On 09/10/2020 15:49, Matthew Wilcox (Oracle) wrote:
> We have to drop the lock during each iteration, so there's no advantage
> to using the advanced API. Convert this to a standard xa_for_each() loop.
LGTM, but would be better to add
Reported-by: syzbot+27c12725d8ff0bfe1a13@xxxxxxxxxxxxxxxxxxxxxxxxx
>
> Signed-off-by: Matthew Wilcox (Oracle) <willy@xxxxxxxxxxxxx>
> ---
> fs/io_uring.c | 19 +++++--------------
> 1 file changed, 5 insertions(+), 14 deletions(-)
>
> diff --git a/fs/io_uring.c b/fs/io_uring.c
> index 299c530c66f9..2978cc78538a 100644
> --- a/fs/io_uring.c
> +++ b/fs/io_uring.c
> @@ -8665,28 +8665,19 @@ static void io_uring_attempt_task_drop(struct file *file, bool exiting)
> void __io_uring_files_cancel(struct files_struct *files)
> {
> struct io_uring_task *tctx = current->io_uring;
> - XA_STATE(xas, &tctx->xa, 0);
> + struct file *file;
> + unsigned long index;
>
> /* make sure overflow events are dropped */
> tctx->in_idle = true;
>
> - do {
> - struct io_ring_ctx *ctx;
> - struct file *file;
> -
> - xas_lock(&xas);
> - file = xas_next_entry(&xas, ULONG_MAX);
> - xas_unlock(&xas);
> -
> - if (!file)
> - break;
> -
> - ctx = file->private_data;
> + xa_for_each(&tctx->xa, index, file) {
> + struct io_ring_ctx *ctx = file->private_data;
>
> io_uring_cancel_task_requests(ctx, files);
> if (files)
> io_uring_del_task_file(file);
> - } while (1);
> + }
> }
>
> static inline bool io_uring_task_idle(struct io_uring_task *tctx)
>
--
Pavel Begunkov
