Skip to content

cloud-kernel
cloud-kernel

openanolis / cloud-kernel
1 年多 前同步成功

通知 160
Star 36
Fork 7
cloud-kernel
cloud-kernel
提交 e0b245f8 编写于 作者: J Jiufei Xue 提交者: Caspar Zhang
浏览文件
操作

io_uring: hold 'ctx' reference around task_work queue + execute 

fix #29820404

commit 6d816e088c359866f9867057e04f244c608c42fe linux-block/io_uring-5.9
branch.

We're holding the request reference, but we need to go one higher
to ensure that the ctx remains valid after the request has finished.
If the ring is closed with pending task_work inflight, and the
given io_kiocb finishes sync during issue, then we need a reference
to the ring itself around the task_work execution cycle.

Cc: stable@vger.kernel.org # v5.7+
Reported-by: syzbot+9b260fc33297966f5a8e@syzkaller.appspotmail.com
Signed-off-by: NJens Axboe <axboe@kernel.dk>
Signed-off-by: NJiufei Xue <jiufei.xue@linux.alibaba.com>
Reviewed-by: NJoseph Qi <joseph.qi@linux.alibaba.com>
上级 329479e2
隐藏空白更改
内联 并排
Showing with 5 addition and 0 deletion
fs/io_uring.c
浏览文件 @ e0b245f8
...@@ -4089,6 +4089,7 @@ static int __io_async_wake(struct io_kiocb *req, struct io_poll_iocb *poll, ...@@ -4089,6 +4089,7 @@ static int __io_async_wake(struct io_kiocb *req, struct io_poll_iocb *poll,
tsk = req->task; tsk = req->task;
req->result = mask; req->result = mask;
percpu_ref_get(&req->ctx->refs);
init_task_work(&req->task_work, func); init_task_work(&req->task_work, func);
/* /*
* If this fails, then the task is exiting. When a task exits, the * If this fails, then the task is exiting. When a task exits, the
...@@ -4174,6 +4175,7 @@ static void io_poll_task_handler(struct io_kiocb *req, struct io_kiocb **nxt) ...@@ -4174,6 +4175,7 @@ static void io_poll_task_handler(struct io_kiocb *req, struct io_kiocb **nxt)
static void io_poll_task_func(struct callback_head *cb) static void io_poll_task_func(struct callback_head *cb)
{ {
struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work); struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
struct io_ring_ctx *ctx = req->ctx;
struct io_kiocb *nxt = NULL; struct io_kiocb *nxt = NULL;
io_poll_task_handler(req, &nxt); io_poll_task_handler(req, &nxt);
...@@ -4184,6 +4186,7 @@ static void io_poll_task_func(struct callback_head *cb) ...@@ -4184,6 +4186,7 @@ static void io_poll_task_func(struct callback_head *cb)
__io_queue_sqe(nxt, NULL); __io_queue_sqe(nxt, NULL);
mutex_unlock(&ctx->uring_lock); mutex_unlock(&ctx->uring_lock);
} }
percpu_ref_put(&ctx->refs);
} }
static int io_poll_double_wake(struct wait_queue_entry *wait, unsigned mode, static int io_poll_double_wake(struct wait_queue_entry *wait, unsigned mode,
...@@ -4298,6 +4301,7 @@ static void io_async_task_func(struct callback_head *cb) ...@@ -4298,6 +4301,7 @@ static void io_async_task_func(struct callback_head *cb)
if (io_poll_rewait(req, &apoll->poll)) { if (io_poll_rewait(req, &apoll->poll)) {
spin_unlock_irq(&ctx->completion_lock); spin_unlock_irq(&ctx->completion_lock);
percpu_ref_put(&ctx->refs);
return; return;
} }
...@@ -4336,6 +4340,7 @@ static void io_async_task_func(struct callback_head *cb) ...@@ -4336,6 +4340,7 @@ static void io_async_task_func(struct callback_head *cb)
req_set_fail_links(req); req_set_fail_links(req);
io_double_put_req(req); io_double_put_req(req);
} }
percpu_ref_put(&ctx->refs);
} }
static int io_async_wake(struct wait_queue_entry *wait, unsigned mode, int sync, static int io_async_wake(struct wait_queue_entry *wait, unsigned mode, int sync,
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册