Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

io_uring/waitid: fix KCSAN warning on io_waitid->head

Storing of the iw->head entry inside the wait_queue callback, or when
removing a waitid item, really should use proper load/store
acquire/release semantics, and KCSAN correctly warns of that. Ensure
that they do so.

Reported-by: syzbot+eb441775f4f948a0902f@syzkaller.appspotmail.com
Fixes: a48c0cbf28c0 ("io_uring/waitid: have io_waitid_complete() remove wait queue entry")
Signed-off-by: Jens Axboe <axboe@kernel.dk>

+3 -3
io_uring/waitid.c
··· 114 114 struct io_waitid *iw = io_kiocb_to_cmd(req, struct io_waitid); 115 115 struct wait_queue_head *head; 116 116 117 - head = READ_ONCE(iw->head); 117 + head = smp_load_acquire(&iw->head); 118 118 if (head) { 119 119 struct io_waitid_async *iwa = req->async_data; 120 120 121 - iw->head = NULL; 121 + smp_store_release(&iw->head, NULL); 122 122 spin_lock_irq(&head->lock); 123 123 list_del_init(&iwa->wo.child_wait.entry); 124 124 spin_unlock_irq(&head->lock); ··· 246 246 return 0; 247 247 248 248 list_del_init(&wait->entry); 249 - iw->head = NULL; 249 + smp_store_release(&iw->head, NULL); 250 250 251 251 /* cancel is in progress */ 252 252 if (atomic_fetch_inc(&iw->refs) & IO_WAITID_REF_MASK)
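Review bot: In the first hunk (lines 117-122), `smp_store_release(&iw->head, NULL)` is issued before `spin_lock_irq(&head->lock)` and `list_del_init(&iwa->wo.child_wait.entry)`, so the release does not order the list removal ahead of the NULL becoming visible, while the second hunk clears `iw->head` only after its `list_del_init()`. If that asymmetry is intended, please add a comment at line 121 saying which earlier writes the release is meant to publish. The load at line 117 and the store at line 121 are also two separate operations rather than one exchange, so the comment should name what keeps two contexts from both observing a non-NULL `head`.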
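Review bot: The `smp_store_release(&iw->head, NULL)` at line 249 in the second hunk carries no comment naming the acquire it pairs with, and neither release store in this patch publishes a non-NULL pointer. Please add a one-line comment stating that it pairs with `smp_load_acquire(&iw->head)` at line 117 and that it orders the preceding `list_del_init(&wait->entry)` before the cleared `head` is seen, so the barrier pairing is documented at the call site. The store that sets `iw->head` to a non-NULL value is not in the visible lines; if it is still a plain store, the acquire at line 117 has nothing to synchronize with on that path, so it is worth confirming in the commit message.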