io_uring: fix sleeping under spin in __io_clean_op

[ 27.629441] BUG: sleeping function called from invalid context
at fs/file.c:402
[ 27.631317] in_atomic(): 1, irqs_disabled(): 1, non_block: 0,
pid: 1012, name: io_wqe_worker-0
[ 27.633220] 1 lock held by io_wqe_worker-0/1012:
[ 27.634286] #0: ffff888105e26c98 (&ctx->completion_lock)
{....}-{2:2}, at: __io_req_complete.part.102+0x30/0x70
[ 27.649249] Call Trace:
[ 27.649874] dump_stack+0xac/0xe3
[ 27.650666] ___might_sleep+0x284/0x2c0
[ 27.651566] put_files_struct+0xb8/0x120
[ 27.652481] __io_clean_op+0x10c/0x2a0
[ 27.653362] __io_cqring_fill_event+0x2c1/0x350
[ 27.654399] __io_req_complete.part.102+0x41/0x70
[ 27.655464] io_openat2+0x151/0x300
[ 27.656297] io_issue_sqe+0x6c/0x14e0
[ 27.660991] io_wq_submit_work+0x7f/0x240
[ 27.662890] io_worker_handle_work+0x501/0x8a0
[ 27.664836] io_wqe_worker+0x158/0x520
[ 27.667726] kthread+0x134/0x180
[ 27.669641] ret_from_fork+0x1f/0x30

Instead of cleaning files on overflow, return back overflow cancellation
into io_uring_cancel_files(). Previously it was racy to clean
REQ_F_OVERFLOW flag, but we got rid of it, and can do it through
repetitive attempts targeting all matching requests.

Reported-by: Abaci <abaci@linux.alibaba.com>
Reported-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Xiaoguang Wang <xiaoguang.wang@linux.alibaba.com>
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

authored by Pavel Begunkov and committed by Jens Axboe 9d5c8190 9a173346

Changed files: fs/io_uring.c (+5 -5)
··· 1025 1025 static int io_setup_async_rw(struct io_kiocb *req, const struct iovec *iovec, 1026 1026 const struct iovec *fast_iov, 1027 1027 struct iov_iter *iter, bool force); 1028 + static void io_req_drop_files(struct io_kiocb *req); 1028 1029 1029 1030 static struct kmem_cache *req_cachep; 1030 1031 ··· 1049 1048 1050 1049 static inline void io_clean_op(struct io_kiocb *req) 1051 1050 { 1052 - if (req->flags & (REQ_F_NEED_CLEANUP | REQ_F_BUFFER_SELECTED | 1053 - REQ_F_INFLIGHT)) 1051 + if (req->flags & (REQ_F_NEED_CLEANUP | REQ_F_BUFFER_SELECTED)) 1054 1052 __io_clean_op(req); 1055 1053 } 1056 1054 ··· 1394 1394 free_fs_struct(fs); 1395 1395 req->work.flags &= ~IO_WQ_WORK_FS; 1396 1396 } 1397 + if (req->flags & REQ_F_INFLIGHT) 1398 + io_req_drop_files(req); 1397 1399 1398 1400 io_put_identity(req->task->io_uring, req); 1399 1401 } ··· 6232 6230 } 6233 6231 req->flags &= ~REQ_F_NEED_CLEANUP; 6234 6232 } 6235 - 6236 - if (req->flags & REQ_F_INFLIGHT) 6237 - io_req_drop_files(req); 6238 6233 } 6239 6234 6240 6235 static int io_issue_sqe(struct io_kiocb *req, bool force_nonblock, ··· 8878 8879 io_wq_cancel_cb(ctx->io_wq, io_cancel_task_cb, &cancel, true); 8879 8880 io_poll_remove_all(ctx, task, files); 8880 8881 io_kill_timeouts(ctx, task, files); 8882 + io_cqring_overflow_flush(ctx, true, task, files); 8881 8883 /* cancellations _may_ trigger task work */ 8882 8884 io_run_task_work(); 8883 8885 schedule();
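Review bot: In the hunk around line 1397, the new `if (req->flags & REQ_F_INFLIGHT) io_req_drop_files(req);` sits beside free_fs_struct() and io_put_identity() with nothing stating the context it may run in. The trace in the commit message shows put_files_struct() sleeping under ctx->completion_lock when reached from __io_clean_op(), which is the call this patch moves, so the new call site must never run with that lock held or with IRQs disabled. A might_sleep() at the top of the enclosing function, or a one-line comment stating the requirement, would make the constraint checkable and keep a later caller from reintroducing the same splat.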
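Review bot: In the last hunk (around line 8881), `io_cqring_overflow_flush(ctx, true, task, files);` is added with no comment, and the reason it belongs in this loop exists only in the commit message. Since requests on the overflow list no longer have their files dropped at completion time, this call is now what releases them for the matching task/files, and it relies on being repeated on each pass before schedule(). Suggest a short comment above the call saying so, and noting why the second argument is true, so the flush is not later removed or hoisted out of the loop as redundant.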