Commit 99b32808 authored by Pavel Begunkov's avatar Pavel Begunkov Committed by Jens Axboe
Browse files

io_uring: fix overflowed cancel w/ linked ->files 



Current io_match_files() check in io_cqring_overflow_flush() is useless
because requests drop ->files before going to the overflow list, however
linked to it request do not, and we don't check them.

Signed-off-by: default avatarPavel Begunkov <asml.silence@gmail.com>
Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
parent cb8a8ae3

fs/io_uring.c

+21 −22
Original line number Diff line number Diff line
@@ -1593,14 +1593,29 @@ static void io_cqring_mark_overflow(struct io_ring_ctx *ctx) 
	}

}



static inline bool io_match_files(struct io_kiocb *req,

static inline bool __io_match_files(struct io_kiocb *req,

				    struct files_struct *files)

{

	return ((req->flags & REQ_F_WORK_INITIALIZED) &&

	        (req->work.flags & IO_WQ_WORK_FILES)) &&

		req->work.identity->files == files;

}



static bool io_match_files(struct io_kiocb *req,

			   struct files_struct *files)

{

	struct io_kiocb *link;



	if (!files)

		return true;

	if ((req->flags & REQ_F_WORK_INITIALIZED) &&

	    (req->work.flags & IO_WQ_WORK_FILES))

		return req->work.identity->files == files;

	if (__io_match_files(req, files))

		return true;

	if (req->flags & REQ_F_LINK_HEAD) {

		list_for_each_entry(link, &req->link_list, link_list) {

			if (__io_match_files(link, files))

				return true;

		}

	}

	return false;

}
@@ -8406,22 +8421,6 @@ static bool io_match_link(struct io_kiocb *preq, struct io_kiocb *req) 
	return false;

}



static bool io_match_link_files(struct io_kiocb *req,

				struct files_struct *files)

{

	struct io_kiocb *link;



	if (io_match_files(req, files))

		return true;

	if (req->flags & REQ_F_LINK_HEAD) {

		list_for_each_entry(link, &req->link_list, link_list) {

			if (io_match_files(link, files))

				return true;

		}

	}

	return false;

}



/*

 * We're looking to cancel 'req' because it's holding on to our files, but

 * 'req' could be a link to another request. See if it is, and cancel that
@@ -8504,7 +8503,7 @@ static void io_cancel_defer_files(struct io_ring_ctx *ctx, 


	spin_lock_irq(&ctx->completion_lock);

	list_for_each_entry_reverse(de, &ctx->defer_list, list) {

		if (io_match_link_files(de->req, files)) {

		if (io_match_files(de->req, files)) {

			list_cut_position(&list, &ctx->defer_list, &de->list);

			break;

		}

CRA Git | Maintained and supported by SUSTech CRA and CCSE