io_timeout_data *data = req->async_data;
|
|
|
|
struct io_ring_ctx *ctx = req->ctx;
|
|
|
|
|
|
|
|
if (!io_timeout_finish(timeout, data)) {
|
2024-03-18 22:00:31 +00:00
|
|
|
if (io_req_post_cqe(req, -ETIME, IORING_CQE_F_MORE)) {
|
2023-04-18 15:58:18 -07:00
|
|
|
/* re-arm timer */
|
2024-12-17 08:21:46 -07:00
|
|
|
raw_spin_lock_irq(&ctx->timeout_lock);
|
2023-04-18 15:58:18 -07:00
|
|
|
list_add(&timeout->list, ctx->timeout_list.prev);
|
|
|
|
hrtimer_start(&data->timer, timespec64_to_ktime(data->ts), data->mode);
|
2024-12-17 08:21:46 -07:00
|
|
|
raw_spin_unlock_irq(&ctx->timeout_lock);
|
2023-04-18 15:58:18 -07:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
io_req_task_complete(req, ts);
|
|
|
|
}
|
|
|
|
|
io_uring/timeout: flush timeouts outside of the timeout lock
syzbot reports that a recent fix causes nesting issues between the (now)
raw timeoutlock and the eventfd locking:
=============================
[ BUG: Invalid wait context ]
6.13.0-rc4-00080-g9828a4c0901f #29 Not tainted
-----------------------------
kworker/u32:0/68094 is trying to lock:
ffff000014d7a520 (&ctx->wqh#2){..-.}-{3:3}, at: eventfd_signal_mask+0x64/0x180
other info that might help us debug this:
context-{5:5}
6 locks held by kworker/u32:0/68094:
#0: ffff0000c1d98148 ((wq_completion)iou_exit){+.+.}-{0:0}, at: process_one_work+0x4e8/0xfc0
#1: ffff80008d927c78 ((work_completion)(&ctx->exit_work)){+.+.}-{0:0}, at: process_one_work+0x53c/0xfc0
#2: ffff0000c59bc3d8 (&ctx->completion_lock){+.+.}-{3:3}, at: io_kill_timeouts+0x40/0x180
#3: ffff0000c59bc358 (&ctx->timeout_lock){-.-.}-{2:2}, at: io_kill_timeouts+0x48/0x180
#4: ffff800085127aa0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire+0x8/0x38
#5: ffff800085127aa0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire+0x8/0x38
stack backtrace:
CPU: 7 UID: 0 PID: 68094 Comm: kworker/u32:0 Not tainted 6.13.0-rc4-00080-g9828a4c0901f #29
Hardware name: linux,dummy-virt (DT)
Workqueue: iou_exit io_ring_exit_work
Call trace:
show_stack+0x1c/0x30 (C)
__dump_stack+0x24/0x30
dump_stack_lvl+0x60/0x80
dump_stack+0x14/0x20
__lock_acquire+0x19f8/0x60c8
lock_acquire+0x1a4/0x540
_raw_spin_lock_irqsave+0x90/0xd0
eventfd_signal_mask+0x64/0x180
io_eventfd_signal+0x64/0x108
io_req_local_work_add+0x294/0x430
__io_req_task_work_add+0x1c0/0x270
io_kill_timeout+0x1f0/0x288
io_kill_timeouts+0xd4/0x180
io_uring_try_cancel_requests+0x2e8/0x388
io_ring_exit_work+0x150/0x550
process_one_work+0x5e8/0xfc0
worker_thread+0x7ec/0xc80
kthread+0x24c/0x300
ret_from_fork+0x10/0x20
because after the preempt-rt fix for the timeout lock nesting inside
the io-wq lock, we now have the eventfd spinlock nesting inside the
raw timeout spinlock.
Rather than play whack-a-mole with other nesting on the timeout lock,
split the deletion and killing of timeouts so queueing the task_work
for the timeout cancelations can get done outside of the timeout lock.
Reported-by: syzbot+b1fc199a40b65d601b65@syzkaller.appspotmail.com
Fixes: 020b40f35624 ("io_uring: make ctx->timeout_lock a raw spinlock")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2024-12-30 14:15:17 -07:00
|
|
|
static __cold bool io_flush_killed_timeouts(struct list_head *list, int err)
|
|
|
|
{
|
|
|
|
if (list_empty(list))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
while (!list_empty(list)) {
|
|
|
|
struct io_timeout *timeout;
|
|
|
|
struct io_kiocb *req;
|
|
|
|
|
|
|
|
timeout = list_first_entry(list, struct io_timeout, list);
|
|
|
|
list_del_init(&timeout->list);
|
|
|
|
req = cmd_to_io_kiocb(timeout);
|
|
|
|
if (err)
|
|
|
|
req_set_fail(req);
|
|
|
|
io_req_queue_tw_complete(req, err);
|
|
|
|
}
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void io_kill_timeout(struct io_kiocb *req, struct list_head *list)
|
2022-05-25 08:57:27 -06:00
|
|
|
__must_hold(&req->ctx->timeout_lock)
|
|
|
|
{
|
|
|
|
struct io_timeout_data *io = req->async_data;
|
|
|
|
|
|
|
|
if (hrtimer_try_to_cancel(&io->timer) != -1) {
|
2022-08-11 09:11:15 +02:00
|
|
|
struct io_timeout *timeout = io_kiocb_to_cmd(req, struct io_timeout);
|
2022-05-25 08:57:27 -06:00
|
|
|
|
|
|
|
atomic_set(&req->ctx->cq_timeouts,
|
|
|
|
atomic_read(&req->ctx->cq_timeouts) + 1);
|
io_uring/timeout: flush timeouts outside of the timeout lock
syzbot reports that a recent fix causes nesting issues between the (now)
raw timeoutlock and the eventfd locking:
=============================
[ BUG: Invalid wait context ]
6.13.0-rc4-00080-g9828a4c0901f #29 Not tainted
-----------------------------
kworker/u32:0/68094 is trying to lock:
ffff000014d7a520 (&ctx->wqh#2){..-.}-{3:3}, at: eventfd_signal_mask+0x64/0x180
other info that might help us debug this:
context-{5:5}
6 locks held by kworker/u32:0/68094:
#0: ffff0000c1d98148 ((wq_completion)iou_exit){+.+.}-{0:0}, at: process_one_work+0x4e8/0xfc0
#1: ffff80008d927c78 ((work_completion)(&ctx->exit_work)){+.+.}-{0:0}, at: process_one_work+0x53c/0xfc0
#2: ffff0000c59bc3d8 (&ctx->completion_lock){+.+.}-{3:3}, at: io_kill_timeouts+0x40/0x180
#3: ffff0000c59bc358 (&ctx->timeout_lock){-.-.}-{2:2}, at: io_kill_timeouts+0x48/0x180
#4: ffff800085127aa0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire+0x8/0x38
#5: ffff800085127aa0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire+0x8/0x38
stack backtrace:
CPU: 7 UID: 0 PID: 68094 Comm: kworker/u32:0 Not tainted 6.13.0-rc4-00080-g9828a4c0901f #29
Hardware name: linux,dummy-virt (DT)
Workqueue: iou_exit io_ring_exit_work
Call trace:
show_stack+0x1c/0x30 (C)
__dump_stack+0x24/0x30
dump_stack_lvl+0x60/0x80
dump_stack+0x14/0x20
__lock_acquire+0x19f8/0x60c8
lock_acquire+0x1a4/0x540
_raw_spin_lock_irqsave+0x90/0xd0
eventfd_signal_mask+0x64/0x180
io_eventfd_signal+0x64/0x108
io_req_local_work_add+0x294/0x430
__io_req_task_work_add+0x1c0/0x270
io_kill_timeout+0x1f0/0x288
io_kill_timeouts+0xd4/0x180
io_uring_try_cancel_requests+0x2e8/0x388
io_ring_exit_work+0x150/0x550
process_one_work+0x5e8/0xfc0
worker_thread+0x7ec/0xc80
kthread+0x24c/0x300
ret_from_fork+0x10/0x20
because after the preempt-rt fix for the timeout lock nesting inside
the io-wq lock, we now have the eventfd spinlock nesting inside the
raw timeout spinlock.
Rather than play whack-a-mole with other nesting on the timeout lock,
split the deletion and killing of timeouts so queueing the task_work
for the timeout cancelations can get done outside of the timeout lock.
Reported-by: syzbot+b1fc199a40b65d601b65@syzkaller.appspotmail.com
Fixes: 020b40f35624 ("io_uring: make ctx->timeout_lock a raw spinlock")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2024-12-30 14:15:17 -07:00
|
|
|
list_move_tail(&timeout->list, list);
|
2022-05-25 08:57:27 -06:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
__cold void io_flush_timeouts(struct io_ring_ctx *ctx)
|
|
|
|
{
|
|
|
|
struct io_timeout *timeout, *tmp;
|
io_uring/timeout: flush timeouts outside of the timeout lock
syzbot reports that a recent fix causes nesting issues between the (now)
raw timeoutlock and the eventfd locking:
=============================
[ BUG: Invalid wait context ]
6.13.0-rc4-00080-g9828a4c0901f #29 Not tainted
-----------------------------
kworker/u32:0/68094 is trying to lock:
ffff000014d7a520 (&ctx->wqh#2){..-.}-{3:3}, at: eventfd_signal_mask+0x64/0x180
other info that might help us debug this:
context-{5:5}
6 locks held by kworker/u32:0/68094:
#0: ffff0000c1d98148 ((wq_completion)iou_exit){+.+.}-{0:0}, at: process_one_work+0x4e8/0xfc0
#1: ffff80008d927c78 ((work_completion)(&ctx->exit_work)){+.+.}-{0:0}, at: process_one_work+0x53c/0xfc0
#2: ffff0000c59bc3d8 (&ctx->completion_lock){+.+.}-{3:3}, at: io_kill_timeouts+0x40/0x180
#3: ffff0000c59bc358 (&ctx->timeout_lock){-.-.}-{2:2}, at: io_kill_timeouts+0x48/0x180
#4: ffff800085127aa0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire+0x8/0x38
#5: ffff800085127aa0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire+0x8/0x38
stack backtrace:
CPU: 7 UID: 0 PID: 68094 Comm: kworker/u32:0 Not tainted 6.13.0-rc4-00080-g9828a4c0901f #29
Hardware name: linux,dummy-virt (DT)
Workqueue: iou_exit io_ring_exit_work
Call trace:
show_stack+0x1c/0x30 (C)
__dump_stack+0x24/0x30
dump_stack_lvl+0x60/0x80
dump_stack+0x14/0x20
__lock_acquire+0x19f8/0x60c8
lock_acquire+0x1a4/0x540
_raw_spin_lock_irqsave+0x90/0xd0
eventfd_signal_mask+0x64/0x180
io_eventfd_signal+0x64/0x108
io_req_local_work_add+0x294/0x430
__io_req_task_work_add+0x1c0/0x270
io_kill_timeout+0x1f0/0x288
io_kill_timeouts+0xd4/0x180
io_uring_try_cancel_requests+0x2e8/0x388
io_ring_exit_work+0x150/0x550
process_one_work+0x5e8/0xfc0
worker_thread+0x7ec/0xc80
kthread+0x24c/0x300
ret_from_fork+0x10/0x20
because after the preempt-rt fix for the timeout lock nesting inside
the io-wq lock, we now have the eventfd spinlock nesting inside the
raw timeout spinlock.
Rather than play whack-a-mole with other nesting on the timeout lock,
split the deletion and killing of timeouts so queueing the task_work
for the timeout cancelations can get done outside of the timeout lock.
Reported-by: syzbot+b1fc199a40b65d601b65@syzkaller.appspotmail.com
Fixes: 020b40f35624 ("io_uring: make ctx->timeout_lock a raw spinlock")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2024-12-30 14:15:17 -07:00
|
|
|
LIST_HEAD(list);
|
|
|
|
u32 seq;
|
2022-05-25 08:57:27 -06:00
|
|
|
|
2024-12-17 08:21:46 -07:00
|
|
|
raw_spin_lock_irq(&ctx->timeout_lock);
|
2022-12-02 17:47:22 +00:00
|
|
|
seq = ctx->cached_cq_tail - atomic_read(&ctx->cq_timeouts);
|
|
|
|
|
2022-05-25 08:57:27 -06:00
|
|
|
list_for_each_entry_safe(timeout, tmp, &ctx->timeout_list, list) {
|
|
|
|
struct io_kiocb *req = cmd_to_io_kiocb(timeout);
|
|
|
|
u32 events_needed, events_got;
|
|
|
|
|
|
|
|
if (io_is_timeout_noseq(req))
|
|
|
|
break;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Since seq can easily wrap around over time, subtract
|
|
|
|
* the last seq at which timeouts were flushed before comparing.
|
|
|
|
* Assuming not more than 2^31-1 events have happened since,
|
|
|
|
* these subtractions won't have wrapped, so we can check if
|
|
|
|
* target is in [last_seq, current_seq] by comparing the two.
|
|
|
|
*/
|
|
|
|
events_needed = timeout->target_seq - ctx->cq_last_tm_flush;
|
|
|
|
events_got = seq - ctx->cq_last_tm_flush;
|
|
|
|
if (events_got < events_needed)
|
|
|
|
break;
|
|
|
|
|
io_uring/timeout: flush timeouts outside of the timeout lock
syzbot reports that a recent fix causes nesting issues between the (now)
raw timeoutlock and the eventfd locking:
=============================
[ BUG: Invalid wait context ]
6.13.0-rc4-00080-g9828a4c0901f #29 Not tainted
-----------------------------
kworker/u32:0/68094 is trying to lock:
ffff000014d7a520 (&ctx->wqh#2){..-.}-{3:3}, at: eventfd_signal_mask+0x64/0x180
other info that might help us debug this:
context-{5:5}
6 locks held by kworker/u32:0/68094:
#0: ffff0000c1d98148 ((wq_completion)iou_exit){+.+.}-{0:0}, at: process_one_work+0x4e8/0xfc0
#1: ffff80008d927c78 ((work_completion)(&ctx->exit_work)){+.+.}-{0:0}, at: process_one_work+0x53c/0xfc0
#2: ffff0000c59bc3d8 (&ctx->completion_lock){+.+.}-{3:3}, at: io_kill_timeouts+0x40/0x180
#3: ffff0000c59bc358 (&ctx->timeout_lock){-.-.}-{2:2}, at: io_kill_timeouts+0x48/0x180
#4: ffff800085127aa0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire+0x8/0x38
#5: ffff800085127aa0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire+0x8/0x38
stack backtrace:
CPU: 7 UID: 0 PID: 68094 Comm: kworker/u32:0 Not tainted 6.13.0-rc4-00080-g9828a4c0901f #29
Hardware name: linux,dummy-virt (DT)
Workqueue: iou_exit io_ring_exit_work
Call trace:
show_stack+0x1c/0x30 (C)
__dump_stack+0x24/0x30
dump_stack_lvl+0x60/0x80
dump_stack+0x14/0x20
__lock_acquire+0x19f8/0x60c8
lock_acquire+0x1a4/0x540
_raw_spin_lock_irqsave+0x90/0xd0
eventfd_signal_mask+0x64/0x180
io_eventfd_signal+0x64/0x108
io_req_local_work_add+0x294/0x430
__io_req_task_work_add+0x1c0/0x270
io_kill_timeout+0x1f0/0x288
io_kill_timeouts+0xd4/0x180
io_uring_try_cancel_requests+0x2e8/0x388
io_ring_exit_work+0x150/0x550
process_one_work+0x5e8/0xfc0
worker_thread+0x7ec/0xc80
kthread+0x24c/0x300
ret_from_fork+0x10/0x20
because after the preempt-rt fix for the timeout lock nesting inside
the io-wq lock, we now have the eventfd spinlock nesting inside the
raw timeout spinlock.
Rather than play whack-a-mole with other nesting on the timeout lock,
split the deletion and killing of timeouts so queueing the task_work
for the timeout cancelations can get done outside of the timeout lock.
Reported-by: syzbot+b1fc199a40b65d601b65@syzkaller.appspotmail.com
Fixes: 020b40f35624 ("io_uring: make ctx->timeout_lock a raw spinlock")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2024-12-30 14:15:17 -07:00
|
|
|
io_kill_timeout(req, &list);
|
2022-05-25 08:57:27 -06:00
|
|
|
}
|
|
|
|
ctx->cq_last_tm_flush = seq;
|
2024-12-17 08:21:46 -07:00
|
|
|
raw_spin_unlock_irq(&ctx->timeout_lock);
|
io_uring/timeout: flush timeouts outside of the timeout lock
syzbot reports that a recent fix causes nesting issues between the (now)
raw timeoutlock and the eventfd locking:
=============================
[ BUG: Invalid wait context ]
6.13.0-rc4-00080-g9828a4c0901f #29 Not tainted
-----------------------------
kworker/u32:0/68094 is trying to lock:
ffff000014d7a520 (&ctx->wqh#2){..-.}-{3:3}, at: eventfd_signal_mask+0x64/0x180
other info that might help us debug this:
context-{5:5}
6 locks held by kworker/u32:0/68094:
#0: ffff0000c1d98148 ((wq_completion)iou_exit){+.+.}-{0:0}, at: process_one_work+0x4e8/0xfc0
#1: ffff80008d927c78 ((work_completion)(&ctx->exit_work)){+.+.}-{0:0}, at: process_one_work+0x53c/0xfc0
#2: ffff0000c59bc3d8 (&ctx->completion_lock){+.+.}-{3:3}, at: io_kill_timeouts+0x40/0x180
#3: ffff0000c59bc358 (&ctx->timeout_lock){-.-.}-{2:2}, at: io_kill_timeouts+0x48/0x180
#4: ffff800085127aa0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire+0x8/0x38
#5: ffff800085127aa0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire+0x8/0x38
stack backtrace:
CPU: 7 UID: 0 PID: 68094 Comm: kworker/u32:0 Not tainted 6.13.0-rc4-00080-g9828a4c0901f #29
Hardware name: linux,dummy-virt (DT)
Workqueue: iou_exit io_ring_exit_work
Call trace:
show_stack+0x1c/0x30 (C)
__dump_stack+0x24/0x30
dump_stack_lvl+0x60/0x80
dump_stack+0x14/0x20
__lock_acquire+0x19f8/0x60c8
lock_acquire+0x1a4/0x540
_raw_spin_lock_irqsave+0x90/0xd0
eventfd_signal_mask+0x64/0x180
io_eventfd_signal+0x64/0x108
io_req_local_work_add+0x294/0x430
__io_req_task_work_add+0x1c0/0x270
io_kill_timeout+0x1f0/0x288
io_kill_timeouts+0xd4/0x180
io_uring_try_cancel_requests+0x2e8/0x388
io_ring_exit_work+0x150/0x550
process_one_work+0x5e8/0xfc0
worker_thread+0x7ec/0xc80
kthread+0x24c/0x300
ret_from_fork+0x10/0x20
because after the preempt-rt fix for the timeout lock nesting inside
the io-wq lock, we now have the eventfd spinlock nesting inside the
raw timeout spinlock.
Rather than play whack-a-mole with other nesting on the timeout lock,
split the deletion and killing of timeouts so queueing the task_work
for the timeout cancelations can get done outside of the timeout lock.
Reported-by: syzbot+b1fc199a40b65d601b65@syzkaller.appspotmail.com
Fixes: 020b40f35624 ("io_uring: make ctx->timeout_lock a raw spinlock")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2024-12-30 14:15:17 -07:00
|
|
|
io_flush_killed_timeouts(&list, 0);
|
2022-05-25 08:57:27 -06:00
|
|
|
}
|
|
|
|
|
2023-03-27 16:38:15 +01:00
|
|
|
static void io_req_tw_fail_links(struct io_kiocb *link, struct io_tw_state *ts)
|
2022-05-25 08:57:27 -06:00
|
|
|
{
|
2023-03-27 16:38:15 +01:00
|
|
|
io_tw_lock(link->ctx, ts);
|
2022-05-25 08:57:27 -06:00
|
|
|
while (link) {
|
2022-06-25 11:52:58 +01:00
|
|
|
struct io_kiocb *nxt = link->link;
|
2022-05-25 08:57:27 -06:00
|
|
|
long res = -ECANCELED;
|
|
|
|
|
|
|
|
if (link->flags & REQ_F_FAIL)
|
|
|
|
res = link->cqe.res;
|
|
|
|
link->link = NULL;
|
2022-06-25 11:52:58 +01:00
|
|
|
io_req_set_res(link, res, 0);
|
2023-03-27 16:38:15 +01:00
|
|
|
io_req_task_complete(link, ts);
|
2022-06-25 11:52:58 +01:00
|
|
|
link = nxt;
|
|
|
|
}
|
|
|
|
}
|
2022-05-25 08:57:27 -06:00
|
|
|
|
2022-06-25 11:52:58 +01:00
|
|
|
static void io_fail_links(struct io_kiocb *req)
|
|
|
|
__must_hold(&req->ctx->completion_lock)
|
|
|
|
{
|
|
|
|
struct io_kiocb *link = req->link;
|
|
|
|
bool ignore_cqes = req->flags & REQ_F_SKIP_LINK_CQES;
|
|
|
|
|
|
|
|
if (!link)
|
|
|
|
return;
|
2022-05-25 08:57:27 -06:00
|
|
|
|
2022-06-25 11:52:58 +01:00
|
|
|
while (link) {
|
2022-05-25 08:57:27 -06:00
|
|
|
if (ignore_cqes)
|
|
|
|
link->flags |= REQ_F_CQE_SKIP;
|
|
|
|
else
|
|
|
|
link->flags &= ~REQ_F_CQE_SKIP;
|
2022-06-25 11:52:58 +01:00
|
|
|
trace_io_uring_fail_link(req, link);
|
|
|
|
link = link->link;
|
2022-05-25 08:57:27 -06:00
|
|
|
}
|
2022-06-25 11:52:58 +01:00
|
|
|
|
|
|
|
link = req->link;
|
|
|
|
link->io_task_work.func = io_req_tw_fail_links;
|
|
|
|
io_req_task_work_add(link);
|
|
|
|
req->link = NULL;
|
2022-05-25 08:57:27 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
static inline void io_remove_next_linked(struct io_kiocb *req)
|
|
|
|
{
|
|
|
|
struct io_kiocb *nxt = req->link;
|
|
|
|
|
|
|
|
req->link = nxt->link;
|
|
|
|
nxt->link = NULL;
|
|
|
|
}
|
|
|
|
|
2022-09-08 16:56:57 +01:00
|
|
|
void io_disarm_next(struct io_kiocb *req)
|
2022-05-25 08:57:27 -06:00
|
|
|
__must_hold(&req->ctx->completion_lock)
|
|
|
|
{
|
|
|
|
struct io_kiocb *link = NULL;
|
|
|
|
|
|
|
|
if (req->flags & REQ_F_ARM_LTIMEOUT) {
|
|
|
|
link = req->link;
|
|
|
|
req->flags &= ~REQ_F_ARM_LTIMEOUT;
|
|
|
|
if (link && link->opcode == IORING_OP_LINK_TIMEOUT) {
|
|
|
|
io_remove_next_linked(req);
|
2022-11-23 11:33:39 +00:00
|
|
|
io_req_queue_tw_complete(link, -ECANCELED);
|
2022-05-25 08:57:27 -06:00
|
|
|
}
|
|
|
|
} else if (req->flags & REQ_F_LINK_TIMEOUT) {
|
|
|
|
struct io_ring_ctx *ctx = req->ctx;
|
|
|
|
|
2024-12-17 08:21:46 -07:00
|
|
|
raw_spin_lock_irq(&ctx->timeout_lock);
|
2022-05-25 08:57:27 -06:00
|
|
|
link = io_disarm_linked_timeout(req);
|
2024-12-17 08:21:46 -07:00
|
|
|
raw_spin_unlock_irq(&ctx->timeout_lock);
|
2022-09-08 16:56:57 +01:00
|
|
|
if (link)
|
2022-11-23 11:33:39 +00:00
|
|
|
io_req_queue_tw_complete(link, -ECANCELED);
|
2022-05-25 08:57:27 -06:00
|
|
|
}
|
|
|
|
if (unlikely((req->flags & REQ_F_FAIL) &&
|
2022-09-08 16:56:57 +01:00
|
|
|
!(req->flags & REQ_F_HARDLINK)))
|
2022-05-25 08:57:27 -06:00
|
|
|
io_fail_links(req);
|
|
|
|
}
|
|
|
|
|
|
|
|
struct io_kiocb *__io_disarm_linked_timeout(struct io_kiocb *req,
|
|
|
|
struct io_kiocb *link)
|
|
|
|
__must_hold(&req->ctx->completion_lock)
|
|
|
|
__must_hold(&req->ctx->timeout_lock)
|
|
|
|
{
|
|
|
|
struct io_timeout_data *io = link->async_data;
|
2022-08-11 09:11:15 +02:00
|
|
|
struct io_timeout *timeout = io_kiocb_to_cmd(link, struct io_timeout);
|
2022-05-25 08:57:27 -06:00
|
|
|
|
|
|
|
io_remove_next_linked(req);
|
|
|
|
timeout->head = NULL;
|
|
|
|
if (hrtimer_try_to_cancel(&io->timer) != -1) {
|
|
|
|
list_del(&timeout->list);
|
|
|
|
return link;
|
|
|
|
}
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
static enum hrtimer_restart io_timeout_fn(struct hrtimer *timer)
|
|
|
|
{
|
|
|
|
struct io_timeout_data *data = container_of(timer,
|
|
|
|
struct io_timeout_data, timer);
|
|
|
|
struct io_kiocb *req = data->req;
|
2022-08-11 09:11:15 +02:00
|
|
|
struct io_timeout *timeout = io_kiocb_to_cmd(req, struct io_timeout);
|
2022-05-25 08:57:27 -06:00
|
|
|
struct io_ring_ctx *ctx = req->ctx;
|
|
|
|
unsigned long flags;
|
|
|
|
|
2024-12-17 08:21:46 -07:00
|
|
|
raw_spin_lock_irqsave(&ctx->timeout_lock, flags);
|
2022-05-25 08:57:27 -06:00
|
|
|
list_del_init(&timeout->list);
|
|
|
|
atomic_set(&req->ctx->cq_timeouts,
|
|
|
|
atomic_read(&req->ctx->cq_timeouts) + 1);
|
2024-12-17 08:21:46 -07:00
|
|
|
raw_spin_unlock_irqrestore(&ctx->timeout_lock, flags);
|
2022-05-25 08:57:27 -06:00
|
|
|
|
|
|
|
if (!(data->flags & IORING_TIMEOUT_ETIME_SUCCESS))
|
|
|
|
req_set_fail(req);
|
|
|
|
|
|
|
|
io_req_set_res(req, -ETIME, 0);
|
2023-04-18 15:58:18 -07:00
|
|
|
req->io_task_work.func = io_timeout_complete;
|
2022-05-25 08:57:27 -06:00
|
|
|
io_req_task_work_add(req);
|
|
|
|
return HRTIMER_NORESTART;
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct io_kiocb *io_timeout_extract(struct io_ring_ctx *ctx,
|
|
|
|
struct io_cancel_data *cd)
|
|
|
|
__must_hold(&ctx->timeout_lock)
|
|
|
|
{
|
|
|
|
struct io_timeout *timeout;
|
|
|
|
struct io_timeout_data *io;
|
|
|
|
struct io_kiocb *req = NULL;
|
|
|
|
|
|
|
|
list_for_each_entry(timeout, &ctx->timeout_list, list) {
|
|
|
|
struct io_kiocb *tmp = cmd_to_io_kiocb(timeout);
|
|
|
|
|
2023-06-23 09:04:35 -06:00
|
|
|
if (io_cancel_req_match(tmp, cd)) {
|
|
|
|
req = tmp;
|
|
|
|
break;
|
2022-05-25 08:57:27 -06:00
|
|
|
}
|
|
|
|
}
|
|
|
|
if (!req)
|
|
|
|
return ERR_PTR(-ENOENT);
|
|
|
|
|
|
|
|
io = req->async_data;
|
|
|
|
if (hrtimer_try_to_cancel(&io->timer) == -1)
|
|
|
|
return ERR_PTR(-EALREADY);
|
2022-08-11 09:11:15 +02:00
|
|
|
timeout = io_kiocb_to_cmd(req, struct io_timeout);
|
2022-05-25 08:57:27 -06:00
|
|
|
list_del_init(&timeout->list);
|
|
|
|
return req;
|
|
|
|
}
|
|
|
|
|
|
|
|
int io_timeout_cancel(struct io_ring_ctx *ctx, struct io_cancel_data *cd)
|
|
|
|
__must_hold(&ctx->completion_lock)
|
|
|
|
{
|
|
|
|
struct io_kiocb *req;
|
|
|
|
|
2024-12-17 08:21:46 -07:00
|
|
|
raw_spin_lock_irq(&ctx->timeout_lock);
|
2022-05-25 08:57:27 -06:00
|
|
|
req = io_timeout_extract(ctx, cd);
|
2024-12-17 08:21:46 -07:00
|
|
|
raw_spin_unlock_irq(&ctx->timeout_lock);
|
2022-05-25 08:57:27 -06:00
|
|
|
|
|
|
|
if (IS_ERR(req))
|
|
|
|
return PTR_ERR(req);
|
|
|
|
io_req_task_queue_fail(req, -ECANCELED);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2023-03-27 16:38:15 +01:00
|
|
|
static void io_req_task_link_timeout(struct io_kiocb *req, struct io_tw_state *ts)
|
2022-05-25 08:57:27 -06:00
|
|
|
{
|
2022-08-11 09:11:15 +02:00
|
|
|
struct io_timeout *timeout = io_kiocb_to_cmd(req, struct io_timeout);
|
2022-05-25 08:57:27 -06:00
|
|
|
struct io_kiocb *prev = timeout->prev;
|
io_uring: move struct io_kiocb from task_struct to io_uring_task
Rather than store the task_struct itself in struct io_kiocb, store
the io_uring specific task_struct. The life times are the same in terms
of io_uring, and this avoids doing some dereferences through the
task_struct. For the hot path of putting local task references, we can
deref req->tctx instead, which we'll need anyway in that function
regardless of whether it's local or remote references.
This is mostly straight forward, except the original task PF_EXITING
check needs a bit of tweaking. task_work is _always_ run from the
originating task, except in the fallback case, where it's run from a
kernel thread. Replace the potentially racy (in case of fallback work)
checks for req->task->flags with current->flags. It's either the still
the original task, in which case PF_EXITING will be sane, or it has
PF_KTHREAD set, in which case it's fallback work. Both cases should
prevent moving forward with the given request.
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2024-11-03 10:23:38 -07:00
|
|
|
int ret;
|
2022-05-25 08:57:27 -06:00
|
|
|
|
|
|
|
if (prev) {
|
io_uring: move struct io_kiocb from task_struct to io_uring_task
Rather than store the task_struct itself in struct io_kiocb, store
the io_uring specific task_struct. The life times are the same in terms
of io_uring, and this avoids doing some dereferences through the
task_struct. For the hot path of putting local task references, we can
deref req->tctx instead, which we'll need anyway in that function
regardless of whether it's local or remote references.
This is mostly straight forward, except the original task PF_EXITING
check needs a bit of tweaking. task_work is _always_ run from the
originating task, except in the fallback case, where it's run from a
kernel thread. Replace the potentially racy (in case of fallback work)
checks for req->task->flags with current->flags. It's either the still
the original task, in which case PF_EXITING will be sane, or it has
PF_KTHREAD set, in which case it's fallback work. Both cases should
prevent moving forward with the given request.
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2024-11-03 10:23:38 -07:00
|
|
|
if (!io_should_terminate_tw()) {
|
2022-05-25 08:57:27 -06:00
|
|
|
struct io_cancel_data cd = {
|
|
|
|
.ctx = req->ctx,
|
|
|
|
.data = prev->cqe.user_data,
|
|
|
|
};
|
|
|
|
|
io_uring: move struct io_kiocb from task_struct to io_uring_task
Rather than store the task_struct itself in struct io_kiocb, store
the io_uring specific task_struct. The life times are the same in terms
of io_uring, and this avoids doing some dereferences through the
task_struct. For the hot path of putting local task references, we can
deref req->tctx instead, which we'll need anyway in that function
regardless of whether it's local or remote references.
This is mostly straight forward, except the original task PF_EXITING
check needs a bit of tweaking. task_work is _always_ run from the
originating task, except in the fallback case, where it's run from a
kernel thread. Replace the potentially racy (in case of fallback work)
checks for req->task->flags with current->flags. It's either the still
the original task, in which case PF_EXITING will be sane, or it has
PF_KTHREAD set, in which case it's fallback work. Both cases should
prevent moving forward with the given request.
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2024-11-03 10:23:38 -07:00
|
|
|
ret = io_try_cancel(req->tctx, &cd, 0);
|
|
|
|
} else {
|
|
|
|
ret = -ECANCELED;
|
2022-05-25 08:57:27 -06:00
|
|
|
}
|
|
|
|
io_req_set_res(req, ret ?: -ETIME, 0);
|
2023-03-27 16:38:15 +01:00
|
|
|
io_req_task_complete(req, ts);
|
2022-05-25 08:57:27 -06:00
|
|
|
io_put_req(prev);
|
|
|
|
} else {
|
|
|
|
io_req_set_res(req, -ETIME, 0);
|
2023-03-27 16:38:15 +01:00
|
|
|
io_req_task_complete(req, ts);
|
2022-05-25 08:57:27 -06:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static enum hrtimer_restart io_link_timeout_fn(struct hrtimer *timer)
|
|
|
|
{
|
|
|
|
struct io_timeout_data *data = container_of(timer,
|
|
|
|
struct io_timeout_data, timer);
|
|
|
|
struct io_kiocb *prev, *req = data->req;
|
2022-08-11 09:11:15 +02:00
|
|
|
struct io_timeout *timeout = io_kiocb_to_cmd(req, struct io_timeout);
|
2022-05-25 08:57:27 -06:00
|
|
|
struct io_ring_ctx *ctx = req->ctx;
|
|
|
|
unsigned long flags;
|
|
|
|
|
2024-12-17 08:21:46 -07:00
|
|
|
raw_spin_lock_irqsave(&ctx->timeout_lock, flags);
|
2022-05-25 08:57:27 -06:00
|
|
|
prev = timeout->head;
|
|
|
|
timeout->head = NULL;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* We don't expect the list to be empty, that will only happen if we
|
|
|
|
* race with the completion of the linked work.
|
|
|
|
*/
|
|
|
|
if (prev) {
|
|
|
|
io_remove_next_linked(prev);
|
|
|
|
if (!req_ref_inc_not_zero(prev))
|
|
|
|
prev = NULL;
|
|
|
|
}
|
|
|
|
list_del(&timeout->list);
|
|
|
|
timeout->prev = prev;
|
2024-12-17 08:21:46 -07:00
|
|
|
raw_spin_unlock_irqrestore(&ctx->timeout_lock, flags);
|
2022-05-25 08:57:27 -06:00
|
|
|
|
|
|
|
req->io_task_work.func = io_req_task_link_timeout;
|
|
|
|
io_req_task_work_add(req);
|
|
|
|
return HRTIMER_NORESTART;
|
|
|
|
}
|
|
|
|
|
|
|
|
static clockid_t io_timeout_get_clock(struct io_timeout_data *data)
|
|
|
|
{
|
|
|
|
switch (data->flags & IORING_TIMEOUT_CLOCK_MASK) {
|
|
|
|
case IORING_TIMEOUT_BOOTTIME:
|
|
|
|
return CLOCK_BOOTTIME;
|
|
|
|
case IORING_TIMEOUT_REALTIME:
|
|
|
|
return CLOCK_REALTIME;
|
|
|
|
default:
|
|
|
|
/* can't happen, vetted at prep time */
|
|
|
|
WARN_ON_ONCE(1);
|
|
|
|
fallthrough;
|
|
|
|
case 0:
|
|
|
|
return CLOCK_MONOTONIC;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static int io_linked_timeout_update(struct io_ring_ctx *ctx, __u64 user_data,
|
|
|
|
struct timespec64 *ts, enum hrtimer_mode mode)
|
|
|
|
__must_hold(&ctx->timeout_lock)
|
|
|
|
{
|
|
|
|
struct io_timeout_data *io;
|
|
|
|
struct io_timeout *timeout;
|
|
|
|
struct io_kiocb *req = NULL;
|
|
|
|
|
|
|
|
list_for_each_entry(timeout, &ctx->ltimeout_list, list) {
|
|
|
|
struct io_kiocb *tmp = cmd_to_io_kiocb(timeout);
|
|
|
|
|
|
|
|
if (user_data == tmp->cqe.user_data) {
|
|
|
|
req = tmp;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (!req)
|
|
|
|
return -ENOENT;
|
|
|
|
|
|
|
|
io = req->async_data;
|
|
|
|
if (hrtimer_try_to_cancel(&io->timer) == -1)
|
|
|
|
return -EALREADY;
|
|
|
|
hrtimer_init(&io->timer, io_timeout_get_clock(io), mode);
|
|
|
|
io->timer.function = io_link_timeout_fn;
|
|
|
|
hrtimer_start(&io->timer, timespec64_to_ktime(*ts), mode);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int io_timeout_update(struct io_ring_ctx *ctx, __u64 user_data,
|
|
|
|
struct timespec64 *ts, enum hrtimer_mode mode)
|
|
|
|
__must_hold(&ctx->timeout_lock)
|
|
|
|
{
|
2023-06-23 09:34:08 -06:00
|
|
|
struct io_cancel_data cd = { .ctx = ctx, .data = user_data, };
|
2022-05-25 08:57:27 -06:00
|
|
|
struct io_kiocb *req = io_timeout_extract(ctx, &cd);
|
2022-08-11 09:11:15 +02:00
|
|
|
struct io_timeout *timeout = io_kiocb_to_cmd(req, struct io_timeout);
|
2022-05-25 08:57:27 -06:00
|
|
|
struct io_timeout_data *data;
|
|
|
|
|
|
|
|
if (IS_ERR(req))
|
|
|
|
return PTR_ERR(req);
|
|
|
|
|
|
|
|
timeout->off = 0; /* noseq */
|
|
|
|
data = req->async_data;
|
2025-01-04 18:29:02 +00:00
|
|
|
data->ts = *ts;
|
|
|
|
|
2022-05-25 08:57:27 -06:00
|
|
|
list_add_tail(&timeout->list, &ctx->timeout_list);
|
|
|
|
hrtimer_init(&data->timer, io_timeout_get_clock(data), mode);
|
|
|
|
data->timer.function = io_timeout_fn;
|
2025-01-04 18:29:02 +00:00
|
|
|
hrtimer_start(&data->timer, timespec64_to_ktime(data->ts), mode);
|
2022-05-25 08:57:27 -06:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
int io_timeout_remove_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
|
|
|
|
{
|
2022-08-11 09:11:15 +02:00
|
|
|
struct io_timeout_rem *tr = io_kiocb_to_cmd(req, struct io_timeout_rem);
|
2022-05-25 08:57:27 -06:00
|
|
|
|
|
|
|
if (unlikely(req->flags & (REQ_F_FIXED_FILE | REQ_F_BUFFER_SELECT)))
|
|
|
|
return -EINVAL;
|
|
|
|
if (sqe->buf_index || sqe->len || sqe->splice_fd_in)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
tr->ltimeout = false;
|
|
|
|
tr->addr = READ_ONCE(sqe->addr);
|
|
|
|
tr->flags = READ_ONCE(sqe->timeout_flags);
|
|
|
|
if (tr->flags & IORING_TIMEOUT_UPDATE_MASK) {
|
|
|
|
if (hweight32(tr->flags & IORING_TIMEOUT_CLOCK_MASK) > 1)
|
|
|
|
return -EINVAL;
|
|
|
|
if (tr->flags & IORING_LINK_TIMEOUT_UPDATE)
|
|
|
|
tr->ltimeout = true;
|
|
|
|
if (tr->flags & ~(IORING_TIMEOUT_UPDATE_MASK|IORING_TIMEOUT_ABS))
|
|
|
|
return -EINVAL;
|
|
|
|
if (get_timespec64(&tr->ts, u64_to_user_ptr(sqe->addr2)))
|
|
|
|
return -EFAULT;
|
|
|
|
if (tr->ts.tv_sec < 0 || tr->ts.tv_nsec < 0)
|
|
|
|
return -EINVAL;
|
|
|
|
} else if (tr->flags) {
|
|
|
|
/* timeout removal doesn't support flags */
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline enum hrtimer_mode io_translate_timeout_mode(unsigned int flags)
|
|
|
|
{
|
|
|
|
return (flags & IORING_TIMEOUT_ABS) ? HRTIMER_MODE_ABS
|
|
|
|
: HRTIMER_MODE_REL;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Remove or update an existing timeout command
|
|
|
|
*/
|
|
|
|
int io_timeout_remove(struct io_kiocb *req, unsigned int issue_flags)
|
|
|
|
{
|
2022-08-11 09:11:15 +02:00
|
|
|
struct io_timeout_rem *tr = io_kiocb_to_cmd(req, struct io_timeout_rem);
|
2022-05-25 08:57:27 -06:00
|
|
|
struct io_ring_ctx *ctx = req->ctx;
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
if (!(tr->flags & IORING_TIMEOUT_UPDATE)) {
|
2023-06-23 09:34:08 -06:00
|
|
|
struct io_cancel_data cd = { .ctx = ctx, .data = tr->addr, };
|
2022-05-25 08:57:27 -06:00
|
|
|
|
|
|
|
spin_lock(&ctx->completion_lock);
|
|
|
|
ret = io_timeout_cancel(ctx, &cd);
|
|
|
|
spin_unlock(&ctx->completion_lock);
|
|
|
|
} else {
|
|
|
|
enum hrtimer_mode mode = io_translate_timeout_mode(tr->flags);
|
|
|
|
|
2024-12-17 08:21:46 -07:00
|
|
|
raw_spin_lock_irq(&ctx->timeout_lock);
|
2022-05-25 08:57:27 -06:00
|
|
|
if (tr->ltimeout)
|
|
|
|
ret = io_linked_timeout_update(ctx, tr->addr, &tr->ts, mode);
|
|
|
|
else
|
|
|
|
ret = io_timeout_update(ctx, tr->addr, &tr->ts, mode);
|
2024-12-17 08:21:46 -07:00
|
|
|
raw_spin_unlock_irq(&ctx->timeout_lock);
|
2022-05-25 08:57:27 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
if (ret < 0)
|
|
|
|
req_set_fail(req);
|
|
|
|
io_req_set_res(req, ret, 0);
|
|
|
|
return IOU_OK;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int __io_timeout_prep(struct io_kiocb *req,
|
|
|
|
const struct io_uring_sqe *sqe,
|
|
|
|
bool is_timeout_link)
|
|
|
|
{
|
2022-08-11 09:11:15 +02:00
|
|
|
struct io_timeout *timeout = io_kiocb_to_cmd(req, struct io_timeout);
|
2022-05-25 08:57:27 -06:00
|
|
|
struct io_timeout_data *data;
|
|
|
|
unsigned flags;
|
|
|
|
u32 off = READ_ONCE(sqe->off);
|
|
|
|
|
|
|
|
if (sqe->buf_index || sqe->len != 1 || sqe->splice_fd_in)
|
|
|
|
return -EINVAL;
|
|
|
|
if (off && is_timeout_link)
|
|
|
|
return -EINVAL;
|
|
|
|
flags = READ_ONCE(sqe->timeout_flags);
|
|
|
|
if (flags & ~(IORING_TIMEOUT_ABS | IORING_TIMEOUT_CLOCK_MASK |
|
2023-04-18 15:58:18 -07:00
|
|
|
IORING_TIMEOUT_ETIME_SUCCESS |
|
|
|
|
IORING_TIMEOUT_MULTISHOT))
|
2022-05-25 08:57:27 -06:00
|
|
|
return -EINVAL;
|
|
|
|
/* more than one clock specified is invalid, obviously */
|
|
|
|
if (hweight32(flags & IORING_TIMEOUT_CLOCK_MASK) > 1)
|
|
|
|
return -EINVAL;
|
2023-04-18 15:58:18 -07:00
|
|
|
/* multishot requests only make sense with rel values */
|
|
|
|
if (!(~flags & (IORING_TIMEOUT_MULTISHOT | IORING_TIMEOUT_ABS)))
|
|
|
|
return -EINVAL;
|
2022-05-25 08:57:27 -06:00
|
|
|
|
|
|
|
INIT_LIST_HEAD(&timeout->list);
|
|
|
|
timeout->off = off;
|
|
|
|
if (unlikely(off && !req->ctx->off_timeout_used))
|
|
|
|
req->ctx->off_timeout_used = true;
|
2023-04-18 15:58:18 -07:00
|
|
|
/*
|
|
|
|
* for multishot reqs w/ fixed nr of repeats, repeats tracks the
|
|
|
|
* remaining nr
|
|
|
|
*/
|
|
|
|
timeout->repeats = 0;
|
|
|
|
if ((flags & IORING_TIMEOUT_MULTISHOT) && off > 0)
|
|
|
|
timeout->repeats = off;
|
2022-05-25 08:57:27 -06:00
|
|
|
|
|
|
|
if (WARN_ON_ONCE(req_has_async_data(req)))
|
|
|
|
return -EFAULT;
|
|
|
|
if (io_alloc_async_data(req))
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
|
|
data = req->async_data;
|
|
|
|
data->req = req;
|
|
|
|
data->flags = flags;
|
|
|
|
|
|
|
|
if (get_timespec64(&data->ts, u64_to_user_ptr(sqe->addr)))
|
|
|
|
return -EFAULT;
|
|
|
|
|
|
|
|
if (data->ts.tv_sec < 0 || data->ts.tv_nsec < 0)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
data->mode = io_translate_timeout_mode(flags);
|
|
|
|
hrtimer_init(&data->timer, io_timeout_get_clock(data), data->mode);
|
|
|
|
|
|
|
|
if (is_timeout_link) {
|
|
|
|
struct io_submit_link *link = &req->ctx->submit_state.link;
|
|
|
|
|
|
|
|
if (!link->head)
|
|
|
|
return -EINVAL;
|
|
|
|
if (link->last->opcode == IORING_OP_LINK_TIMEOUT)
|
|
|
|
return -EINVAL;
|
|
|
|
timeout->head = link->last;
|
|
|
|
link->last->flags |= REQ_F_ARM_LTIMEOUT;
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
int io_timeout_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
|
|
|
|
{
|
|
|
|
return __io_timeout_prep(req, sqe, false);
|
|
|
|
}
|
|
|
|
|
|
|
|
int io_link_timeout_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
|
|
|
|
{
|
|
|
|
return __io_timeout_prep(req, sqe, true);
|
|
|
|
}
|
|
|
|
|
|
|
|
int io_timeout(struct io_kiocb *req, unsigned int issue_flags)
|
|
|
|
{
|
2022-08-11 09:11:15 +02:00
|
|
|
struct io_timeout *timeout = io_kiocb_to_cmd(req, struct io_timeout);
|
2022-05-25 08:57:27 -06:00
|
|
|
struct io_ring_ctx *ctx = req->ctx;
|
|
|
|
struct io_timeout_data *data = req->async_data;
|
|
|
|
struct list_head *entry;
|
|
|
|
u32 tail, off = timeout->off;
|
|
|
|
|
2024-12-17 08:21:46 -07:00
|
|
|
raw_spin_lock_irq(&ctx->timeout_lock);
|
2022-05-25 08:57:27 -06:00
|
|
|
|
|
|
|
/*
|
|
|
|
* sqe->off holds how many events that need to occur for this
|
|
|
|
* timeout event to be satisfied. If it isn't set, then this is
|
|
|
|
* a pure timeout request, sequence isn't used.
|
|
|
|
*/
|
|
|
|
if (io_is_timeout_noseq(req)) {
|
|
|
|
entry = ctx->timeout_list.prev;
|
|
|
|
goto add;
|
|
|
|
}
|
|
|
|
|
2023-05-19 15:21:16 +01:00
|
|
|
tail = data_race(ctx->cached_cq_tail) - atomic_read(&ctx->cq_timeouts);
|
2022-05-25 08:57:27 -06:00
|
|
|
timeout->target_seq = tail + off;
|
|
|
|
|
|
|
|
/* Update the last seq here in case io_flush_timeouts() hasn't.
|
|
|
|
* This is safe because ->completion_lock is held, and submissions
|
|
|
|
* and completions are never mixed in the same ->completion_lock section.
|
|
|
|
*/
|
|
|
|
ctx->cq_last_tm_flush = tail;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Insertion sort, ensuring the first entry in the list is always
|
|
|
|
* the one we need first.
|
|
|
|
*/
|
|
|
|
list_for_each_prev(entry, &ctx->timeout_list) {
|
|
|
|
struct io_timeout *nextt = list_entry(entry, struct io_timeout, list);
|
|
|
|
struct io_kiocb *nxt = cmd_to_io_kiocb(nextt);
|
|
|
|
|
|
|
|
if (io_is_timeout_noseq(nxt))
|
|
|
|
continue;
|
|
|
|
/* nxt.seq is behind @tail, otherwise would've been completed */
|
|
|
|
if (off >= nextt->target_seq - tail)
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
add:
|
|
|
|
list_add(&timeout->list, entry);
|
|
|
|
data->timer.function = io_timeout_fn;
|
|
|
|
hrtimer_start(&data->timer, timespec64_to_ktime(data->ts), data->mode);
|
2024-12-17 08:21:46 -07:00
|
|
|
raw_spin_unlock_irq(&ctx->timeout_lock);
|
2022-05-25 08:57:27 -06:00
|
|
|
return IOU_ISSUE_SKIP_COMPLETE;
|
|
|
|
}
|
|
|
|
|
|
|
|
void io_queue_linked_timeout(struct io_kiocb *req)
|
|
|
|
{
|
2022-08-11 09:11:15 +02:00
|
|
|
struct io_timeout *timeout = io_kiocb_to_cmd(req, struct io_timeout);
|
2022-05-25 08:57:27 -06:00
|
|
|
struct io_ring_ctx *ctx = req->ctx;
|
|
|
|
|
2024-12-17 08:21:46 -07:00
|
|
|
raw_spin_lock_irq(&ctx->timeout_lock);
|
2022-05-25 08:57:27 -06:00
|
|
|
/*
|
|
|
|
* If the back reference is NULL, then our linked request finished
|
|
|
|
* before we got a chance to setup the timer
|
|
|
|
*/
|
|
|
|
if (timeout->head) {
|
|
|
|
struct io_timeout_data *data = req->async_data;
|
|
|
|
|
|
|
|
data->timer.function = io_link_timeout_fn;
|
|
|
|
hrtimer_start(&data->timer, timespec64_to_ktime(data->ts),
|
|
|
|
data->mode);
|
|
|
|
list_add_tail(&timeout->list, &ctx->ltimeout_list);
|
|
|
|
}
|
2024-12-17 08:21:46 -07:00
|
|
|
raw_spin_unlock_irq(&ctx->timeout_lock);
|
2022-05-25 08:57:27 -06:00
|
|
|
/* drop submission reference */
|
|
|
|
io_put_req(req);
|
|
|
|
}
|
|
|
|
|
2024-11-03 10:22:43 -07:00
|
|
|
static bool io_match_task(struct io_kiocb *head, struct io_uring_task *tctx,
|
2022-05-25 08:57:27 -06:00
|
|
|
bool cancel_all)
|
2024-07-24 12:16:18 +01:00
|
|
|
__must_hold(&head->ctx->timeout_lock)
|
2022-05-25 08:57:27 -06:00
|
|
|
{
|
|
|
|
struct io_kiocb *req;
|
|
|
|
|
io_uring: move struct io_kiocb from task_struct to io_uring_task
Rather than store the task_struct itself in struct io_kiocb, store
the io_uring specific task_struct. The life times are the same in terms
of io_uring, and this avoids doing some dereferences through the
task_struct. For the hot path of putting local task references, we can
deref req->tctx instead, which we'll need anyway in that function
regardless of whether it's local or remote references.
This is mostly straight forward, except the original task PF_EXITING
check needs a bit of tweaking. task_work is _always_ run from the
originating task, except in the fallback case, where it's run from a
kernel thread. Replace the potentially racy (in case of fallback work)
checks for req->task->flags with current->flags. It's either the still
the original task, in which case PF_EXITING will be sane, or it has
PF_KTHREAD set, in which case it's fallback work. Both cases should
prevent moving forward with the given request.
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2024-11-03 10:23:38 -07:00
|
|
|
if (tctx && head->tctx != tctx)
|
2022-05-25 08:57:27 -06:00
|
|
|
return false;
|
|
|
|
if (cancel_all)
|
|
|
|
return true;
|
|
|
|
|
|
|
|
io_for_each_link(req, head) {
|
|
|
|
if (req->flags & REQ_F_INFLIGHT)
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Returns true if we found and killed one or more timeouts */
|
2024-11-03 10:22:43 -07:00
|
|
|
__cold bool io_kill_timeouts(struct io_ring_ctx *ctx, struct io_uring_task *tctx,
|
2022-05-25 08:57:27 -06:00
|
|
|
bool cancel_all)
|
|
|
|
{
|
|
|
|
struct io_timeout *timeout, *tmp;
|
io_uring/timeout: flush timeouts outside of the timeout lock
syzbot reports that a recent fix causes nesting issues between the (now)
raw timeoutlock and the eventfd locking:
=============================
[ BUG: Invalid wait context ]
6.13.0-rc4-00080-g9828a4c0901f #29 Not tainted
-----------------------------
kworker/u32:0/68094 is trying to lock:
ffff000014d7a520 (&ctx->wqh#2){..-.}-{3:3}, at: eventfd_signal_mask+0x64/0x180
other info that might help us debug this:
context-{5:5}
6 locks held by kworker/u32:0/68094:
#0: ffff0000c1d98148 ((wq_completion)iou_exit){+.+.}-{0:0}, at: process_one_work+0x4e8/0xfc0
#1: ffff80008d927c78 ((work_completion)(&ctx->exit_work)){+.+.}-{0:0}, at: process_one_work+0x53c/0xfc0
#2: ffff0000c59bc3d8 (&ctx->completion_lock){+.+.}-{3:3}, at: io_kill_timeouts+0x40/0x180
#3: ffff0000c59bc358 (&ctx->timeout_lock){-.-.}-{2:2}, at: io_kill_timeouts+0x48/0x180
#4: ffff800085127aa0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire+0x8/0x38
#5: ffff800085127aa0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire+0x8/0x38
stack backtrace:
CPU: 7 UID: 0 PID: 68094 Comm: kworker/u32:0 Not tainted 6.13.0-rc4-00080-g9828a4c0901f #29
Hardware name: linux,dummy-virt (DT)
Workqueue: iou_exit io_ring_exit_work
Call trace:
show_stack+0x1c/0x30 (C)
__dump_stack+0x24/0x30
dump_stack_lvl+0x60/0x80
dump_stack+0x14/0x20
__lock_acquire+0x19f8/0x60c8
lock_acquire+0x1a4/0x540
_raw_spin_lock_irqsave+0x90/0xd0
eventfd_signal_mask+0x64/0x180
io_eventfd_signal+0x64/0x108
io_req_local_work_add+0x294/0x430
__io_req_task_work_add+0x1c0/0x270
io_kill_timeout+0x1f0/0x288
io_kill_timeouts+0xd4/0x180
io_uring_try_cancel_requests+0x2e8/0x388
io_ring_exit_work+0x150/0x550
process_one_work+0x5e8/0xfc0
worker_thread+0x7ec/0xc80
kthread+0x24c/0x300
ret_from_fork+0x10/0x20
because after the preempt-rt fix for the timeout lock nesting inside
the io-wq lock, we now have the eventfd spinlock nesting inside the
raw timeout spinlock.
Rather than play whack-a-mole with other nesting on the timeout lock,
split the deletion and killing of timeouts so queueing the task_work
for the timeout cancelations can get done outside of the timeout lock.
Reported-by: syzbot+b1fc199a40b65d601b65@syzkaller.appspotmail.com
Fixes: 020b40f35624 ("io_uring: make ctx->timeout_lock a raw spinlock")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2024-12-30 14:15:17 -07:00
|
|
|
LIST_HEAD(list);
|
2022-05-25 08:57:27 -06:00
|
|
|
|
2022-12-02 17:47:23 +00:00
|
|
|
/*
|
|
|
|
* completion_lock is needed for io_match_task(). Take it before
|
|
|
|
* timeout_lockfirst to keep locking ordering.
|
|
|
|
*/
|
|
|
|
spin_lock(&ctx->completion_lock);
|
2024-12-17 08:21:46 -07:00
|
|
|
raw_spin_lock_irq(&ctx->timeout_lock);
|
2022-05-25 08:57:27 -06:00
|
|
|
list_for_each_entry_safe(timeout, tmp, &ctx->timeout_list, list) {
|
|
|
|
struct io_kiocb *req = cmd_to_io_kiocb(timeout);
|
|
|
|
|
io_uring/timeout: flush timeouts outside of the timeout lock
syzbot reports that a recent fix causes nesting issues between the (now)
raw timeoutlock and the eventfd locking:
=============================
[ BUG: Invalid wait context ]
6.13.0-rc4-00080-g9828a4c0901f #29 Not tainted
-----------------------------
kworker/u32:0/68094 is trying to lock:
ffff000014d7a520 (&ctx->wqh#2){..-.}-{3:3}, at: eventfd_signal_mask+0x64/0x180
other info that might help us debug this:
context-{5:5}
6 locks held by kworker/u32:0/68094:
#0: ffff0000c1d98148 ((wq_completion)iou_exit){+.+.}-{0:0}, at: process_one_work+0x4e8/0xfc0
#1: ffff80008d927c78 ((work_completion)(&ctx->exit_work)){+.+.}-{0:0}, at: process_one_work+0x53c/0xfc0
#2: ffff0000c59bc3d8 (&ctx->completion_lock){+.+.}-{3:3}, at: io_kill_timeouts+0x40/0x180
#3: ffff0000c59bc358 (&ctx->timeout_lock){-.-.}-{2:2}, at: io_kill_timeouts+0x48/0x180
#4: ffff800085127aa0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire+0x8/0x38
#5: ffff800085127aa0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire+0x8/0x38
stack backtrace:
CPU: 7 UID: 0 PID: 68094 Comm: kworker/u32:0 Not tainted 6.13.0-rc4-00080-g9828a4c0901f #29
Hardware name: linux,dummy-virt (DT)
Workqueue: iou_exit io_ring_exit_work
Call trace:
show_stack+0x1c/0x30 (C)
__dump_stack+0x24/0x30
dump_stack_lvl+0x60/0x80
dump_stack+0x14/0x20
__lock_acquire+0x19f8/0x60c8
lock_acquire+0x1a4/0x540
_raw_spin_lock_irqsave+0x90/0xd0
eventfd_signal_mask+0x64/0x180
io_eventfd_signal+0x64/0x108
io_req_local_work_add+0x294/0x430
__io_req_task_work_add+0x1c0/0x270
io_kill_timeout+0x1f0/0x288
io_kill_timeouts+0xd4/0x180
io_uring_try_cancel_requests+0x2e8/0x388
io_ring_exit_work+0x150/0x550
process_one_work+0x5e8/0xfc0
worker_thread+0x7ec/0xc80
kthread+0x24c/0x300
ret_from_fork+0x10/0x20
because after the preempt-rt fix for the timeout lock nesting inside
the io-wq lock, we now have the eventfd spinlock nesting inside the
raw timeout spinlock.
Rather than play whack-a-mole with other nesting on the timeout lock,
split the deletion and killing of timeouts so queueing the task_work
for the timeout cancelations can get done outside of the timeout lock.
Reported-by: syzbot+b1fc199a40b65d601b65@syzkaller.appspotmail.com
Fixes: 020b40f35624 ("io_uring: make ctx->timeout_lock a raw spinlock")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2024-12-30 14:15:17 -07:00
|
|
|
if (io_match_task(req, tctx, cancel_all))
|
|
|
|
io_kill_timeout(req, &list);
|
2022-05-25 08:57:27 -06:00
|
|
|
}
|
2024-12-17 08:21:46 -07:00
|
|
|
raw_spin_unlock_irq(&ctx->timeout_lock);
|
2022-12-02 17:47:23 +00:00
|
|
|
spin_unlock(&ctx->completion_lock);
|
io_uring/timeout: flush timeouts outside of the timeout lock
syzbot reports that a recent fix causes nesting issues between the (now)
raw timeoutlock and the eventfd locking:
=============================
[ BUG: Invalid wait context ]
6.13.0-rc4-00080-g9828a4c0901f #29 Not tainted
-----------------------------
kworker/u32:0/68094 is trying to lock:
ffff000014d7a520 (&ctx->wqh#2){..-.}-{3:3}, at: eventfd_signal_mask+0x64/0x180
other info that might help us debug this:
context-{5:5}
6 locks held by kworker/u32:0/68094:
#0: ffff0000c1d98148 ((wq_completion)iou_exit){+.+.}-{0:0}, at: process_one_work+0x4e8/0xfc0
#1: ffff80008d927c78 ((work_completion)(&ctx->exit_work)){+.+.}-{0:0}, at: process_one_work+0x53c/0xfc0
#2: ffff0000c59bc3d8 (&ctx->completion_lock){+.+.}-{3:3}, at: io_kill_timeouts+0x40/0x180
#3: ffff0000c59bc358 (&ctx->timeout_lock){-.-.}-{2:2}, at: io_kill_timeouts+0x48/0x180
#4: ffff800085127aa0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire+0x8/0x38
#5: ffff800085127aa0 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire+0x8/0x38
stack backtrace:
CPU: 7 UID: 0 PID: 68094 Comm: kworker/u32:0 Not tainted 6.13.0-rc4-00080-g9828a4c0901f #29
Hardware name: linux,dummy-virt (DT)
Workqueue: iou_exit io_ring_exit_work
Call trace:
show_stack+0x1c/0x30 (C)
__dump_stack+0x24/0x30
dump_stack_lvl+0x60/0x80
dump_stack+0x14/0x20
__lock_acquire+0x19f8/0x60c8
lock_acquire+0x1a4/0x540
_raw_spin_lock_irqsave+0x90/0xd0
eventfd_signal_mask+0x64/0x180
io_eventfd_signal+0x64/0x108
io_req_local_work_add+0x294/0x430
__io_req_task_work_add+0x1c0/0x270
io_kill_timeout+0x1f0/0x288
io_kill_timeouts+0xd4/0x180
io_uring_try_cancel_requests+0x2e8/0x388
io_ring_exit_work+0x150/0x550
process_one_work+0x5e8/0xfc0
worker_thread+0x7ec/0xc80
kthread+0x24c/0x300
ret_from_fork+0x10/0x20
because after the preempt-rt fix for the timeout lock nesting inside
the io-wq lock, we now have the eventfd spinlock nesting inside the
raw timeout spinlock.
Rather than play whack-a-mole with other nesting on the timeout lock,
split the deletion and killing of timeouts so queueing the task_work
for the timeout cancelations can get done outside of the timeout lock.
Reported-by: syzbot+b1fc199a40b65d601b65@syzkaller.appspotmail.com
Fixes: 020b40f35624 ("io_uring: make ctx->timeout_lock a raw spinlock")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2024-12-30 14:15:17 -07:00
|
|
|
|
|
|
|
return io_flush_killed_timeouts(&list, -ECANCELED);
|
2022-05-25 08:57:27 -06:00
|
|
|
}
|