This is a note to let you know that I've just added the patch titled io_uring: hold uring mutex around poll removal to the 5.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: io_uring-hold-uring-mutex-around-poll-removal.patch and it can be found in the queue-5.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 3f1f052a5f8e2f9c568c4e0a34057b9049e948d9 Mon Sep 17 00:00:00 2001 From: Jens Axboe <axboe@xxxxxxxxx> Date: Fri, 16 Jun 2023 21:12:06 -0600 Subject: io_uring: hold uring mutex around poll removal From: Jens Axboe <axboe@xxxxxxxxx> Snipped from commit 9ca9fb24d5febccea354089c41f96a8ad0d853f8 upstream. While reworking the poll hashing in the v6.0 kernel, we ended up grabbing the ctx->uring_lock in poll update/removal. This also fixed a bug with linked timeouts racing with timeout expiry and poll removal. Bring back just the locking fix for that. Reported-and-tested-by: Querijn Voet <querijnqyn@xxxxxxxxx> Signed-off-by: Jens Axboe <axboe@xxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- io_uring/io_uring.c | 3 +++ 1 file changed, 3 insertions(+) --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -6111,6 +6111,8 @@ static int io_poll_update(struct io_kioc struct io_kiocb *preq; int ret2, ret = 0; + io_ring_submit_lock(ctx, !(issue_flags & IO_URING_F_NONBLOCK)); + spin_lock(&ctx->completion_lock); preq = io_poll_find(ctx, req->poll_update.old_user_data, true); if (!preq || !io_poll_disarm(preq)) { @@ -6142,6 +6144,7 @@ out: req_set_fail(req); /* complete update request, we're done with it */ io_req_complete(req, ret); + io_ring_submit_unlock(ctx, !(issue_flags & IO_URING_F_NONBLOCK)); return 0; } Patches currently in stable-queue which might be from axboe@xxxxxxxxx are queue-5.15/io_uring-hold-uring-mutex-around-poll-removal.patch