On 6/18/20 1:01 AM, Xiaoguang Wang wrote:
> In io_read() or io_write(), when io request is submitted successfully,
> it'll go through below codes:
>     kfree(iovec);
>     req->flags &= ~REQ_F_NEED_CLEANUP;
>     return ret;
>
> But indeed the "req->flags &= ~REQ_F_NEED_CLEANUP;" may be dangerous,
> io request may already have been completed, then io_complete_rw_iopoll()
> and io_complete_rw() will be called, both of them will also modify
> req->flags if needed, race condition will occur, concurrent modification
> will happen, which is neither protected by locks nor atomic operations.
>
> To eliminate this race, in io_read() or io_write(), if io request is
> submitted successfully, we don't remove REQ_F_NEED_CLEANUP flag. If
> REQ_F_NEED_CLEANUP is set, we'll leave __io_req_aux_free() to the
> iovec cleanup work correspondingly.

Thanks, good catch!

-- 
Jens Axboe
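The lost-update race the patch description talks about, as an added illustration that is not kernel code: a plain read-modify-write on `req->flags` in the submit path is split into its load and store so a completion running between them can be shown to have its bit overwritten, next to the fixed submit path that leaves the flag alone and defers the iovec release to a stand-in for `__io_req_aux_free()`. The flag values, `struct req`, `REQ_F_DONE` and `aux_free()` are assumptions made for the demonstration, not the kernel's definitions.

```c
#include <stdlib.h>

/* Assumed flag values modelled on the io_uring names; not the kernel's. */
#define REQ_F_NEED_CLEANUP (1u << 0)
#define REQ_F_DONE         (1u << 1)  /* stand-in for a bit the completion path sets */

struct req {
    unsigned int flags;
    void *iovec;      /* non-NULL while an allocated iovec still awaits cleanup */
};

/* Completion path (io_complete_rw / io_complete_rw_iopoll in the mail):
 * sets its own bit with a plain, non-atomic read-modify-write. */
static void complete(struct req *r) { r->flags |= REQ_F_DONE; }

/* Racy submit path: the original code clears NEED_CLEANUP after submission.
 * The RMW is written as an explicit load and store so the interleaving is
 * visible; completion_in_between=1 models the request completing on another
 * CPU between the two. The store then overwrites completion's bit. */
static unsigned int racy_submit_flags(struct req *r, int completion_in_between)
{
    unsigned int snapshot = r->flags;            /* load */
    if (completion_in_between)
        complete(r);                             /* concurrent completion */
    r->flags = snapshot & ~REQ_F_NEED_CLEANUP;   /* store: REQ_F_DONE is lost */
    return r->flags;
}

/* Fixed submit path: do not touch req->flags at all; NEED_CLEANUP stays set
 * so the later cleanup hook frees the iovec. */
static unsigned int fixed_submit_flags(struct req *r, int completion_in_between)
{
    if (completion_in_between)
        complete(r);
    return r->flags;
}

/* Stand-in for __io_req_aux_free(): releases the iovec only when the flag is
 * still set, which is exactly what the fix relies on. Returns 1 if it freed. */
static int aux_free(struct req *r)
{
    if (!(r->flags & REQ_F_NEED_CLEANUP))
        return 0;
    free(r->iovec);
    r->iovec = NULL;
    r->flags &= ~REQ_F_NEED_CLEANUP;
    return 1;
}
```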