diff options
| author | Pavel Begunkov <asml.silence@gmail.com> | 2025-02-12 13:33:24 +0000 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2025-02-21 14:10:49 +0100 |
| commit | 082f62b99642ccd3cdfde81c84d6d1c7d545443f (patch) | |
| tree | 1a29456cbd6b8d82fbef85714451bba20e50d4cf /io_uring | |
| parent | 3a4ca365c51729143a2cab693cd40fe0bb585ef0 (diff) | |
| download | linux-082f62b99642ccd3cdfde81c84d6d1c7d545443f.tar.gz linux-082f62b99642ccd3cdfde81c84d6d1c7d545443f.tar.bz2 linux-082f62b99642ccd3cdfde81c84d6d1c7d545443f.zip | |
io_uring/waitid: don't abuse io_tw_state
[ Upstream commit 06521ac0485effdcc9c792cb0b40ed8e6f2f5fb8 ]
struct io_tw_state is managed by core io_uring, and opcode handling code
must never try to cheat and create their own instances, it's plain
incorrect.
io_waitid_complete() attempts exactly that outside of the task work
context, and even though the ring is locked, there would be no one to
reap the requests from the defer completion list. It only works now
because luckily it's called before io_uring_try_cancel_uring_cmd(),
which flushes completions.
Fixes: f31ecf671ddc4 ("io_uring: add IORING_OP_WAITID support")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'io_uring')
| -rw-r--r-- | io_uring/waitid.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/io_uring/waitid.c b/io_uring/waitid.c index daef5dd644f0..eddd2dffc88b 100644 --- a/io_uring/waitid.c +++ b/io_uring/waitid.c @@ -118,7 +118,6 @@ static int io_waitid_finish(struct io_kiocb *req, int ret) static void io_waitid_complete(struct io_kiocb *req, int ret) { struct io_waitid *iw = io_kiocb_to_cmd(req, struct io_waitid); - struct io_tw_state ts = {}; /* anyone completing better be holding a reference */ WARN_ON_ONCE(!(atomic_read(&iw->refs) & IO_WAITID_REF_MASK)); @@ -131,7 +130,6 @@ static void io_waitid_complete(struct io_kiocb *req, int ret) if (ret < 0) req_set_fail(req); io_req_set_res(req, ret, 0); - io_req_task_complete(req, &ts); } static bool __io_waitid_cancel(struct io_ring_ctx *ctx, struct io_kiocb *req) @@ -153,6 +151,7 @@ static bool __io_waitid_cancel(struct io_ring_ctx *ctx, struct io_kiocb *req) list_del_init(&iwa->wo.child_wait.entry); spin_unlock_irq(&iw->head->lock); io_waitid_complete(req, -ECANCELED); + io_req_queue_tw_complete(req, -ECANCELED); return true; } @@ -258,6 +257,7 @@ static void io_waitid_cb(struct io_kiocb *req, struct io_tw_state *ts) } io_waitid_complete(req, ret); + io_req_task_complete(req, ts); } static int io_waitid_wait(struct wait_queue_entry *wait, unsigned mode, |