io_uring: account fixed file references correctly in batch

mainline inclusion from mainline-5.6-rc1 commit 10fef4be category: feature bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=27 CVE: NA --------------------------- We can't assume that the whole batch has fixed files in it. If it's a mix, or none at all, then we can end up doing a ref put that either messes up accounting, or causes an oops if we have no fixed files at all. Also ensure we free requests properly between inflight accounted and normal requests. Fixes: 82c721577011 ("io_uring: extend batch freeing to cover more cases") Reported-by: N Dmitrii Dolgov <9erthalion6@gmail.com> Reported-by: N Pavel Begunkov <asml.silence@gmail.com> Tested-by: N Dmitrii Dolgov <9erthalion6@gmail.com> Signed-off-by: N Jens Axboe <axboe@kernel.dk> Signed-off-by: N yangerkun <yangerkun@huawei.com> Reviewed-by: N zhangyi (F) <yi.zhang@huawei.com> Signed-off-by: N Cheng Jian <cj.chengjian@huawei.com>

io_uring: account fixed file references correctly in batch
mainline inclusion from mainline-5.6-rc1 commit 10fef4be category: feature bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=27 CVE: NA --------------------------- We can't assume that the whole batch has fixed files in it. If it's a mix, or none at all, then we can end up doing a ref put that either messes up accounting, or causes an oops if we have no fixed files at all. Also ensure we free requests properly between inflight accounted and normal requests. Fixes: 82c721577011 ("io_uring: extend batch freeing to cover more cases") Reported-by: N Dmitrii Dolgov <9erthalion6@gmail.com> Reported-by: N Pavel Begunkov <asml.silence@gmail.com> Tested-by: N Dmitrii Dolgov <9erthalion6@gmail.com> Signed-off-by: N Jens Axboe <axboe@kernel.dk> Signed-off-by: N yangerkun <yangerkun@huawei.com> Reviewed-by: N zhangyi (F) <yi.zhang@huawei.com> Signed-off-by: N Cheng Jian <cj.chengjian@huawei.com>
04dea516 · Jens Axboe · Cheng Jian · 11967b48 · 04dea516
隐藏空白更改
内联并排

Showing with 9 addition and 5 deletion

fs/io_uring.c fs/io_uring.c +9 -5

未找到文件。
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -1202,21 +1202,24 @@ struct req_batch {
 static void io_free_req_many(struct io_ring_ctx *ctx, struct req_batch *rb)
 {
+	int fixed_refs = rb->to_free;
 	if (!rb->to_free)
 		return;
 	if (rb->need_iter) {
 		int i, inflight = 0;
 		unsigned long flags;
+		fixed_refs = 0;
 		for (i = 0; i < rb->to_free; i++) {
 			struct io_kiocb *req = rb->reqs[i];
-			if (req->flags & REQ_F_FIXED_FILE)
+			if (req->flags & REQ_F_FIXED_FILE) {
 				req->file = NULL;
+				fixed_refs++;
+			}
 			if (req->flags & REQ_F_INFLIGHT)
 				inflight++;
-			else
-				rb->reqs[i] = NULL;
 			__io_req_aux_free(req);
 		}
 		if (!inflight)
@@ -1226,7 +1229,7 @@ static void io_free_req_many(struct io_ring_ctx *ctx, struct req_batch *rb)
 		for (i = 0; i < rb->to_free; i++) {
 			struct io_kiocb *req = rb->reqs[i];
-			if (req) {
+			if (req->flags & REQ_F_INFLIGHT) {
 				list_del(&req->inflight_entry);
 				if (!--inflight)
 					break;
@@ -1239,8 +1242,9 @@ static void io_free_req_many(struct io_ring_ctx *ctx, struct req_batch *rb)
 	}
 do_free:
 	kmem_cache_free_bulk(req_cachep, rb->to_free, rb->reqs);
+	if (fixed_refs)
+		percpu_ref_put_many(&ctx->file_data->refs, fixed_refs);
 	percpu_ref_put_many(&ctx->refs, rb->to_free);
-	percpu_ref_put_many(&ctx->file_data->refs, rb->to_free);
 	rb->to_free = rb->need_iter = 0;
 }