io_uring: fail io_uring_register(2) on a dying io_uring instance

If we have multiple threads doing io_uring_register(2) on an io_uring fd, then we can potentially try and kill the percpu reference while someone else has already killed it. Prevent this race by failing io_uring_register(2) if the ref is marked dying. This is safe since we're inside the io_uring mutex. Fixes: b19062a56726 ("io_uring: fix possible deadlock between io_uring_{enter,register}") Reported-by: syzbot <syzbot+10d25e23199614b7721f@syzkaller.appspotmail.com> Signed-off-by: Jens Axboe <axboe@kernel.dk>
author: Jens Axboe <axboe@kernel.dk> 2019-04-22 10:23:23 -0600
committer: Jens Axboe <axboe@kernel.dk> 2019-04-22 10:37:07 -0600
commit: 35fa71a030caa50458a043560d4814ea9bcd639f (patch)
tree: f40aab4ff93b1443117ce1ed87a63c6ebd0dda2b /fs
parent: 085b7755808aa11f78ab9377257e1dad2e6fa4bb (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/fs/io_uring.c b/fs/io_uring.c
index f65f85d89217..a2f39faed6a7 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -2934,6 +2934,14 @@ static int __io_uring_register(struct io_ring_ctx *ctx, unsigned opcode,
 {
 	int ret;
 
+	/*
+	 * We're inside the ring mutex, if the ref is already dying, then
+	 * someone else killed the ctx or is already going through
+	 * io_uring_register().
+	 */
+	if (percpu_ref_is_dying(&ctx->refs))
+		return -ENXIO;
+
 	percpu_ref_kill(&ctx->refs);
 
 	/*
author	Jens Axboe <axboe@kernel.dk>	2019-04-22 10:23:23 -0600
committer	Jens Axboe <axboe@kernel.dk>	2019-04-22 10:37:07 -0600
commit	35fa71a030caa50458a043560d4814ea9bcd639f (patch)
tree	f40aab4ff93b1443117ce1ed87a63c6ebd0dda2b /fs
parent	085b7755808aa11f78ab9377257e1dad2e6fa4bb (diff)