This is a note to let you know that I've just added the patch titled

io_uring: have io_kill_timeout() honor the request references

to the 5.4-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
io_uring-have-io_kill_timeout-honor-the-request-references.patch
and it can be found in the queue-5.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it.

>From c835053c99074197d55857c6db5576a3f0ac1c08 Mon Sep 17 00:00:00 2001
From: Jens Axboe <axboe@xxxxxxxxx>
Date: Tue, 23 May 2023 08:26:06 -0600
Subject: io_uring: have io_kill_timeout() honor the request references

From: Jens Axboe <axboe@xxxxxxxxx>

No upstream commit exists for this patch.

Don't free the request unconditionally, if the request is issued async then someone else may be holding a submit reference to it.

Reported-and-tested-by: Lee Jones <lee@xxxxxxxxxx>
Signed-off-by: Jens Axboe <axboe@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

--- fs/io_uring.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -551,7 +551,8 @@ static void io_kill_timeout(struct io_ki atomic_inc(&req->ctx->cq_timeouts); list_del(&req->list); io_cqring_fill_event(req->ctx, req->user_data, 0); - __io_free_req(req); + if (refcount_dec_and_test(&req->refs)) + __io_free_req(req); } }

Patches currently in stable-queue which might be from axboe@xxxxxxxxx are

queue-5.4/io_uring-don-t-drop-completion-lock-before-timer-is-fully-initialized.patch
queue-5.4/io_uring-have-io_kill_timeout-honor-the-request-references.patch
queue-5.4/io_uring-always-grab-lock-in-io_cancel_async_work.patch
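
Review bot: The new `if (refcount_dec_and_test(&req->refs))` at the end of io_kill_timeout() carries no comment saying which reference it drops, and the changelog only says that an async-issued request may still have a submit reference held by someone else. A one-line comment above the `if` naming the reference being put here, and noting that the remaining holder frees the request on its own put, would make the lifetime rule checkable by the next person touching this path. Since the changelog states that no upstream commit exists, it would also help to say why the fix is specific to this tree, so that anyone carrying it to another branch knows whether to look for an equivalent.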