From: Pavel Begunkov <asml.silence@xxxxxxxxx> commit 2ccc92f4effcfa1c51c4fcf1e34d769099d3cad4 upstream. There are pieces of code that may allow iopoll to race filling cqes, temporarily add spinlocking around posting events. Cc: stable@xxxxxxxxxxxxxxx Signed-off-by: Pavel Begunkov <asml.silence@xxxxxxxxx> Link: https://lore.kernel.org/r/84d86b5c117feda075471c5c9e65208e0dccf5d0.1669203009.git.asml.silence@xxxxxxxxx Signed-off-by: Jens Axboe <axboe@xxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- io_uring/rw.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) --- a/io_uring/rw.c +++ b/io_uring/rw.c @@ -1043,6 +1043,7 @@ int io_do_iopoll(struct io_ring_ctx *ctx else if (!pos) return 0; + spin_lock(&ctx->completion_lock); prev = start; wq_list_for_each_resume(pos, prev) { struct io_kiocb *req = container_of(pos, struct io_kiocb, comp_list); @@ -1057,11 +1058,11 @@ int io_do_iopoll(struct io_ring_ctx *ctx req->cqe.flags = io_put_kbuf(req, 0); __io_fill_cqe_req(req->ctx, req); } - + io_commit_cqring(ctx); + spin_unlock(&ctx->completion_lock); if (unlikely(!nr_events)) return 0; - io_commit_cqring(ctx); io_cqring_ev_posted_iopoll(ctx); pos = start ? start->next : ctx->iopoll_list.first; wq_list_cut(&ctx->iopoll_list, prev, start);
