Commit dfea9fce authored Dec 18, 2020 by Pavel Begunkov Committed by Jens Axboe Dec 18, 2020

io_uring: close a small race gap for files cancel



The purpose of io_uring_cancel_files() is to wait for all requests
matching ->files to go/be cancelled. We should first drop files of a
request in io_req_drop_files() and only then make it undiscoverable for
io_uring_cancel_files.

First drop, then delete from list. It's ok to leave req->id->files
dangling, because it's not dereferenced by cancellation code, only
compared against. It would potentially go to sleep and be awaken by
following in io_req_drop_files() wake_up().

Fixes: 0f212204 ("io_uring: don't rely on weak ->files references")
Cc: <stable@vger.kernel.org> # 5.5+
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

parent 0020ef04

fs/io_uring.c

+4 −4

Original line number	Diff line number	Diff line
		@@ -6098,15 +6098,15 @@ static void io_req_drop_files(struct io_kiocb *req)
		struct io_uring_task *tctx = req->task->io_uring;
		unsigned long flags;

		put_files_struct(req->work.identity->files);
		put_nsproxy(req->work.identity->nsproxy);
		spin_lock_irqsave(&ctx->inflight_lock, flags);
		list_del(&req->inflight_entry);
		if (atomic_read(&tctx->in_idle))
		wake_up(&tctx->wait);
		spin_unlock_irqrestore(&ctx->inflight_lock, flags);
		req->flags &= ~REQ_F_INFLIGHT;
		put_files_struct(req->work.identity->files);
		put_nsproxy(req->work.identity->nsproxy);
		req->work.flags &= ~IO_WQ_WORK_FILES;
		if (atomic_read(&tctx->in_idle))
		wake_up(&tctx->wait);
		}

		static void __io_clean_op(struct io_kiocb *req)

Admin message