io_uring: fix refcounting with batched allocations at OOM

In case of out of memory the second argument of percpu_ref_put_many() in
io_submit_sqes() may evaluate into "nr - (-EAGAIN)", that is clearly
wrong.

Fixes: 2b85edfc0c90 ("io_uring: batch getting pcpu references")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/fs/io_uring.c b/fs/io_uring.c
index a700ee5fc89d61d995c8387b366fdfbbc7714ae3..1dd20305c6644b292c76b612983fae7527b46ce2 100644 (file)
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -4830,8 +4830,11 @@ static int io_submit_sqes(struct io_ring_ctx *ctx, unsigned int nr,
                        break;
        }
 
-       if (submitted != nr)
-               percpu_ref_put_many(&ctx->refs, nr - submitted);
+       if (unlikely(submitted != nr)) {
+               int ref_used = (submitted == -EAGAIN) ? 0 : submitted;
+
+               percpu_ref_put_many(&ctx->refs, nr - ref_used);
+       }
        if (link)
                io_queue_link_head(link);
        if (statep)