On 06/12/2020 22:22, Pavel Begunkov wrote:
> IOPOLL allows buffer remove/provide requests, but they doesn't
> synchronise by rules of IOPOLL, namely it have to hold uring_lock.
>
> Cc: <stable@xxxxxxxxxxxxxxx> # 5.7+
> Signed-off-by: Pavel Begunkov <asml.silence@xxxxxxxxx>
> ---
> fs/io_uring.c | 23 ++++++++++++++++++-----
> 1 file changed, 18 insertions(+), 5 deletions(-)
>
> diff --git a/fs/io_uring.c b/fs/io_uring.c
> index c895a306f919..4fac02ea5f4c 100644
> --- a/fs/io_uring.c
> +++ b/fs/io_uring.c
> @@ -3948,11 +3948,17 @@ static int io_remove_buffers(struct io_kiocb *req, bool force_nonblock,
> head = idr_find(&ctx->io_buffer_idr, p->bgid);
> if (head)
> ret = __io_remove_buffers(ctx, head, p->bgid, p->nbufs);
> -
> - io_ring_submit_lock(ctx, !force_nonblock);
Here should be unlock(), not a second lock(). I didn't notice
first, but the patch fixes it. maybe for 5.10?
> if (ret < 0)
> req_set_fail_links(req);
> - __io_req_complete(req, ret, 0, cs);
> +
> + /* need to hold the lock to complete IOPOLL requests */
> + if (ctx->flags & IORING_SETUP_IOPOLL) {
> + __io_req_complete(req, ret, 0, cs);
> + io_ring_submit_unlock(ctx, !force_nonblock);
> + } else {
> + io_ring_submit_unlock(ctx, !force_nonblock);
> + __io_req_complete(req, ret, 0, cs);
> + }
> return 0;
> }
--
Pavel Begunkov
