[ Crossed emails ]

On Mon, Apr 22, 2019 at 9:23 AM Jens Axboe <axboe@xxxxxxxxx> wrote:
>
> I think the below should fix this. Very early versions of io_uring didn't
> have this issue, since we did the percpu ref tryget for io_uring_register().

Ok, so I like your patch better than mine, but note how syzbot bisected this to the initial merge of the io_uring code.

I agree that code shouldn't have had this particular issue, but it looks like it does.

Is there some way to race with io_ring_ctx_wait_and_kill(), which _also_ does that ref_kill() thing? I'm not seeing how that could happen, but maybe if the file ref counts get screwed up you have ->release() called early..

Linus