In io_read() or io_write(), when io request is submitted successfully,
it'll go through below codes:
kfree(iovec);
req->flags &= ~REQ_F_NEED_CLEANUP;
return ret;
But indeed the "req->flags &= ~REQ_F_NEED_CLEANUP;" maybe dangerous,
io request may already have been completed, then io_complete_rw_iopoll()
and io_complete_rw() will be called, both of them will also modify
req->flags if needed, race condition will occur, concurrent modifaction
will happen, which is neither protected by locks nor atomic operations.
To eliminate this race, in io_read() or io_write(), if io request is
submitted successfully, we don't remove REQ_F_NEED_CLEANUP flag. If
REQ_F_NEED_CLEANUP is set, we'll leave __io_req_aux_free() to the
iovec cleanup work correspondingly.
Signed-off-by: Xiaoguang Wang <xiaoguang.wang@xxxxxxxxxxxxxxxxx>
---
fs/io_uring.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index 2038d52c5450..a78201b96179 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -2670,8 +2670,8 @@ static int io_read(struct io_kiocb *req, bool force_nonblock)
}
}
out_free:
- kfree(iovec);
- req->flags &= ~REQ_F_NEED_CLEANUP;
+ if (!(req->flags & REQ_F_NEED_CLEANUP))
+ kfree(iovec);
return ret;
}
@@ -2793,8 +2793,8 @@ static int io_write(struct io_kiocb *req, bool force_nonblock)
}
}
out_free:
- req->flags &= ~REQ_F_NEED_CLEANUP;
- kfree(iovec);
+ if (!(req->flags & REQ_F_NEED_CLEANUP))
+ kfree(iovec);
return ret;
}
--
2.17.2
