On 2/6/20 9:32 AM, Kirill Tkhai wrote:
> Hi, Jens,
>
> in io_grab_files() we take a pointer to current->files without taking
> files->count. Later, this files becomes attached to the worker in
> io_worker_handle_work(), also without any manipulation of the counter.
>
> But files->count is used for different optimizations. Say, in
> expand_fdtable() we avoid synchronize_rcu() in case there is only one
> files user. In case there are more users, missing synchronize_rcu()
> is not safe.
>
> Is this correct? Or maybe there is some hidden logic in io_uring
> which prevents this problem? Say, IORING_OP_OPENAT/CLOSE/ETC can't be
> propagated to a worker etc...

We track requests that grab files on the side, since we can't safely grab
a reference to the file table. We could have our own ring fd in the file
table, and thus create a circular reference if we incremented files->count
here.

Looks like we might need a 2nd way to know if we need to use
synchronize_rcu() or not, though I need to look into this particular
case.

--
Jens Axboe
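The hazard Kirill describes, as an added user-space model of the files->count fast path (constructed for illustration, not kernel code and not from this thread): the struct names mirror the kernel's, but the fields, the reader counter and the "freed" flag standing in for RCU reclaim are assumptions of the model.

```c
#include <stdbool.h>
#include <stdlib.h>

struct fdtable { bool freed; };     /* freed: reclaimed in the model */
struct files_struct {
    int count;                /* holders of a counted reference (files->count) */
    int rcu_readers;          /* outstanding read-side sections on this table */
    struct fdtable *fdt;      /* current table, the RCU-protected pointer */
    struct fdtable *deferred; /* old table waiting for a grace period */
};

/* Grace period stand-in: what synchronize_rcu() waits for before kfree(). */
static void model_grace_period(struct files_struct *f) {
    if (!f->deferred || f->rcu_readers) return;
    f->deferred->freed = true;
    f->deferred = NULL;
}

/* Model of expand_fdtable(): install a new table, then free the old one at
 * once if count == 1 ("we are the only user"), else only after a grace period. */
static void expand_fdtable(struct files_struct *f) {
    struct fdtable *old = f->fdt;
    f->fdt = calloc(1, sizeof *old);
    if (f->count == 1) {
        old->freed = true;          /* fast path: no synchronize_rcu() at all */
    } else {
        f->deferred = old;
        model_grace_period(f);      /* completes only once readers have left */
    }
}

/* A second holder takes the table pointer (as io_grab_files() is described to
 * do) and the owner expands while the holder still reads; `counted` says whether
 * the holder bumped files->count. Returns true if the holder's table was
 * reclaimed under it, the stale access the thread calls "not safe". */
static bool holder_sees_reclaimed(bool counted) {
    struct files_struct f = { .count = 1, .fdt = calloc(1, sizeof(struct fdtable)) };
    struct fdtable *grabbed = f.fdt;
    if (counted) f.count++;
    f.rcu_readers++;                 /* holder enters its read-side section */
    expand_fdtable(&f);
    bool reclaimed = grabbed->freed; /* model only flags; memory is still valid */
    f.rcu_readers--;
    model_grace_period(&f);
    free(grabbed);
    free(f.fdt);
    return reclaimed;
}
```

The uncounted holder sees its table reclaimed while still inside its read-side section; the counted holder forces the slow path, and reclaim waits until it leaves.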