Commit 99c8bc52, authored by Hao Xu, committed by Jens Axboe

io_uring: fix lack of protection for compl_nr

compl_nr in ctx_flush_and_put() is not protected by uring_lock, this
may cause problems when accessing in parallel:

say compl_nr > 0

  ctx_flush_and_put                  other context
   if (compl_nr)                      get mutex
                                      compl_nr > 0
                                      do flush
                                          compl_nr = 0
                                      release mutex
        get mutex
           do flush (*)
        release mutex

in (*) place, we call io_cqring_ev_posted() and users likely get
no events there. To avoid spurious events, re-check the value when
under the lock.

Fixes: 2c32395d ("io_uring: fix __tctx_task_work() ctx race")
Signed-off-by: Hao Xu <haoxu@linux.alibaba.com>
Link: https://lore.kernel.org/r/20210820221954.61815-1-haoxu@linux.alibaba.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Parent 187f08c1
...@@ -2007,7 +2007,8 @@ static void ctx_flush_and_put(struct io_ring_ctx *ctx) ...@@ -2007,7 +2007,8 @@ static void ctx_flush_and_put(struct io_ring_ctx *ctx)
return; return;
if (ctx->submit_state.compl_nr) { if (ctx->submit_state.compl_nr) {
mutex_lock(&ctx->uring_lock); mutex_lock(&ctx->uring_lock);
io_submit_flush_completions(ctx); if (ctx->submit_state.compl_nr)
io_submit_flush_completions(ctx);
mutex_unlock(&ctx->uring_lock); mutex_unlock(&ctx->uring_lock);
} }
percpu_ref_put(&ctx->refs); percpu_ref_put(&ctx->refs);
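Review bot: The outer `if (ctx->submit_state.compl_nr)` ahead of `mutex_lock(&ctx->uring_lock)` is still an unlocked read of a field the commit message says uring_lock protects, so after this change it is only a hint and the new inner check is the authoritative one. A one-line comment above the inner `if` explaining why the value is re-read under the lock would keep a later cleanup from collapsing the two checks back into one, and wrapping the outer read in READ_ONCE() would mark the race as intentional. It is also worth confirming that a stale zero seen by the outer check cannot skip a flush that no other context will perform.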
......
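The interleaving from the commit message, as an added single-threaded C model (not kernel code and not part of the commit): the other context's flush is forced into the window between the unlocked check and the lock. `ctx_model`, `other_context`, `run_interleaving` and the `recheck` flag are hypothetical names, and the flush body is an assumed stand-in.

```c
#include <stdio.h>

/* User-space model: names mirror the patch, bodies are assumptions. */
struct ctx_model {
    int compl_nr;      /* batched completions (guarded by uring_lock in the kernel) */
    int flushed;       /* completions actually delivered */
    int empty_wakeups; /* flushes that found nothing: the (*) case */
};

/* Stand-in for io_submit_flush_completions(): deliver, then signal waiters. */
static void flush_completions(struct ctx_model *c)
{
    if (c->compl_nr == 0)
        c->empty_wakeups++; /* waiter is signalled but finds no events */
    c->flushed += c->compl_nr;
    c->compl_nr = 0;
}

/* The "other context" column of the diagram. */
static void other_context(struct ctx_model *c)
{
    if (c->compl_nr > 0)    /* runs entirely under the mutex */
        flush_completions(c);
}

/* recheck = 0 models the code before the patch, 1 the code after it. */
static void ctx_flush_and_put_model(struct ctx_model *c, int recheck)
{
    if (!c->compl_nr)       /* unlocked check */
        return;
    other_context(c);       /* the interleaving from the commit message */
    /* the mutex is taken here, after the other context released it */
    if (!recheck || c->compl_nr)
        flush_completions(c);
}

/* Returns the number of empty wakeups, or -1 if completions were lost. */
int run_interleaving(int recheck, int pending)
{
    struct ctx_model c = { .compl_nr = pending };
    ctx_flush_and_put_model(&c, recheck);
    return c.flushed == pending ? c.empty_wakeups : -1;
}

int main(void)
{
    printf("before: %d, after: %d\n", run_interleaving(0, 3), run_interleaving(1, 3));
    return 0;
}
```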