Don't bother to take a ctx->refs for io_req_task_cancel() because it take uring_lock before putting a request, and the context is promised to stay alive until unlock happens. Signed-off-by: Pavel Begunkov <asml.silence@xxxxxxxxx> --- fs/io_uring.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/fs/io_uring.c b/fs/io_uring.c index 6e781c064e74..2d66d0afc6c0 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -2010,10 +2010,10 @@ static void io_req_task_cancel(struct callback_head *cb) struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work); struct io_ring_ctx *ctx = req->ctx; + /* ctx is guaranteed to stay alive while we hold uring_lock */ mutex_lock(&ctx->uring_lock); __io_req_task_cancel(req, req->result); mutex_unlock(&ctx->uring_lock); - percpu_ref_put(&ctx->refs); } static void __io_req_task_submit(struct io_kiocb *req) @@ -2044,14 +2044,12 @@ static void io_req_task_queue(struct io_kiocb *req) ret = io_req_task_work_add(req); if (unlikely(ret)) { req->result = -ECANCELED; - percpu_ref_get(&req->ctx->refs); io_req_task_work_add_fallback(req, io_req_task_cancel); } } static void io_req_task_queue_fail(struct io_kiocb *req, int ret) { - percpu_ref_get(&req->ctx->refs); req->result = ret; req->task_work.func = io_req_task_cancel; -- 2.24.0