Re: [PATCH for-5.15] io_uring: fix lacking of protection for compl_nr

[Hao Xu <haoxu@linux.alibaba.com>]

在 2021/8/21 上午5:32, Pavel Begunkov 写道:
> On 8/20/21 9:39 PM, Hao Xu wrote:
>> 在 2021/8/21 上午2:59, Pavel Begunkov 写道:
>>> On 8/20/21 7:40 PM, Hao Xu wrote:
>>>> coml_nr in ctx_flush_and_put() is not protected by uring_lock, this
>>>> may cause problems when accessing it parallelly.
>>>
>>> Did you hit any problem? It sounds like it should be fine as is:
>>>
>>> The trick is that it's only responsible to flush requests added
>>> during execution of current call to tctx_task_work(), and those
>>> naturally synchronised with the current task. All other potentially
>>> enqueued requests will be of someone else's responsibility.
>>>
>>> So, if nobody flushed requests, we're finely in-sync. If we see
>>> 0 there, but actually enqueued a request, it means someone
>>> actually flushed it after the request had been added.
>>>
>>> Probably, needs a more formal explanation with happens-before
>>> and so.
>> I should put more detail in the commit message, the thing is:
>> say coml_nr > 0
>>
>>    ctx_flush_and put                  other context
>>     if (compl_nr)                      get mutex
>>                                        coml_nr > 0
>>                                        do flush
>>                                            coml_nr = 0
>>                                        release mutex
>>          get mutex
>>             do flush (*)
>>          release mutex
>>
>> in (*) place, we do a bunch of unnecessary works, moreover, we
> 
> I wouldn't care about overhead, that shouldn't be much
> 
>> call io_cqring_ev_posted() which I think we shouldn't.
> 
> IMHO, users should expect spurious io_cqring_ev_posted(),
> though there were some eventfd users complaining before, so
> for them we can do
> 
> if (state->nr) {
>      lock();
>      if (state->nr) flush();
>      unlock();
> }
Agree.
> 
>>>> Fixes: d10299e14aae ("io_uring: inline struct io_comp_state")
>>>
>>> FWIW, it came much earlier than this commit, IIRC
>>>
>>> commit 2c32395d8111037ae2cb8cab883e80bcdbb70713
>>> Author: Pavel Begunkov <asml.silence@gmail.com>
>>> Date:   Sun Feb 28 22:04:53 2021 +0000
>>>
>>>       io_uring: fix __tctx_task_work() ctx race
>>>
>>>
>>>> Signed-off-by: Hao Xu <haoxu@linux.alibaba.com>
>>>> ---
>>>>    fs/io_uring.c | 7 +++----
>>>>    1 file changed, 3 insertions(+), 4 deletions(-)
>>>>
>>>> diff --git a/fs/io_uring.c b/fs/io_uring.c
>>>> index c755efdac71f..420f8dfa5327 100644
>>>> --- a/fs/io_uring.c
>>>> +++ b/fs/io_uring.c
>>>> @@ -2003,11 +2003,10 @@ static void ctx_flush_and_put(struct io_ring_ctx *ctx)
>>>>    {
>>>>        if (!ctx)
>>>>            return;
>>>> -    if (ctx->submit_state.compl_nr) {
>>>> -        mutex_lock(&ctx->uring_lock);
>>>> +    mutex_lock(&ctx->uring_lock);
>>>> +    if (ctx->submit_state.compl_nr)
>>>>            io_submit_flush_completions(ctx);
>>>> -        mutex_unlock(&ctx->uring_lock);
>>>> -    }
>>>> +    mutex_unlock(&ctx->uring_lock);
>>>>        percpu_ref_put(&ctx->refs);
>>>>    }
>>>>   
>>>
>>
>