From: Hao Xu
Date: Fri, 20 Aug 2021 22:19:54 +0000 (+0800)
Subject: io_uring: fix lack of protection for compl_nr
X-Git-Tag: v5.15~354^2~41
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=99c8bc52d1321ab3a711eba2941eadbe7425230f;p=platform%2Fkernel%2Flinux-starfive.git

compl_nr in ctx_flush_and_put() is not protected by uring_lock, this
may cause problems when accessing in parallel:

say compl_nr > 0

  ctx_flush_and_put                  other context
   if (compl_nr)                      get mutex
                                      compl_nr > 0
                                      do flush
                                          compl_nr = 0
                                      release mutex
        get mutex
           do flush (*)
        release mutex

in (*) place, we call io_cqring_ev_posted() and users likely get
no events there. To avoid spurious events, re-check the value when
under the lock.

Fixes: 2c32395d8111 ("io_uring: fix __tctx_task_work() ctx race")
Signed-off-by: Hao Xu
Link: https://lore.kernel.org/r/20210820221954.61815-1-haoxu@linux.alibaba.com
Signed-off-by: Jens Axboe
---
diff --git a/fs/io_uring.c b/fs/io_uring.c index 5d3df4f..706ac8c 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -2007,7 +2007,8 @@ static void ctx_flush_and_put(struct io_ring_ctx *ctx) return; if (ctx->submit_state.compl_nr) { mutex_lock(&ctx->uring_lock); - io_submit_flush_completions(ctx); + if (ctx->submit_state.compl_nr) + io_submit_flush_completions(ctx); mutex_unlock(&ctx->uring_lock); } percpu_ref_put(&ctx->refs);
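
Review bot: the outer "if (ctx->submit_state.compl_nr) {" that remains as context above the added lines still reads compl_nr without uring_lock, so after this change it is only a lockless hint and the new test under the mutex is the one that decides whether io_submit_flush_completions() runs. Nothing in the hunk says so: consider wrapping the outer read in READ_ONCE() and adding a one-line comment that the unlocked test exists only to skip the mutex when there is nothing to flush, so a later cleanup does not fold the two checks back into one and reintroduce the spurious flush described in the commit message.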