Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge tag 'io_uring-5.11-2021-01-16' of git://git.kernel.dk/linux-block

Pull io_uring fixes from Jens Axboe:
"We still have a pending fix for a cancelation issue, but it's still
being investigated. In the meantime:

- Dead mm handling fix (Pavel)

- SQPOLL setup error handling (Pavel)

- Flush timeout sequence fix (Marcelo)

- Missing finish_wait() for one exit case"

* tag 'io_uring-5.11-2021-01-16' of git://git.kernel.dk/linux-block:
io_uring: ensure finish_wait() is always called in __io_uring_task_cancel()
io_uring: flush timeouts that should already have expired
io_uring: do sqo disable on install_fd error
io_uring: fix null-deref in io_disable_sqo_submit
io_uring: don't take files/mm for a dead task
io_uring: drop mm and files after task_work_run

+41 -5
+41 -5
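--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -354,6 +354,7 @@
 unsigned cq_entries;
 unsigned cq_mask;
 atomic_t cq_timeouts;
+unsigned cq_last_tm_flush;
 unsigned long cq_check_overflow;
 struct wait_queue_head cq_wait;
 struct fasync_struct *cq_fasync;
@@ -1107,6 +1106,9 @@
 
 static int __io_sq_thread_acquire_files(struct io_ring_ctx *ctx)
 {
+if (current->flags & PF_EXITING)
+return -EFAULT;
+
 if (!current->files) {
 struct files_struct *files;
 struct nsproxy *nsproxy;
@@ -1137,6 +1133,8 @@
 {
 struct mm_struct *mm;
 
+if (current->flags & PF_EXITING)
+return -EFAULT;
 if (current->mm)
 return 0;
 
@@ -1640,19 +1634,38 @@
 
 static void io_flush_timeouts(struct io_ring_ctx *ctx)
 {
-while (!list_empty(&ctx->timeout_list)) {
+u32 seq;
+
+if (list_empty(&ctx->timeout_list))
+return;
+
+seq = ctx->cached_cq_tail - atomic_read(&ctx->cq_timeouts);
+
+do {
+u32 events_needed, events_got;
 struct io_kiocb *req = list_first_entry(&ctx->timeout_list,
 struct io_kiocb, timeout.list);
 
 if (io_is_timeout_noseq(req))
 break;
-if (req->timeout.target_seq != ctx->cached_cq_tail
-- atomic_read(&ctx->cq_timeouts))
+
+/*
+* Since seq can easily wrap around over time, subtract
+* the last seq at which timeouts were flushed before comparing.
+* Assuming not more than 2^31-1 events have happened since,
+* these subtractions won't have wrapped, so we can check if
+* target is in [last_seq, current_seq] by comparing the two.
+*/
+events_needed = req->timeout.target_seq - ctx->cq_last_tm_flush;
+events_got = seq - ctx->cq_last_tm_flush;
+if (events_got < events_needed)
 break;
 
 list_del_init(&req->timeout.list);
 io_kill_timeout(req);
-}
+} while (!list_empty(&ctx->timeout_list));
+
+ctx->cq_last_tm_flush = seq;
 }
 
 static void io_commit_cqring(struct io_ring_ctx *ctx)
@@ -5857,6 +5832,12 @@
 tail = ctx->cached_cq_tail - atomic_read(&ctx->cq_timeouts);
 req->timeout.target_seq = tail + off;
 
+/* Update the last seq here in case io_flush_timeouts() hasn't.
+* This is safe because ->completion_lock is held, and submissions
+* and completions are never mixed in the same ->completion_lock section.
+*/
+ctx->cq_last_tm_flush = tail;
+
 /*
 * Insertion sort, ensuring the first entry in the list is always
 * the one we need first.
@@ -7087,6 +7056,7 @@
 
 if (sqt_spin || !time_after(jiffies, timeout)) {
 io_run_task_work();
+io_sq_thread_drop_mm_files();
 cond_resched();
 if (sqt_spin)
 timeout = jiffies + sqd->sq_thread_idle;
@@ -7125,6 +7093,7 @@
 }
 
 io_run_task_work();
+io_sq_thread_drop_mm_files();
 
 if (cur_css)
 io_sq_thread_unassociate_blkcg();
@@ -8921,7 +8888,8 @@
 mutex_unlock(&ctx->uring_lock);
 
 /* make sure callers enter the ring to get error */
-io_ring_set_wakeup_flag(ctx);
+if (ctx->rings)
+io_ring_set_wakeup_flag(ctx);
 }
 
 /*
@@ -9101,6 +9067,7 @@
 finish_wait(&tctx->wait, &wait);
 } while (1);
 
+finish_wait(&tctx->wait, &wait);
 atomic_dec(&tctx->in_idle);
 
 io_uring_remove_task_files(tctx);
@@ -9735,6 +9700,7 @@
 */
 ret = io_uring_install_fd(ctx, file);
 if (ret < 0) {
+io_disable_sqo_submit(ctx);
 /* fput will clean it up */
 fput(file);
 return ret;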
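Review bot: The wrap-safe comparison in io_flush_timeouts() is only correct if ctx->cq_last_tm_flush is never updated concurrently, yet the new code writes it in two places (the end of io_flush_timeouts() and io_timeout()) and only the io_timeout() comment mentions ->completion_lock. Nothing in the visible hunks shows the lock being taken, so I would make the invariant checkable by adding `lockdep_assert_held(&ctx->completion_lock);` at the top of io_flush_timeouts(), assuming its callers do hold it. The new field in struct io_ring_ctx would also benefit from a one-line comment such as `/* CQ seq at the last timeout flush; protected by ->completion_lock */`. Both functions continue outside the visible hunks.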