We should better read and set ent->fuse_req while holding a lock, at it can be accessed from other threads, for example during teardown. This was part of a patch from Joanne for timeout optimizations and I had split it out.

Fixes: a4bdb3d786c0 ("fuse: enable fuse-over-io-uring")
Signed-off-by: Bernd Schubert <bschubert@xxxxxxx>
---
 fs/fuse/dev_uring.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/fs/fuse/dev_uring.c b/fs/fuse/dev_uring.c
index 5c9b5a5fb7f7539149840378e224eb640cf8ef08..2477bbdfcbab7cd27a513bbcf9b6ed69e90d2e72 100644
--- a/fs/fuse/dev_uring.c
+++ b/fs/fuse/dev_uring.c
@@ -78,12 +78,14 @@ static void fuse_uring_flush_bg(struct fuse_ring_queue *queue)
 static void fuse_uring_req_end(struct fuse_ring_ent *ent, int error)
 {
 struct fuse_ring_queue *queue = ent->queue;
- struct fuse_req *req = ent->fuse_req;
+ struct fuse_req *req;
 struct fuse_ring *ring = queue->ring;
 struct fuse_conn *fc = ring->fc;

 lockdep_assert_not_held(&queue->lock);
 spin_lock(&queue->lock);
+ req = ent->fuse_req;
+ ent->fuse_req = NULL;
 if (test_bit(FR_BACKGROUND, &req->flags)) {
 queue->active_background--;
 spin_lock(&fc->bg_lock);
@@ -97,8 +99,7 @@ static void fuse_uring_req_end(struct fuse_ring_ent *ent, int error)
 req->out.h.error = error;

 clear_bit(FR_SENT, &req->flags);
- fuse_request_end(ent->fuse_req);
- ent->fuse_req = NULL;
+ fuse_request_end(req);
 }

 /* Abort all list queued request on the given ring queue */
--
2.43.0
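Review bot: In the first hunk, `req` is dereferenced by `test_bit(FR_BACKGROUND, &req->flags)` right after it is read under `queue->lock`, with no check that `ent->fuse_req` was still set. The commit message says other threads (teardown, for example) can touch this field, so if any such path can clear or take the request first, this becomes a NULL dereference. If the entry state rules that out, a `WARN_ON_ONCE(!req)` guard or a comment above the two added lines would record the invariant, e.g. `/* ent->fuse_req is protected by queue->lock; detach it here so no other path can end this request a second time */`. The fix also holds only if every other reader and writer of `ent->fuse_req` takes `queue->lock`, which this diff does not show. The function body between the first hunk and the `fuse_request_end(req)` hunk is outside the visible lines.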