* [PATCH backport 5.10] io_uring: close a small race gap for files cancel
[not found] <cover.1609215832.git.asml.silence@gmail.com>
@ 2020-12-29 4:35 ` Pavel Begunkov
2020-12-30 15:30 ` Greg KH
0 siblings, 1 reply; 2+ messages in thread
From: Pavel Begunkov @ 2020-12-29 4:35 UTC (permalink / raw)
To: Jens Axboe, gregkh, stable
commit dfea9fce29fda6f2f91161677e0e0d9b671bc099 upstream.
The purpose of io_uring_cancel_files() is to wait for all requests
matching ->files to go/be cancelled. We should first drop files of a
request in io_req_drop_files() and only then make it undiscoverable for
io_uring_cancel_files.
First drop, then delete from list. It's ok to leave req->id->files
dangling, because it's not dereferenced by cancellation code, only
compared against. It would potentially go to sleep and be awaken by
following in io_req_drop_files() wake_up().
Fixes: 0f2122045b946 ("io_uring: don't rely on weak ->files references")
Cc: <stable@vger.kernel.org> # 5.5+
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
---
fs/io_uring.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index 86dac2b2e276..dfe33b0b148f 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -5854,15 +5854,15 @@ static void io_req_drop_files(struct io_kiocb *req)
struct io_ring_ctx *ctx = req->ctx;
unsigned long flags;
+ put_files_struct(req->work.identity->files);
+ put_nsproxy(req->work.identity->nsproxy);
spin_lock_irqsave(&ctx->inflight_lock, flags);
list_del(&req->inflight_entry);
- if (waitqueue_active(&ctx->inflight_wait))
- wake_up(&ctx->inflight_wait);
spin_unlock_irqrestore(&ctx->inflight_lock, flags);
req->flags &= ~REQ_F_INFLIGHT;
- put_files_struct(req->work.identity->files);
- put_nsproxy(req->work.identity->nsproxy);
req->work.flags &= ~IO_WQ_WORK_FILES;
+ if (waitqueue_active(&ctx->inflight_wait))
+ wake_up(&ctx->inflight_wait);
}
static void __io_clean_op(struct io_kiocb *req)
--
2.24.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH backport 5.10] io_uring: close a small race gap for files cancel
2020-12-29 4:35 ` [PATCH backport 5.10] io_uring: close a small race gap for files cancel Pavel Begunkov
@ 2020-12-30 15:30 ` Greg KH
0 siblings, 0 replies; 2+ messages in thread
From: Greg KH @ 2020-12-30 15:30 UTC (permalink / raw)
To: Pavel Begunkov; +Cc: Jens Axboe, stable
On Tue, Dec 29, 2020 at 04:35:49AM +0000, Pavel Begunkov wrote:
> commit dfea9fce29fda6f2f91161677e0e0d9b671bc099 upstream.
>
> The purpose of io_uring_cancel_files() is to wait for all requests
> matching ->files to go/be cancelled. We should first drop files of a
> request in io_req_drop_files() and only then make it undiscoverable for
> io_uring_cancel_files.
>
> First drop, then delete from list. It's ok to leave req->id->files
> dangling, because it's not dereferenced by cancellation code, only
> compared against. It would potentially go to sleep and be awaken by
> following in io_req_drop_files() wake_up().
>
> Fixes: 0f2122045b946 ("io_uring: don't rely on weak ->files references")
> Cc: <stable@vger.kernel.org> # 5.5+
> Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
> Signed-off-by: Jens Axboe <axboe@kernel.dk>
> ---
> fs/io_uring.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
Now applied, thanks.
greg k-h
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-12-30 15:29 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <cover.1609215832.git.asml.silence@gmail.com>
2020-12-29 4:35 ` [PATCH backport 5.10] io_uring: close a small race gap for files cancel Pavel Begunkov
2020-12-30 15:30 ` Greg KH
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.