If io_ring_ctx_wait_and_kill() hasn't killed all requests on the first
attempt, new timeouts or requests enqueued for polling may appear. They
will never be cancelled by io_ring_exit_work() unless we specifically
handle that case. That hangs the exit work, locking up the resources
grabbed by io_uring.

Cc: <stable@xxxxxxxxxxxxxxx> # 5.5+
Cc: Josef <josef.grieb@xxxxxxxxx>
Reported-by: Dmitry Kadashev <dkadashev@xxxxxxxxx>
Signed-off-by: Pavel Begunkov <asml.silence@xxxxxxxxx>
---
 fs/io_uring.c | 55 +++++++++++++++++++++++++++------------------------
 1 file changed, 29 insertions(+), 26 deletions(-)

diff --git a/fs/io_uring.c b/fs/io_uring.c
index fbf747803dbc..c1acc668fe96 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -8620,6 +8620,32 @@ static int io_remove_personalities(int id, void *p, void *data)
 	return 0;
 }
 
+static void io_cancel_defer_files(struct io_ring_ctx *ctx,
+				  struct task_struct *task,
+				  struct files_struct *files)
+{
+	struct io_defer_entry *de = NULL;
+	LIST_HEAD(list);
+
+	spin_lock_irq(&ctx->completion_lock);
+	list_for_each_entry_reverse(de, &ctx->defer_list, list) {
+		if (io_match_task(de->req, task, files)) {
+			list_cut_position(&list, &ctx->defer_list, &de->list);
+			break;
+		}
+	}
+	spin_unlock_irq(&ctx->completion_lock);
+
+	while (!list_empty(&list)) {
+		de = list_first_entry(&list, struct io_defer_entry, list);
+		list_del_init(&de->list);
+		req_set_fail_links(de->req);
+		io_put_req(de->req);
+		io_req_complete(de->req, -ECANCELED);
+		kfree(de);
+	}
+}
+
 static void io_ring_exit_work(struct work_struct *work)
 {
 	struct io_ring_ctx *ctx = container_of(work, struct io_ring_ctx,
@@ -8633,6 +8659,8 @@ static void io_ring_exit_work(struct work_struct *work)
 	 */
 	do {
 		io_iopoll_try_reap_events(ctx);
+		io_poll_remove_all(ctx, NULL, NULL);
+		io_kill_timeouts(ctx, NULL, NULL);
 	} while (!wait_for_completion_timeout(&ctx->ref_comp, HZ/20));
 	io_ring_ctx_free(ctx);
 }
@@ -8654,6 +8682,7 @@ static void io_ring_ctx_wait_and_kill(struct io_ring_ctx *ctx)
 	io_cqring_overflow_flush(ctx, true, NULL, NULL);
 	mutex_unlock(&ctx->uring_lock);
 
+	io_cancel_defer_files(ctx, NULL, NULL);
 	io_kill_timeouts(ctx, NULL, NULL);
 	io_poll_remove_all(ctx, NULL, NULL);
 
@@ -8716,32 +8745,6 @@ static bool io_cancel_task_cb(struct io_wq_work *work, void *data)
 	return ret;
 }
 
-static void io_cancel_defer_files(struct io_ring_ctx *ctx,
-				  struct task_struct *task,
-				  struct files_struct *files)
-{
-	struct io_defer_entry *de = NULL;
-	LIST_HEAD(list);
-
-	spin_lock_irq(&ctx->completion_lock);
-	list_for_each_entry_reverse(de, &ctx->defer_list, list) {
-		if (io_match_task(de->req, task, files)) {
-			list_cut_position(&list, &ctx->defer_list, &de->list);
-			break;
-		}
-	}
-	spin_unlock_irq(&ctx->completion_lock);
-
-	while (!list_empty(&list)) {
-		de = list_first_entry(&list, struct io_defer_entry, list);
-		list_del_init(&de->list);
-		req_set_fail_links(de->req);
-		io_put_req(de->req);
-		io_req_complete(de->req, -ECANCELED);
-		kfree(de);
-	}
-}
-
 static void io_uring_cancel_files(struct io_ring_ctx *ctx,
 				  struct task_struct *task,
 				  struct files_struct *files)
-- 
2.24.0
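
For reference, below is a minimal userspace sketch of the class of
workload affected: it arms a long timeout and exits without reaping it,
leaving a pending request that ring teardown must cancel rather than
wait out. This is my illustration, not the reproducer from the original
report; it assumes liburing is available, and the file name repro.c and
the one-hour timeout are arbitrary choices. Build with something like
"gcc repro.c -o repro -luring".

	/* repro.c -- hypothetical sketch, not part of the patch.
	 * Arm a timeout and exit without reaping it.  Before this fix,
	 * a request surviving the first pass of
	 * io_ring_ctx_wait_and_kill() would never be cancelled, and
	 * io_ring_exit_work() could wait on ctx->ref_comp forever. */
	#include <liburing.h>
	#include <stdio.h>

	int main(void)
	{
		struct io_uring ring;
		struct io_uring_sqe *sqe;
		struct __kernel_timespec ts = { .tv_sec = 3600, .tv_nsec = 0 };

		if (io_uring_queue_init(8, &ring, 0) < 0) {
			perror("io_uring_queue_init");
			return 1;
		}

		/* Enqueue a one-hour timeout but never reap its CQE. */
		sqe = io_uring_get_sqe(&ring);
		io_uring_prep_timeout(sqe, &ts, 0, 0);
		io_uring_submit(&ring);

		/* Exit with the timeout still pending; the kernel's exit
		 * work must cancel it instead of waiting for it to fire. */
		return 0;
	}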