io_uring: pin context while queueing deferred tw

commit 9ffa13ff78a0a55df968a72d6f0ebffccee5c9f4 upstream.

Unlike normal tw, nothing prevents deferred tw to be executed right
after an tw item added to ->work_llist in io_req_local_work_add(). For
instance, the waiting task may get waken up by CQ posting or a normal
tw. Thus we need to pin the ring for the rest of io_req_local_work_add()

Cc: stable@vger.kernel.org
Fixes: c0e0d6ba25f18 ("io_uring: add IORING_SETUP_DEFER_TASKRUN")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/1a79362b9c10b8523ef70b061d96523650a23344.1672795998.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 1bc68df..c93e988 100644 (file)
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -1109,13 +1109,18 @@ static void io_req_local_work_add(struct io_kiocb *req)
 {
        struct io_ring_ctx *ctx = req->ctx;
 
-       if (!llist_add(&req->io_task_work.node, &ctx->work_llist))
+       percpu_ref_get(&ctx->refs);
+
+       if (!llist_add(&req->io_task_work.node, &ctx->work_llist)) {
+               percpu_ref_put(&ctx->refs);
                return;
+       }
        /* need it for the following io_cqring_wake() */
        smp_mb__after_atomic();
 
        if (unlikely(atomic_read(&req->task->io_uring->in_idle))) {
                io_move_task_work_from_local(ctx);
+               percpu_ref_put(&ctx->refs);
                return;
        }
 
@@ -1125,6 +1130,7 @@ static void io_req_local_work_add(struct io_kiocb *req)
        if (ctx->has_evfd)
                io_eventfd_signal(ctx);
        __io_cqring_wake(ctx);
+       percpu_ref_put(&ctx->refs);
 }
 
 static inline void __io_req_task_work_add(struct io_kiocb *req, bool allow_local)