On 06/04/2020 00:08, Pavel Begunkov wrote:
> If io_get_req() fails, it drops a ref. Then, awhile keeping @submitted
> unmodified, io_submit_sqes() breaks the loop and puts @nr - @submitted
> refs. For each submitted req a ref is dropped in io_put_req() and
> friends. So, for @nr taken refs there will be
> (@nr - @submitted + @submitted + 1) dropped.
> 
> Remove ctx refcounting from io_get_req(), that at the same time makes
> it clearer.

It seems, nobody hit OOM, so it stayed unnoticed. And neither did I.
It could be a good idea to do fault-injection for testing.

> 
> Fixes: 2b85edfc0c90 ("io_uring: batch getting pcpu references")
> Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
> ---
>  fs/io_uring.c | 1 -
>  1 file changed, 1 deletion(-)
> 
> diff --git a/fs/io_uring.c b/fs/io_uring.c
> index 78ae8e8ed5bf..79bd22289d73 100644
> --- a/fs/io_uring.c
> +++ b/fs/io_uring.c
> @@ -1342,7 +1342,6 @@ static struct io_kiocb *io_get_req(struct io_ring_ctx *ctx,
>  	req = io_get_fallback_req(ctx);
>  	if (req)
>  		goto got_it;
> -	percpu_ref_put(&ctx->refs);
>  	return NULL;
>  }
>  
> 

-- 
Pavel Begunkov