This is a note to let you know that I've just added the patch titled io_uring: Fix use of XArray in __io_uring_files_cancel to the 5.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: io_uring-fix-use-of-xarray-in-__io_uring_files_cancel.patch and it can be found in the queue-5.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From foo@baz Thu Oct 29 01:19:08 PM CET 2020 From: "Matthew Wilcox (Oracle)" <willy@xxxxxxxxxxxxx> Date: Fri, 9 Oct 2020 13:49:51 +0100 Subject: io_uring: Fix use of XArray in __io_uring_files_cancel From: "Matthew Wilcox (Oracle)" <willy@xxxxxxxxxxxxx> commit ce765372bc443573d1d339a2bf4995de385dea3a upstream. We have to drop the lock during each iteration, so there's no advantage to using the advanced API. Convert this to a standard xa_for_each() loop. Reported-by: syzbot+27c12725d8ff0bfe1a13@xxxxxxxxxxxxxxxxxxxxxxxxx Signed-off-by: Matthew Wilcox (Oracle) <willy@xxxxxxxxxxxxx> Signed-off-by: Jens Axboe <axboe@xxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- fs/io_uring.c | 19 +++++-------------- 1 file changed, 5 insertions(+), 14 deletions(-) --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -8415,28 +8415,19 @@ static void io_uring_attempt_task_drop(s void __io_uring_files_cancel(struct files_struct *files) { struct io_uring_task *tctx = current->io_uring; - XA_STATE(xas, &tctx->xa, 0); + struct file *file; + unsigned long index; /* make sure overflow events are dropped */ tctx->in_idle = true; - do { - struct io_ring_ctx *ctx; - struct file *file; - - xas_lock(&xas); - file = xas_next_entry(&xas, ULONG_MAX); - xas_unlock(&xas); - - if (!file) - break; - - ctx = file->private_data; + xa_for_each(&tctx->xa, index, file) { + struct io_ring_ctx *ctx = file->private_data; io_uring_cancel_task_requests(ctx, files); if (files) io_uring_del_task_file(file); - } while (1); + } } static inline bool io_uring_task_idle(struct io_uring_task *tctx) Patches currently in stable-queue which might be from willy@xxxxxxxxxxxxx are queue-5.9/io_uring-convert-advanced-xarray-uses-to-the-normal-api.patch queue-5.9/io_uring-fix-xarray-usage-in-io_uring_add_task_file.patch queue-5.9/io_uring-fix-use-of-xarray-in-__io_uring_files_cancel.patch