[ Upstream commit 6b5733eb638b7068ab7cb34e663b55a1d1892d85]
files_cancel() should cancel all relevant requests and drop file notes,
so we should never have file notes after that, including on-exit fput
and flush. Add a WARN_ONCE to be sure.
Cc: stable@xxxxxxxxxxxxxxx # 5.5+
Signed-off-by: Pavel Begunkov <asml.silence@xxxxxxxxx>
Signed-off-by: Jens Axboe <axboe@xxxxxxxxx>
---
fs/io_uring.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c
index 6c89d38076d0..4dfba3d44a3c 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -8895,17 +8895,23 @@ void __io_uring_task_cancel(void)
static int io_uring_flush(struct file *file, void *data)
{
- if (!current->io_uring)
+ struct io_uring_task *tctx = current->io_uring;
+
+ if (!tctx)
return 0;
+ /* we should have cancelled and erased it before PF_EXITING */
+ WARN_ON_ONCE((current->flags & PF_EXITING) &&
+ xa_load(&tctx->xa, (unsigned long)file));
+
/*
* fput() is pending, will be 2 if the only other ref is our potential
* task file note. If the task is exiting, drop regardless of count.
*/
- if (fatal_signal_pending(current) || (current->flags & PF_EXITING) ||
- atomic_long_read(&file->f_count) == 2)
- io_uring_del_task_file(file);
+ if (atomic_long_read(&file->f_count) != 2)
+ return 0;
+ io_uring_del_task_file(file);
return 0;
}
--
2.24.0
