* [PATCH for-5.15 v2] io_uring: fix lacking of protection for compl_nr
@ 2021-08-20 22:19 Hao Xu
2021-08-20 22:23 ` Jens Axboe
0 siblings, 1 reply; 2+ messages in thread
From: Hao Xu @ 2021-08-20 22:19 UTC (permalink / raw)
To: Jens Axboe; +Cc: io-uring, Pavel Begunkov, Joseph Qi
coml_nr in ctx_flush_and_put() is not protected by uring_lock, this
may cause problems when accessing it parallelly:
say coml_nr > 0
ctx_flush_and put other context
if (compl_nr) get mutex
coml_nr > 0
do flush
coml_nr = 0
release mutex
get mutex
do flush (*)
release mutex
in (*) place, we call io_cqring_ev_posted() and users likely get
none events there.
Fixes: 2c32395d8111 ("io_uring: fix __tctx_task_work() ctx race")
Signed-off-by: Hao Xu <[email protected]>
---
fs/io_uring.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index c755efdac71f..c3bd2b3fc46b 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -2005,7 +2005,8 @@ static void ctx_flush_and_put(struct io_ring_ctx *ctx)
return;
if (ctx->submit_state.compl_nr) {
mutex_lock(&ctx->uring_lock);
- io_submit_flush_completions(ctx);
+ if (ctx->submit_state.compl_nr)
+ io_submit_flush_completions(ctx);
mutex_unlock(&ctx->uring_lock);
}
percpu_ref_put(&ctx->refs);
--
2.24.4
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-08-20 22:23 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-08-20 22:19 [PATCH for-5.15 v2] io_uring: fix lacking of protection for compl_nr Hao Xu
2021-08-20 22:23 ` Jens Axboe
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox