From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Lukas Bulwahn <lukas.bulwahn@gmail.com>,
Pavel Begunkov <asml.silence@gmail.com>,
Jens Axboe <axboe@kernel.dk>
Subject: [PATCH 5.16 3/9] io_uring: fix not released cached task refs
Date: Thu, 27 Jan 2022 19:09:38 +0100 [thread overview]
Message-ID: <20220127180259.001727110@linuxfoundation.org> (raw)
In-Reply-To: <20220127180258.892788582@linuxfoundation.org>
From: Pavel Begunkov <asml.silence@gmail.com>
commit 3cc7fdb9f90a25ae92250bf9e6cf3b9556b230e9 upstream.
tctx_task_work() may get run after io_uring cancellation and so there
will be no one to put cached in tctx task refs that may have been added
back by tw handlers using inline completion infra, Call
io_uring_drop_tctx_refs() at the end of the main tw handler to release
them.
Cc: stable@vger.kernel.org # 5.15+
Reported-by: Lukas Bulwahn <lukas.bulwahn@gmail.com>
Fixes: e98e49b2bbf7 ("io_uring: extend task put optimisations")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/69f226b35fbdb996ab799a8bbc1c06bf634ccec1.1641688805.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/io_uring.c | 34 +++++++++++++++++++++-------------
1 file changed, 21 insertions(+), 13 deletions(-)
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -1830,6 +1830,18 @@ static inline void io_get_task_refs(int
io_task_refs_refill(tctx);
}
+static __cold void io_uring_drop_tctx_refs(struct task_struct *task)
+{
+ struct io_uring_task *tctx = task->io_uring;
+ unsigned int refs = tctx->cached_refs;
+
+ if (refs) {
+ tctx->cached_refs = 0;
+ percpu_counter_sub(&tctx->inflight, refs);
+ put_task_struct_many(task, refs);
+ }
+}
+
static bool io_cqring_event_overflow(struct io_ring_ctx *ctx, u64 user_data,
s32 res, u32 cflags)
{
@@ -2250,6 +2262,10 @@ static void tctx_task_work(struct callba
}
ctx_flush_and_put(ctx, &locked);
+
+ /* relaxed read is enough as only the task itself sets ->in_idle */
+ if (unlikely(atomic_read(&tctx->in_idle)))
+ io_uring_drop_tctx_refs(current);
}
static void io_req_task_work_add(struct io_kiocb *req)
@@ -9818,18 +9834,6 @@ static s64 tctx_inflight(struct io_uring
return percpu_counter_sum(&tctx->inflight);
}
-static __cold void io_uring_drop_tctx_refs(struct task_struct *task)
-{
- struct io_uring_task *tctx = task->io_uring;
- unsigned int refs = tctx->cached_refs;
-
- if (refs) {
- tctx->cached_refs = 0;
- percpu_counter_sub(&tctx->inflight, refs);
- put_task_struct_many(task, refs);
- }
-}
-
/*
* Find any io_uring ctx that this task has registered or done IO on, and cancel
* requests. @sqd should be not-null IFF it's an SQPOLL thread cancellation.
@@ -9887,10 +9891,14 @@ static __cold void io_uring_cancel_gener
schedule();
finish_wait(&tctx->wait, &wait);
} while (1);
- atomic_dec(&tctx->in_idle);
io_uring_clean_tctx(tctx);
if (cancel_all) {
+ /*
+ * We shouldn't run task_works after cancel, so just leave
+ * ->in_idle set for normal exit.
+ */
+ atomic_dec(&tctx->in_idle);
/* for exec all current's requests should be gone, kill tctx */
__io_uring_free(current);
}
next prev parent reply other threads:[~2022-01-27 18:12 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-27 18:09 [PATCH 5.16 0/9] 5.16.4-rc1 review Greg Kroah-Hartman
2022-01-27 18:09 ` [PATCH 5.16 1/9] drm/i915: Flush TLBs before releasing backing store Greg Kroah-Hartman
2022-01-27 18:09 ` [PATCH 5.16 2/9] drm/amd/display: reset dcn31 SMU mailbox on failures Greg Kroah-Hartman
2022-01-27 18:09 ` Greg Kroah-Hartman [this message]
2022-01-27 18:09 ` [PATCH 5.16 4/9] bnx2x: Utilize firmware 7.13.21.0 Greg Kroah-Hartman
2022-01-27 18:09 ` [PATCH 5.16 5/9] bnx2x: Invalidate fastpath HSI version for VFs Greg Kroah-Hartman
2022-01-27 18:09 ` [PATCH 5.16 6/9] memcg: better bounds on the memcg stats updates Greg Kroah-Hartman
2022-01-27 18:09 ` [PATCH 5.16 7/9] rcu: Tighten rcu_advance_cbs_nowake() checks Greg Kroah-Hartman
2022-01-27 18:09 ` [PATCH 5.16 8/9] select: Fix indefinitely sleeping task in poll_schedule_timeout() Greg Kroah-Hartman
2022-01-27 18:09 ` [PATCH 5.16 9/9] arm64/bpf: Remove 128MB limit for BPF JIT programs Greg Kroah-Hartman
2022-01-28 1:16 ` [PATCH 5.16 0/9] 5.16.4-rc1 review Shuah Khan
2022-01-28 3:10 ` Florian Fainelli
2022-01-28 3:42 ` Zan Aziz
2022-01-28 10:50 ` Naresh Kamboju
2022-01-28 11:26 ` Rudi Heitbaum
2022-01-28 13:54 ` Ron Economos
2022-01-28 23:05 ` Fox Chen
2022-01-29 2:04 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220127180259.001727110@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=asml.silence@gmail.com \
--cc=axboe@kernel.dk \
--cc=linux-kernel@vger.kernel.org \
--cc=lukas.bulwahn@gmail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).