Commit 31bff9a5 authored by Pavel Begunkov's avatar Pavel Begunkov Committed by Jens Axboe
Browse files

io_uring: fix racy IOPOLL completions 



IOPOLL allows buffer remove/provide requests, but they doesn't
synchronise by rules of IOPOLL, namely it have to hold uring_lock.

Cc: <stable@vger.kernel.org> # 5.7+
Signed-off-by: default avatarPavel Begunkov <asml.silence@gmail.com>
Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
parent dad1b124

fs/io_uring.c

+18 −5
Original line number Diff line number Diff line
@@ -4152,11 +4152,17 @@ static int io_remove_buffers(struct io_kiocb *req, bool force_nonblock, 
	head = idr_find(&ctx->io_buffer_idr, p->bgid);

	if (head)

		ret = __io_remove_buffers(ctx, head, p->bgid, p->nbufs);



	io_ring_submit_lock(ctx, !force_nonblock);

	if (ret < 0)

		req_set_fail_links(req);



	/* need to hold the lock to complete IOPOLL requests */

	if (ctx->flags & IORING_SETUP_IOPOLL) {

		__io_req_complete(req, ret, 0, cs);

		io_ring_submit_unlock(ctx, !force_nonblock);

	} else {

		io_ring_submit_unlock(ctx, !force_nonblock);

		__io_req_complete(req, ret, 0, cs);

	}

	return 0;

}
@@ -4241,10 +4247,17 @@ static int io_provide_buffers(struct io_kiocb *req, bool force_nonblock, 
		}

	}

out:

	io_ring_submit_unlock(ctx, !force_nonblock);

	if (ret < 0)

		req_set_fail_links(req);



	/* need to hold the lock to complete IOPOLL requests */

	if (ctx->flags & IORING_SETUP_IOPOLL) {

		__io_req_complete(req, ret, 0, cs);

		io_ring_submit_unlock(ctx, !force_nonblock);

	} else {

		io_ring_submit_unlock(ctx, !force_nonblock);

		__io_req_complete(req, ret, 0, cs);

	}

	return 0;

}

CRA Git | Maintained and supported by SUSTech CRA and CCSE