io_uring: fix files grab/cancel race
author Pavel Begunkov <asml.silence@gmail.com>
Wed, 25 Nov 2020 18:41:28 +0000 (18:41 +0000)
committer Jens Axboe <axboe@kernel.dk>
Thu, 26 Nov 2020 15:50:21 +0000 (08:50 -0700)
commit af60470347de6ac2b9f0cc3703975a543a3de075
tree 6b0d7677d948ebb14a02c02fca16c9f63d6644cb
parent 9c3a205c5ffa36e96903c2e37eb5f41c0f03c43e
io_uring: fix files grab/cancel race

When one task is in io_uring_cancel_files() and another is doing
io_prep_async_work() a race may happen. That's because after accounting
a request inflight in first call to io_grab_identity() it still may fail
and go to io_identity_cow(), which might briefly keep dangling
work.identity and not only.

Grab files last, so io_prep_async_work() won't fail if it did get into
->inflight_list.

note: the bug shouldn't exist after making io_uring_cancel_files() not
poking into other tasks' requests.

Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
fs/io_uring.c