io_uring: fix lack of protection for compl_nr

coml_nr in ctx_flush_and_put() is not protected by uring_lock, this may cause problems when accessing in parallel: say coml_nr > 0 ctx_flush_and put other context if (compl_nr) get mutex coml_nr > 0 do flush coml_nr = 0 release mutex get mutex do flush (*) release mutex in (*) place, we call io_cqring_ev_posted() and users likely get no events there. To avoid spurious events, re-check the value when under the lock. Fixes: 2c32395d8111 ("io_uring: fix __tctx_task_work() ctx race") Signed-off-by: Hao Xu <haoxu@linux.alibaba.com> Link: https://lore.kernel.org/r/20210820221954.61815-1-haoxu@linux.alibaba.com Signed-off-by: Jens Axboe <axboe@kernel.dk>
author: Hao Xu <haoxu@linux.alibaba.com> 2021-08-21 01:19:54 +0300
committer: Jens Axboe <axboe@kernel.dk> 2021-08-23 22:10:46 +0300
commit: 99c8bc52d1321ab3a711eba2941eadbe7425230f (patch)
tree: 0bbbe1f3d0adb68888e119468af7801425e136e3 /fs/io_uring.c
parent: 187f08c12cd1d81f000cdc9c0119ef6e0a6f47e3 (diff)
download: linux-99c8bc52d1321ab3a711eba2941eadbe7425230f.tar.xz
1 files changed, 2 insertions, 1 deletions
diff --git a/fs/io_uring.c b/fs/io_uring.c
index 5d3df4f913a8..706ac8c03b95 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -2007,7 +2007,8 @@ static void ctx_flush_and_put(struct io_ring_ctx *ctx)
 		return;
 	if (ctx->submit_state.compl_nr) {
 		mutex_lock(&ctx->uring_lock);
-		io_submit_flush_completions(ctx);
+		if (ctx->submit_state.compl_nr)
+			io_submit_flush_completions(ctx);
 		mutex_unlock(&ctx->uring_lock);
 	}
 	percpu_ref_put(&ctx->refs);
author	Hao Xu <haoxu@linux.alibaba.com>	2021-08-21 01:19:54 +0300
committer	Jens Axboe <axboe@kernel.dk>	2021-08-23 22:10:46 +0300
commit	99c8bc52d1321ab3a711eba2941eadbe7425230f (patch)
tree	0bbbe1f3d0adb68888e119468af7801425e136e3 /fs/io_uring.c
parent	187f08c12cd1d81f000cdc9c0119ef6e0a6f47e3 (diff)
download	linux-99c8bc52d1321ab3a711eba2941eadbe7425230f.tar.xz