Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge tag 'io_uring-5.6-2020-02-22' of git://git.kernel.dk/linux-block

Pull io_uring fixes from Jens Axboe:
"Here's a small collection of fixes that were queued up:

- Remove unnecessary NULL check (Dan)

- Missing io_req_cancelled() call in fallocate (Pavel)

- Put the cleanup check for aux data in the right spot (Pavel)

- Two fixes for SQPOLL (Stefano, Xiaoguang)"

* tag 'io_uring-5.6-2020-02-22' of git://git.kernel.dk/linux-block:
io_uring: fix __io_iopoll_check deadlock in io_sq_thread
io_uring: prevent sq_thread from spinning when it should stop
io_uring: fix use-after-free by io_cleanup_req()
io_uring: remove unnecessary NULL checks
io_uring: add missing io_req_cancelled()

+30 -35
+30 -35
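--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -1260,6 +1260,9 @@
 {
 	struct io_ring_ctx *ctx = req->ctx;
 
+	if (req->flags & REQ_F_NEED_CLEANUP)
+		io_cleanup_req(req);
+
 	kfree(req->io);
 	if (req->file) {
 		if (req->flags & REQ_F_FIXED_FILE)
@@ -1274,9 +1277,6 @@
 static void __io_free_req(struct io_kiocb *req)
 {
 	__io_req_aux_free(req);
-
-	if (req->flags & REQ_F_NEED_CLEANUP)
-		io_cleanup_req(req);
 
 	if (req->flags & REQ_F_INFLIGHT) {
 		struct io_ring_ctx *ctx = req->ctx;
@@ -1672,11 +1672,17 @@
 	mutex_unlock(&ctx->uring_lock);
 }
 
-static int __io_iopoll_check(struct io_ring_ctx *ctx, unsigned *nr_events,
-			     long min)
+static int io_iopoll_check(struct io_ring_ctx *ctx, unsigned *nr_events,
+			   long min)
 {
 	int iters = 0, ret = 0;
 
+	/*
+	 * We disallow the app entering submit/complete with polling, but we
+	 * still need to lock the ring to prevent racing with polled issue
+	 * that got punted to a workqueue.
+	 */
+	mutex_lock(&ctx->uring_lock);
 	do {
 		int tmin = 0;
 
@@ -1712,21 +1718,6 @@
 		ret = 0;
 	} while (min && !*nr_events && !need_resched());
 
-	return ret;
-}
-
-static int io_iopoll_check(struct io_ring_ctx *ctx, unsigned *nr_events,
-			   long min)
-{
-	int ret;
-
-	/*
-	 * We disallow the app entering submit/complete with polling, but we
-	 * still need to lock the ring to prevent racing with polled issue
-	 * that got punted to a workqueue.
-	 */
-	mutex_lock(&ctx->uring_lock);
-	ret = __io_iopoll_check(ctx, nr_events, min);
 	mutex_unlock(&ctx->uring_lock);
 	return ret;
 }
@@ -2517,6 +2508,9 @@
 	struct io_kiocb *nxt = NULL;
 	int ret;
 
+	if (io_req_cancelled(req))
+		return;
+
 	ret = vfs_fallocate(req->file, req->sync.mode, req->sync.off,
 				req->sync.len);
 	if (ret < 0)
@@ -2904,6 +2898,7 @@
 	struct io_kiocb *req = container_of(*workptr, struct io_kiocb, work);
 	struct io_kiocb *nxt = NULL;
 
+	/* not cancellable, don't do io_req_cancelled() */
 	__io_close_finish(req, &nxt);
 	if (nxt)
 		io_wq_assign_next(workptr, nxt);
@@ -3071,7 +3066,7 @@
 	if (req->io)
 		return -EAGAIN;
 	if (io_alloc_async_ctx(req)) {
-		if (kmsg && kmsg->iov != kmsg->fast_iov)
+		if (kmsg->iov != kmsg->fast_iov)
 			kfree(kmsg->iov);
 		return -ENOMEM;
 	}
@@ -3225,7 +3220,7 @@
 	if (req->io)
 		return -EAGAIN;
 	if (io_alloc_async_ctx(req)) {
-		if (kmsg && kmsg->iov != kmsg->fast_iov)
+		if (kmsg->iov != kmsg->fast_iov)
 			kfree(kmsg->iov);
 		return -ENOMEM;
 	}
@@ -5114,7 +5109,7 @@
 	 */
 	mutex_lock(&ctx->uring_lock);
 	if (!list_empty(&ctx->poll_list))
-		__io_iopoll_check(ctx, &nr_events, 0);
+		io_iopoll_getevents(ctx, &nr_events, 0);
 	else
 		inflight = 0;
 	mutex_unlock(&ctx->uring_lock);
@@ -5139,6 +5134,18 @@
 	 */
 	if (!to_submit || ret == -EBUSY) {
 		/*
+		 * Drop cur_mm before scheduling, we can't hold it for
+		 * long periods (or over schedule()). Do this before
+		 * adding ourselves to the waitqueue, as the unuse/drop
+		 * may sleep.
+		 */
+		if (cur_mm) {
+			unuse_mm(cur_mm);
+			mmput(cur_mm);
+			cur_mm = NULL;
+		}
+
+		/*
 		 * We're polling. If we're within the defined idle
 		 * period, then let us spin without work before going
 		 * to sleep. The exception is if we got EBUSY doing
@@ -5150,18 +5157,6 @@
 			!percpu_ref_is_dying(&ctx->refs))) {
 			cond_resched();
 			continue;
-		}
-
-		/*
-		 * Drop cur_mm before scheduling, we can't hold it for
-		 * long periods (or over schedule()). Do this before
-		 * adding ourselves to the waitqueue, as the unuse/drop
-		 * may sleep.
-		 */
-		if (cur_mm) {
-			unuse_mm(cur_mm);
-			mmput(cur_mm);
-			cur_mm = NULL;
 		}
 
 		prepare_to_wait(&ctx->sqo_wait, &wait,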
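Review bot: The `io_cleanup_req()` call added in the first hunk now sits directly above `kfree(req->io)` with nothing recording that the order is load-bearing. Going by the commit title ("fix use-after-free by io_cleanup_req()"), the cleanup presumably still reads `req->io`, so a later reshuffle that frees first would silently bring the use-after-free back. I would add a one-line comment above the check, e.g. `/* must run before kfree(req->io): cleanup may still dereference req->io */`. The enclosing function's signature and the body of io_cleanup_req() are outside the hunk, so which fields it touches should be confirmed there.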